DEFENSOR ID

DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.^[1]

ID: S0479

ⓘ

Type: MALWARE

ⓘ

Platforms: Android

Contributors: Lukáš Štefanko, ESET

Version: 1.0

Created: 26 June 2020

Last Modified: 26 June 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Mobile	T1437	.001	Application Layer Protocol: Web Protocols	DEFENSOR ID has used Firebase Cloud Messaging for C2.^[1]
Mobile	T1624	.001	Event Triggered Execution: Broadcast Receivers	DEFENSOR ID abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the `android.accessibilityservice.AccessibilityService` intent.^[1]
Mobile	T1516		Input Injection	DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.^[1]
Mobile	T1513		Screen Capture	DEFENSOR ID can abuse the accessibility service to read any text displayed on the screen.^[1]
Mobile	T1418		Software Discovery	DEFENSOR ID can retrieve a list of installed applications.^[1]

References

L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.

DEFENSOR ID

Mobile Layer

Techniques Used

References