S0545: TERRACOTTA
TERRACOTTA is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.[1]
Analyst context for executives and security teams
TERRACOTTA matters because it shows how Android malware can turn mobile devices into large-scale fraud infrastructure, not just steal data from an individual device. The supplied ATT&CK context points to behavior that can hide code, download new code after installation, discover device and network state, maintain execution, communicate bidirectionally, inject UI input, handle SMS, and generate outbound traffic. For security leaders, the decision value is whether mobile endpoints are visible enough to distinguish normal app activity from automated, persistent, fraud-oriented behavior.
Executive priority
Prioritize TERRACOTTA as a mobile security and resilience use case where Android devices, managed mobility, employee-owned devices, or customer-facing mobile ecosystems affect business risk. The main business questions are: do we have evidence of what apps are installed, what permissions they request, what network traffic they generate, and whether mobile incidents can be investigated quickly? This is also relevant to compliance evidence where organizations must show mobile device governance, application control, network monitoring, and incident response readiness.
Technical view
ATT&CK lists TERRACOTTA for Android and relates it to techniques including obfuscated files or information, runtime code download, GUI input capture, software discovery, network and Internet connection discovery, bidirectional communication, input injection, foreground persistence, native API use, SMS control, scheduled tasks/jobs, broadcast receivers, system checks, and traffic generation from the victim. SOC and IR teams should validate whether Android telemetry can expose suspicious app permissions, foreground services, scheduled jobs, broadcast receiver registration, SMS-related capabilities, dynamic code loading, native code use, app inventory queries, network connectivity checks, and unusual outbound web or SMS traffic. Because no official ATT&CK detection text is provided for this malware object, local detections should be built from the related behaviors rather than from a single named-malware signature.
Likely telemetry
- Android device inventory and app installation records
- Mobile device management or enterprise mobility management compliance state
- Application permission requests, especially SMS, accessibility, foreground service, and network-related permissions
- Mobile app behavior or mobile threat defense alerts for dynamic code loading, obfuscation, native code, and sandbox evasion indicators
- Android event evidence for scheduled jobs, broadcast receivers, foreground services, and accessibility API abuse where available
Detection direction
- Validate coverage around behavior clusters rather than relying on the TERRACOTTA name alone, since ATT&CK provides no official detection guidance for this object.
- Tune for combinations such as newly installed Android apps plus obfuscation, runtime code download, scheduled execution, broadcast receiver persistence, and high-volume outbound traffic.
- Review accessibility API and input injection indicators carefully; legitimate accessibility tools can create false positives, so context such as publisher trust, user intent, app category, and concurrent suspicious network behavior matters.
- Correlate SMS permissions or SMS handler changes with outbound traffic generation and bidirectional communication, especially where the device should not be sending automated messages or web requests.
- Account for blind spots in unmanaged or BYOD Android devices, encrypted mobile traffic, limited endpoint logging, and app behavior that changes after installation through downloaded code or system checks.
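One way to operationalize the behaviour-cluster direction above, as an added example that is not part of the ATT&CK object or of Glexia's own tooling: it scores per-app telemetry records against the technique set listed for TERRACOTTA, discounts input-injection findings for a trusted-publisher accessibility tool to limit false positives, and surfaces only apps that cross a threshold. The field names, weights, threshold and sample records are constructed assumptions.

```python
from dataclasses import dataclass, field
# Behaviour flags an MDM or mobile threat defence feed might expose, keyed to
# the ATT&CK techniques listed for TERRACOTTA. Names and weights are assumed.
BEHAVIOUR_WEIGHTS = {
    "obfuscated_strings": 1,      # T1406
    "runtime_code_download": 2,   # T1407
    "foreground_service": 1,      # T1541
    "broadcast_receivers": 1,     # T1624.001
    "scheduled_jobs": 1,          # T1603
    "native_modules": 1,          # T1575
    "sms_permission": 2,          # T1582
    "input_injection": 2,         # T1516
    "lists_installed_apps": 1,    # T1418
    "high_outbound_requests": 2,  # T1643
}
ALERT_THRESHOLD = 6  # assumed; tune against the local false-positive rate

@dataclass
class AppRecord:
    package: str
    publisher_trusted: bool   # enterprise-approved or store-verified publisher
    days_since_install: int
    behaviours: set = field(default_factory=set)

def score(app: AppRecord) -> int:
    """Weighted count of TERRACOTTA-style behaviours seen for one app."""
    total = sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in app.behaviours)
    if app.days_since_install <= 7:   # newly installed apps are the priority case
        total += 1
    # Input injection alone is a common false positive (accessibility tools):
    # discount it for a trusted publisher unless suspicious traffic accompanies it.
    if ("input_injection" in app.behaviours and app.publisher_trusted
            and "high_outbound_requests" not in app.behaviours):
        total -= BEHAVIOUR_WEIGHTS["input_injection"]
    return total

def triage(apps):
    """Packages at or above the alert threshold, highest score first."""
    hits = [(score(a), a.package) for a in apps]
    return [pkg for s, pkg in sorted(hits, reverse=True) if s >= ALERT_THRESHOLD]

# Constructed sample feed: one TERRACOTTA-like app, one legitimate screen
# reader from a trusted publisher, one ordinary app.
SAMPLE_APPS = [
    AppRecord("com.example.freeshoes", False, 2,
              {"obfuscated_strings", "runtime_code_download", "foreground_service",
               "broadcast_receivers", "scheduled_jobs", "input_injection",
               "sms_permission", "high_outbound_requests"}),
    AppRecord("com.vendor.screenreader", True, 400,
              {"input_injection", "foreground_service", "broadcast_receivers"}),
    AppRecord("com.example.notes", False, 30, {"broadcast_receivers"}),
]
```

Only the newly installed app that combines obfuscation, runtime code download, persistence, SMS capability and high outbound volume crosses the threshold; the trusted screen reader does not.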
Mitigation priorities
- Establish mobile asset and app governance first: know which Android devices and applications are allowed, managed, and monitored.
- Restrict or review high-risk Android permissions such as SMS handling, accessibility access, foreground services, and capabilities that enable automated UI interaction where business need is not clear.
- Use mobile device management or equivalent controls to enforce app source policy, device compliance, and removal or quarantine workflows for suspicious applications.
- Prioritize network and mobile telemetry retention so incident responders can reconstruct app installation, permission changes, scheduled execution, and outbound traffic patterns.
- Include mobile malware scenarios in incident response playbooks, especially for devices that may affect identity access, regulated data, financial workflows, or operational communications.
Analyst notes and limits
The supplied ATT&CK object identifies TERRACOTTA as Android malware associated with ad fraud and very high request volume, and the relationship set provides the most useful defensive context. The strongest defensive reading is that this is a mobile behavior cluster involving evasion, persistence, discovery, command-and-control style communication, SMS capability, UI automation, and generated traffic. Glexia would use this object to drive a mobile visibility and response readiness review rather than a narrow signature-only detection exercise.
ATT&CK provides no official detection text, no tactics in the supplied object, and no supplied mitigations for TERRACOTTA. The object supports Android only. Any determination of exposure, active exploitation, attribution, or detection coverage requires local telemetry, app inventory, network data, and mobile management evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1406 | Obfuscated Files or Information | TERRACOTTA has stored encoded strings.[1] |
| Mobile | T1575 | Native API | TERRACOTTA has included native modules.[1] |
| Mobile | T1643 | Generate Traffic from Victim | TERRACOTTA has generated non-human advertising impressions.[1] |
| Mobile | T1417.002 | GUI Input Capture Sub-technique | TERRACOTTA has displayed a form to collect user data after installation.[1] |
| Mobile | T1422.001 | Internet Connection Discovery Sub-technique | TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1] |
| Mobile | T1603 | Scheduled Task/Job | TERRACOTTA has used timer events in React Native to initiate the foreground service.[1] |
| Mobile | T1633.001 | System Checks Sub-technique | TERRACOTTA checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings.[1] |
| Mobile | T1516 | Input Injection | TERRACOTTA can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.[1] |
| Mobile | T1541 | Foreground Persistence | TERRACOTTA has utilized foreground services.[1] |
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | TERRACOTTA has registered several broadcast receivers.[1] |
| Mobile | T1418 | Software Discovery | TERRACOTTA can obtain a list of installed apps.[1] |
| Mobile | T1481.002 | Bidirectional Communication Sub-technique | TERRACOTTA has used Firebase for C2 communication.[1] |
| Mobile | T1422 | System Network Configuration Discovery | TERRACOTTA has collected the device’s phone number and can check if the active network connection is metered.[1] |
| Mobile | T1407 | Download New Code at Runtime | TERRACOTTA can download additional modules at runtime via JavaScript `eval` statements.[1] |
| Mobile | T1582 | SMS Control | TERRACOTTA can send SMS messages.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 2e417484f813… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] WhiteOps TERRACOTTA: Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.
[2] mitre-attack S0545.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.