S0479 DEFENSOR ID
DEFENSOR ID is a banking trojan capable of clearing a victim's bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android's accessibility service.[1]
| Item | Value |
|---|---|
| ID | S0479 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 26 June 2020 |
| Last Modified | 26 June 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | DEFENSOR ID has used Firebase Cloud Messaging for C2.[1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | DEFENSOR ID abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the android.accessibilityservice.AccessibilityService intent.[1] |
| mobile | T1516 | Input Injection | DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.[1] |
| mobile | T1513 | Screen Capture | DEFENSOR ID can abuse the accessibility service to read any text displayed on the screen.[1] |
| mobile | T1418 | Software Discovery | DEFENSOR ID can retrieve a list of installed applications.[1] |