DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.[1]

ID: S0479
Platforms: Android
Contributors: Lukáš Štefanko, ESET
Version: 1.0
Created: 26 June 2020
Last Modified: 26 June 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Mobile | T1418 | Application Discovery | DEFENSOR ID can retrieve a list of installed applications.[1] |
| Mobile | T1402 | Broadcast Receivers | DEFENSOR ID abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the android.accessibilityservice.AccessibilityService intent.[1] |
| Mobile | T1475 | Deliver Malicious App via Authorized App Store | DEFENSOR ID was delivered via the Google Play Store.[1] |
| Mobile | T1516 | Input Injection | DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.[1] |
| Mobile | T1513 | Screen Capture | DEFENSOR ID can abuse the accessibility service to read any text displayed on the screen.[1] |
| Mobile | T1437 | Standard Application Layer Protocol | DEFENSOR ID has used Firebase Cloud Messaging for C2.[1] |