Skip to content


DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.1

Item Value
ID S0479
Associated Names
Version 1.0
Created 26 June 2020
Last Modified 26 June 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1418 Application Discovery DEFENSOR ID can retrieve a list of installed applications.1
mobile T1402 Broadcast Receivers DEFENSOR ID abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the android.accessibilityservice.AccessibilityService intent.1
mobile T1475 Deliver Malicious App via Authorized App Store DEFENSOR ID was delivered via the Google Play Store.1
mobile T1516 Input Injection DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.1
mobile T1513 Screen Capture DEFENSOR ID can abuse the accessibility service to read any text displayed on the screen.1
mobile T1437 Standard Application Layer Protocol DEFENSOR ID has used Firebase Cloud Messaging for C2.1


Back to top