Skip to content


DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.1

Item Value
ID S0479
Associated Names
Version 1.0
Created 26 June 2020
Last Modified 26 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols DEFENSOR ID has used Firebase Cloud Messaging for C2.1
mobile T1624 Event Triggered Execution -
mobile T1624.001 Broadcast Receivers DEFENSOR ID abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the android.accessibilityservice.AccessibilityService intent.1
mobile T1516 Input Injection DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.1
mobile T1513 Screen Capture DEFENSOR ID can abuse the accessibility service to read any text displayed on the screen.1
mobile T1418 Software Discovery DEFENSOR ID can retrieve a list of installed applications.1