{
	"id": "b2897267-05c4-4454-bad2-c9d540bfc028",
	"created_at": "2026-04-06T00:07:33.992664Z",
	"updated_at": "2026-04-10T03:30:32.968936Z",
	"deleted_at": null,
	"sha1_hash": "ddce6e1b3a79d029ddc6e8da7eddc5cd18160485",
	"title": "Insidious Android malware gives up all malicious features but one to gain stealth",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1330805,
	"plain_text": "Insidious Android malware gives up all malicious features but one\r\nto gain stealth\r\nBy Lukas Stefanko\r\nArchived: 2026-04-05 14:25:55 UTC\r\nESET Research\r\nMobile Security\r\nESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security\r\n22 May 2020 • 5 min. read\r\nESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious\r\nactions, notably wiping out the victim’s bank account or cryptocurrency wallet and taking over their email or\r\nsocial media accounts. Called \"DEFENSOR ID\", the banking trojan was available on Google Play at the time of\r\nthe analysis. The app is fitted with standard information-stealing capabilities; however, this banker is\r\nexceptionally insidious in that after installation it requires a single action from the victim – enable Android's\r\nAccessibility Service – to fully unleash the app's malicious functionality.\r\nThe DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth. Its\r\ncreators reduced the app’s malicious surface to the bare minimum by removing all potentially malicious\r\nfunctionalities but one: abusing Accessibility Service.\r\nhttps://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/\r\nPage 1 of 9\n\nAccessibility Service is long known to be the Achilles’ heel of the Android operating system. Security solutions\r\ncan detect it in countless combinations with other suspicious permissions and functions, or malicious\r\nfunctionalities – but when faced with no additional functionality nor permission, all failed to trigger any alarm on\r\nDEFENSOR ID.\r\nBy “all” we mean all security mechanisms guarding the official Android app store (including the detection engines\r\nof the members of the App Defense Alliance) and all security vendors participating in the VirusTotal program (see\r\nFigure 1).\r\nFigure 1. According to the VirusTotal service, no security vendor detected the DEFENSOR ID app until it was\r\npulled off the Play store\r\nDEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is\r\nanalyzed here; we weren’t able to determine if the earlier versions were also malicious. According to its profile at\r\nGoogle Play (see Figure 2) the app reached a mere 10+ downloads. We reported it to Google on May 16, 2020 and\r\nsince May 19, 2020 the app has no longer been available on Google Play.\r\nThe developer name used, GAS Brazil, suggests the criminals behind the app targeted Brazilian users. Apart from\r\nincluding the country’s name, the app’s name is probably intended to imply a relationship with the antifraud\r\nsolution named GAS Tecnologia. That security software is commonly installed on computers in Brazil as several\r\nbanks require it to log into their online banking. However, there is also an English version of the DEFENSOR ID\r\napp (see Figure 3) besides the Portuguese one, and that app has neither geographical nor language restrictions.\r\nPlaying further off the suggested GAS Tecnologia link, the app promises better security for its users. The\r\ndescription in Portuguese promises more protection for the user’s applications, including end-to-end encryption.\r\nDeceptively, the app was listed in the Education section.\r\nFigure 2. The DEFENSOR ID app on Google Play – Portuguese version (translates roughly as: “Your new\r\nDefensor app available for: / Individuals / Legal entities / From now on you will have more protection when using\r\nyour applications, encryption for end-to-end users”)\r\nFigure 3. The DEFENSOR ID app on Google Play – English version\r\nFunctionality\r\nAfter starting, DEFENSOR ID requests the following permissions:\r\nallow modify system settings\r\npermit drawing over other apps, and\r\nactivate accessibility services.\r\nIf an unsuspecting user grants these permissions (see Figure 4), the trojan can read any text displayed in any app\r\nthe user may launch – and send it to the attackers. This means the attackers can steal the victim’s credentials for\r\nlogging into apps, SMS and email messages, displayed cryptocurrency private keys, and even software-generated\r\n2FA codes.\r\nThe fact the trojan can steal both the victim’s credentials and also can control their SMS messages and generated\r\n2FA codes means DEFENSOR ID’s operators can bypass two-factor authentication. This opens the door to, for\r\nexample, fully controlling the victim’s bank account.\r\nTo make sure the trojan survives a device restart, it abuses already activated accessibility services that will launch\r\nthe trojan right after start.\r\nFigure 4. The permission requests by DEFENSOR ID\r\nOur analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled\r\nserver such as uninstalling an app, launching an app and then performing any click/tap action controlled remotely\r\nby the attacker (see Figure 5).\r\nFigure 5. The list of commands DEFENSOR ID may get from its C\u0026C server\r\nIn 2018, we saw similar behavior, but all the click actions were hardcoded and suited only for the app of the\r\nattacker’s choice. In this case, the attacker can get the list of all installed apps and then remotely launch the\r\nvictim’s app of their choice to either steal credentials or perform malicious actions (e.g. send funds via a wire\r\ntransfer).\r\nWe believe that this is the reason the DEFENSOR ID trojan requests the user to allow “Modify system settings”.\r\nSubsequently, the malware will change the screen off time-out to 10 minutes. This means that, unless victims lock\r\ntheir devices via the hardware button, the timer provides plenty of time for the malware to remotely perform\r\nmalicious, in-app operations.\r\nIf the device gets locked, the malware can’t unlock it.\r\nMalware data leak\r\nWhen we analyzed the sample, we realized that the malware operators left the remote database with some of the\r\nvictims’ data freely accessible, without any authentication. The database contained the last activity performed on\r\naround 60 compromised devices. We found no other information stolen from the victims to be accessible.\r\nThanks to this data leak, we were able to confirm that the malware really worked as designed: the attacker had\r\naccess to the victims’ entered credentials, displayed or written emails and messages, etc.\r\nOnce we reached the non-secured database, we were able to directly observe the app’s malicious behavior. To\r\nillustrate the level of threat the DEFENSOR ID app posed, we performed three tests.\r\nFirst, we launched a banking app and entered the credentials there. The credentials were immediately available in\r\nthe leaky database – see Figure 6.\r\nFigure 6. The banking app test: the credentials as entered (left) and as available in the database (right)\r\nSecond, we wrote a test message in an email client. We saw the message uploaded to the attackers’ server within a\r\nsecond – see Figure 7.\r\nFigure 7. The email message test: the message as written (left) and as available in the database (right)\r\nThird, we documented the trojan retrieving the Google Authenticator 2FA code.\r\nFigure 8. The software generated 2FA code as it appeared on the device’s display (left) and as available in the\r\ndatabase (right)\r\nAlong with the malicious DEFENSOR ID app, another malicious app named Defensor Digital was discovered.\r\nBoth apps shared the same C\u0026C server, but we couldn’t investigate the latter as it had already been removed from\r\nthe Google Play store.\r\nIndicators of Compromise (IoCs)\r\nPackage Name Hash ESET detection name\r\ncom.secure.protect.world F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 Android/Spy.BanBra.A\r\ncom.brazil.android.free EA069A5C96DC1DB0715923EB68192FD325F3D3CE Android/Spy.BanBra.A\r\nMITRE ATT\u0026CK techniques\r\nTactic ID Name Description\r\nInitial Access T1475 Deliver Malicious App via Authorized App Store Impersonates security app on Google Play.\r\nInitial Access T1444 Masquerade as Legitimate Application Impersonates legitimate GAS Tecnologia application.\r\nDiscovery T1418 Application Discovery Sends list of installed apps on device.\r\nImpact T1516 Input Injection Can enter text and perform clicks on behalf of user.\r\nCollection T1417 Input Capture Records user input data.\r\nCommand and Control T1437 Standard Application Layer Protocol Uses Firebase Cloud Messaging for C\u0026C.\r\nSource: https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"
	],
	"report_names": [
		"insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth"
	],
	"threat_actors": [
		{
			"id": "f276b8a6-73c9-494a-8ab2-13e2f1da4c53",
			"created_at": "2022-10-25T16:07:24.441133Z",
			"updated_at": "2026-04-10T02:00:04.993411Z",
			"deleted_at": null,
			"main_name": "Achilles",
			"aliases": [],
			"source_name": "ETDA:Achilles",
			"tools": [
				"RDP",
				"Remote Desktop Protocol"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434053,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ddce6e1b3a79d029ddc6e8da7eddc5cd18160485.pdf",
		"text": "https://archive.orkl.eu/ddce6e1b3a79d029ddc6e8da7eddc5cd18160485.txt",
		"img": "https://archive.orkl.eu/ddce6e1b3a79d029ddc6e8da7eddc5cd18160485.jpg"
	}
}