DEFENSOR ID is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. DEFENSOR ID performs the majority of its malicious functionality by abusing Android’s accessibility service.[1]
Domain | ID | Name | Use
---|---|---|---
Mobile | T1418 | Application Discovery | DEFENSOR ID can retrieve a list of installed applications.[1]
Mobile | T1402 | Broadcast Receivers | DEFENSOR ID abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the
Mobile | T1475 | Deliver Malicious App via Authorized App Store | DEFENSOR ID was delivered via the Google Play Store.[1]
Mobile | T1516 | Input Injection | DEFENSOR ID can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.[1]
Mobile | T1513 | Screen Capture | DEFENSOR ID can abuse the accessibility service to read any text displayed on the screen.[1]
Mobile | T1437 | Standard Application Layer Protocol | DEFENSOR ID has used Firebase Cloud Messaging for C2.[1]