S0403 Riltok
Riltok is banking malware that uses phishing popups to collect user credentials.[1]
| Item | Value |
|---|---|
| ID | S0403 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 07 August 2019 |
| Last Modified | 18 September 2019 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Riltok communicates with the command and control server using HTTP requests.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.002 | GUI Input Capture | Riltok can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.[1] |
| mobile | T1516 | Input Injection | Riltok injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Riltok can access and upload the device's contact list to the command and control server.[1] |
| mobile | T1636.004 | SMS Messages | Riltok can intercept incoming SMS messages.[1] |
| mobile | T1418 | Software Discovery | Riltok can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.[1] |
| mobile | T1426 | System Information Discovery | Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.[1] |
| mobile | T1422 | System Network Configuration Discovery | Riltok can query the device's IMEI.[1] |