DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.[1]

ID: S0479
Platforms: Android
Contributors: Lukáš Štefanko, ESET
Version: 1.0
Created: 26 June 2020
Last Modified: 26 June 2020

Techniques Used

Domain ID Name Use
Mobile T1437.001 Application Layer Protocol: Web Protocols

DEFENSOR ID has used Firebase Cloud Messaging for C2.[1]

Mobile T1624.001 Event Triggered Execution: Broadcast Receivers

DEFENSOR ID abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the android.accessibilityservice.AccessibilityService intent.[1]

Mobile T1516 Input Injection

DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.[1]

Mobile T1513 Screen Capture

DEFENSOR ID can abuse the accessibility service to read any text displayed on the screen.[1]

Mobile T1418 Software Discovery

DEFENSOR ID can retrieve a list of installed applications.[1]
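The behaviours listed above (accessibility-service abuse, Firebase Cloud Messaging for C2, enumeration of installed apps) all leave traces in an app's manifest. As an added example, not ESET's or MITRE's code, the script below is a constructed triage heuristic that maps manifest features to the technique IDs on this page; it assumes the manifest has already been decoded to plain XML (e.g. by apktool), and the weighting of which combination counts as suspicious is my own assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android / Firebase identifiers tied to the behaviours on this page.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
QUERY_ALL_PACKAGES = "android.permission.QUERY_ALL_PACKAGES"


def manifest_findings(manifest_xml: str) -> dict:
    """Return which page-relevant capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    found = {"accessibility_service": False, "fcm_service": False,
             "package_enumeration": False}
    for perm in root.iter("uses-permission"):
        if perm.get(ANDROID_NS + "name") == QUERY_ALL_PACKAGES:
            found["package_enumeration"] = True
    for svc in root.iter("service"):
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        # A genuine accessibility service is bound by the system via this
        # permission and registers the AccessibilityService intent action.
        if (ACCESSIBILITY_ACTION in actions
                and svc.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY):
            found["accessibility_service"] = True
        if FCM_ACTION in actions:
            found["fcm_service"] = True
    return found


def mapped_techniques(manifest_xml: str) -> list:
    """Map findings to the ATT&CK technique IDs this page lists."""
    f = manifest_findings(manifest_xml)
    ids = []
    if f["accessibility_service"]:
        ids += ["T1624.001", "T1516", "T1513"]
    if f["fcm_service"]:
        ids.append("T1437.001")
    if f["package_enumeration"]:
        ids.append("T1418")
    return sorted(ids)


def is_suspicious(manifest_xml: str) -> bool:
    """Constructed heuristic: accessibility service plus a push C2 channel.
    Accessibility services alone are legitimate; the pairing is the signal."""
    f = manifest_findings(manifest_xml)
    return f["accessibility_service"] and f["fcm_service"]


# Constructed sample manifest (not a real DEFENSOR ID artifact).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Push">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""
```

Treat a hit as a reason to look at the app's behaviour, not as a verdict, since many legitimate apps legitimately declare both an accessibility service and FCM.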