
S0403 Riltok

Riltok is banking malware that uses phishing popups to collect user credentials.[1]

| Item | Value |
|---|---|
| ID | S0403 |
| Associated Names | |
| Version | 1.0 |
| Created | 07 August 2019 |
| Last Modified | 18 September 2019 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Riltok communicates with the command and control server using HTTP requests.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.002 | GUI Input Capture | Riltok can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.[1] |
| mobile | T1516 | Input Injection | Riltok injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Riltok can access and upload the device’s contact list to the command and control server.[1] |
| mobile | T1636.004 | SMS Messages | Riltok can intercept incoming SMS messages.[1] |
| mobile | T1418 | Software Discovery | Riltok can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.[1] |
| mobile | T1426 | System Information Discovery | Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.[1] |
| mobile | T1422 | System Network Configuration Discovery | Riltok can query the device’s IMEI.[1] |