Insidious Android malware gives up all malicious features but one to gain stealth – 10 minute mail

ESET researchers detect a new way of misusing Accessibility Service, the Achilles’ heel of Android security

ESET researchers have analyzed an extremely dangerous Android app that can perform a host of nefarious actions, notably wiping out the victim’s bank account or cryptocurrency wallet and taking over their email or social media accounts. Called “DEFENSOR ID”, the banking trojan was available on Google Play at the time of the analysis. The app is fitted with standard information-stealing capabilities; however, this banker is exceptionally insidious in that after installation it requires a single action from the victim – enable Android’s Accessibility Service – to fully unleash the app’s malicious functionality.

The DEFENSOR ID app made it onto the heavily guarded Google Play store thanks to its extreme stealth. Its creators reduced the app’s malicious surface to the bare minimum by removing all potentially malicious functionalities but one: abusing Accessibility Service.

Accessibility Service has long been known to be the Achilles’ heel of the Android operating system. Security solutions can detect it in countless combinations with other suspicious permissions and functions, or with malicious functionalities – but when faced with no additional functionality or permission, all of them failed to trigger any alarm on DEFENSOR ID.

By “all” we mean all security mechanisms guarding the official Android app store (including the detection engines of the members of the App Defense Alliance) and all security vendors participating in the VirusTotal program (see Figure 1).

Figure 1. According to the VirusTotal service, no security vendor detected the DEFENSOR ID app until it was pulled off the Play store

DEFENSOR ID was released on Feb 3, 2020 and last updated to v1.4 on May 6, 2020. The latest version is analyzed here; we weren’t able to determine if the earlier versions were also malicious. According to its profile at Google Play (see Figure 2) the app reached a mere 10+ downloads. We reported it to Google on May 16, 2020 and since May 19, 2020 the app has no longer been available on Google Play.

The developer name used, GAS Brazil, suggests the criminals behind the app targeted Brazilian users. Apart from including the country’s name, the app’s name is probably intended to imply a relationship with the antifraud solution named GAS Tecnologia. That security software is commonly installed on computers in Brazil as several banks require it to log into their online banking. However, there is also an English version of the DEFENSOR ID app (see Figure 3) besides the Portuguese one, and that app has neither geographical nor language restrictions.

Playing further off the suggested GAS Tecnologia link, the app promises better security for its users. The description in Portuguese promises more protection for the user’s applications, including end-to-end encryption. Deceptively, the app was listed in the Education section.

Figure 2. The DEFENSOR ID app on Google Play – Portuguese version (translates roughly as: “Your new Defensor app available for: / Individuals / Legal entities / From now on you will have more protection when using your applications, encryption for end-to-end users”)

Figure 3. The DEFENSOR ID app on Google Play – English version


After starting, DEFENSOR ID requests the following permissions:

  • allow modify system settings
  • permit drawing over other apps, and
  • activate accessibility services.

If an unsuspecting user grants these permissions (see Figure 4), the trojan can read any text displayed in any app the user may launch – and send it to the attackers. This means the attackers can steal the victim’s credentials for logging into apps, SMS and email messages, displayed cryptocurrency private keys, and even software-generated 2FA codes.

The fact that the trojan can steal the victim’s credentials and also control their SMS messages and generated 2FA codes means DEFENSOR ID’s operators can bypass two-factor authentication. This opens the door to, for example, fully controlling the victim’s bank account.

To make sure the trojan survives a device restart, it abuses the already activated accessibility services, which will launch the trojan right after startup.


Figure 4. The permission requests by DEFENSOR ID

Our analysis shows the DEFENSOR ID trojan can execute 17 commands received from the attacker-controlled server such as uninstalling an app, launching an app and then performing any click/tap action controlled remotely by the attacker (see Figure 5).

Figure 5. The list of commands DEFENSOR ID may get from its C&C server

In 2018, we saw similar behavior, but all the click actions were hardcoded and suited only for the app of the attacker’s choice. In this case, the attacker can get the list of all installed apps and then remotely launch the victim’s app of their choice to either steal credentials or perform malicious actions (e.g. send funds via a wire transfer).

We believe that this is the reason the DEFENSOR ID trojan requests the user to allow “Modify system settings”. Subsequently, the malware will change the screen off time-out to 10 minutes. This means that, unless victims lock their devices via the hardware button, the timer provides plenty of time for the malware to remotely perform malicious, in-app operations.

If the device gets locked, the malware can’t unlock it.
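A defensive check that follows from the two settings described above (an accessibility service enabled for an app that has no business having one, and a screen-off timeout raised to 10 minutes), as an added example that is not part of ESET's analysis: a Python audit of the values Android returns for `enabled_accessibility_services` (secure namespace) and `screen_off_timeout` (system namespace) via `adb shell settings get`. The sample outputs embedded in the block are constructed, the `com.example.defensor` package name is a placeholder rather than an indicator from the article, and the allowlist of expected services and the timeout threshold are assumptions to adapt to your own fleet.

```python
import subprocess
from typing import Iterable, List

# Assumed baseline of accessibility services a managed device is expected to
# have enabled (hypothetical; adapt to your own fleet).
EXPECTED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Screen-off timeouts at or above this value (milliseconds) are flagged; the
# analysis notes DEFENSOR ID raises the timeout to 10 minutes (600000 ms).
MAX_SCREEN_OFF_MS = 5 * 60 * 1000

# Constructed sample output of
#   adb shell settings get secure enabled_accessibility_services
# Entries are "package/service" pairs separated by ":". The second entry is a
# placeholder package name, not an indicator from the analysis.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.defensor/com.example.defensor.AccessibilityRelayService"
)
# Constructed sample output of: adb shell settings get system screen_off_timeout
SAMPLE_SCREEN_OFF_TIMEOUT = "600000"


def parse_enabled_services(raw: str) -> List[str]:
    """Split the colon-separated setting into service ids; 'null' means none enabled."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def audit(enabled_raw: str, timeout_raw: str,
          expected: Iterable[str] = EXPECTED_SERVICES,
          max_timeout_ms: int = MAX_SCREEN_OFF_MS) -> List[str]:
    """Return human-readable findings; an empty list means both checks passed."""
    findings = []
    expected = set(expected)
    for service in parse_enabled_services(enabled_raw):
        if service not in expected:
            findings.append(f"unexpected accessibility service enabled: {service}")
    timeout_raw = timeout_raw.strip()
    if timeout_raw in ("", "null"):
        return findings  # setting absent on this device: nothing to judge
    try:
        timeout_ms = int(timeout_raw)
    except ValueError:
        findings.append(f"unparseable screen_off_timeout value: {timeout_raw!r}")
        return findings
    if timeout_ms >= max_timeout_ms:
        findings.append(
            f"screen_off_timeout is {timeout_ms // 1000}s "
            f"(threshold {max_timeout_ms // 1000}s); device stays unlocked longer than policy allows"
        )
    return findings


def audit_connected_device(adb: str = "adb") -> List[str]:
    """Run both queries against the connected device (assumes adb is on PATH)."""
    def get(namespace: str, key: str) -> str:
        result = subprocess.run([adb, "shell", "settings", "get", namespace, key],
                                capture_output=True, text=True, check=True)
        return result.stdout
    return audit(get("secure", "enabled_accessibility_services"),
                 get("system", "screen_off_timeout"))


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; use audit_connected_device()
    # against a real handset.
    for finding in audit(SAMPLE_ENABLED_SERVICES, SAMPLE_SCREEN_OFF_TIMEOUT):
        print("FINDING:", finding)
```

On the constructed sample the audit reports two findings: the placeholder service outside the allowlist and the 600-second timeout. An allowlist keyed on the full `package/service` id matters because the trojan's own service is the only thing that distinguishes it from a legitimate screen reader.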

Malware data leak

When we analyzed the sample, we realized that the malware operators left the remote database with some of the victims’ data freely accessible, without any authentication. The database contained the last activity performed on around 60 compromised devices. We found no other information stolen from the victims to be accessible.

Thanks to this data leak, we were able to confirm that the malware really worked as designed: the attacker had access to the victims’ entered credentials, displayed or written emails and messages, etc.

Once we reached the non-secured database, we were able to directly observe the app’s malicious behavior. To illustrate the level of threat the DEFENSOR ID app posed, we performed three tests.

First, we launched a banking app and entered the credentials there. The credentials were immediately available in the leaky database – see Figure 6.

Figure 6. The banking app test: the credentials as entered (left) and as available in the database (right)

Second, we wrote a test message in an email client. We saw the message uploaded to the attackers’ server within a second – see Figure 7.

Figure 7. The email message test: the message as written (left) and as available in the database (right)

Third, we documented the trojan retrieving the Google Authenticator 2FA code.

Figure 8. The software generated 2FA code as it appeared on the device’s display (left) and as available in the database (right)

Along with the malicious DEFENSOR ID app, another malicious app named Defensor Digital was discovered. Both apps shared the same C&C server, but we couldn’t investigate the latter as it had already been removed from the Google Play store.

Indicators of Compromise (IoCs)

Package Name | Hash | ESET detection name
(not listed) | F17AEBC741957AA21CFE7C7D7BAEC0900E863F61 | Android/Spy.BanBra.A
(not listed) | EA069A5C96DC1DB0715923EB68192FD325F3D3CE | Android/Spy.BanBra.A

MITRE ATT&CK techniques

Tactic | ID | Name | Description
Initial Access | T1475 | Deliver Malicious App via Authorized App Store | Impersonates security app on Google Play.
Initial Access | T1444 | Masquerade as Legitimate Application | Impersonates legitimate GAS Tecnologia application.
Discovery | T1418 | Application Discovery | Sends list of installed apps on device.
Impact | T1516 | Input Injection | Can enter text and perform clicks on behalf of user.
Collection | T1417 | Input Capture | Records user input data.
Command and Control | T1437 | Standard Application Layer Protocol | Uses Firebase Cloud Messaging for C&C.

Lukas Stefanko

Temp Mails ( is a new free temporary email address service. This service provides you with random 10-minute email addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Protect your phone from malicious apps with the malware scanner VirusTotal Mobile

Last year Google removed 85 apps from the Play Store after security researchers found that they were adware in disguise.
These were all sorts of applications, from gaming and TV to remote-control simulator apps, on the Android Play Store. This goes to show that even apps from the Google Play Store are not safe and could be running code and scripts on your phone.

Some of these apps even had API key certificates, and apart from these 85 apps, there may be other malicious apps roaming undetected. It is imperative to protect our phones and machines from such harmful apps and from other files that may have been downloaded from “unknown sources”.
It is always good to grant permissions to applications carefully, but some apps could still be running in the background, replicating viruses or downloading malware files onto your phone.

One way to protect your phone from such attacks is to use a malware scanner.
A virus/malware scan is the process in which software scans a computing device and identifies viruses. Through a scan, you can review and identify threatening viruses and programs. Anti-virus software will also do the job, but scanning with a scanner adds an extra cushion of security, as scanners usually carry more virus and malware signatures and check files with multiple anti-virus engines rather than a single one.

VirusTotal Mobile, an Android application available on the Play Store, is a virus scanner app that scans the applications installed on your phone for malicious content such as malware, viruses, trojans or worms, and notifies you if any is found. Scanning your phone for viruses and running this application to remove any malware on your device is a critical part of maintaining your mobile device. If a virus does get onto your phone and is not removed, it could result in numerous problems: losing important data, leaks of your personal data, or a compromised device.

The VirusTotal Mobile app scans your applications with more than 50 anti-virus engines, flagging suspicious content; files and URLs can be checked too, not only apps. It is developed by, a trusted virus, malware and URL scanner. It is good to remember that the app only tells you about malicious content and does not remove the malware.

Simple, effective and fast (without those annoying ads or pings), VirusTotal Mobile is a must-have tool to protect your phone from dubious apps that could be running pre-installed code.


Windows 10 Users Beware! Astaroth Malware Campaign is Back and More Malicious!

A malware group that goes by the name of ‘Astaroth’ has re-emerged stronger and stealthier than before. This group has been known for exploiting Microsoft Windows tools to further the attack.

Microsoft had become aware of these methods and exposed the malware group and its “living-off-the-land” tactics. But the malware has resurfaced with increased activity and better techniques.

Reportedly, the Windows Management Instrumentation Command-line (WMIC) is the built-in tool that was used the last time, as spotted by Windows Defender ATP.

Per sources, Microsoft’s analysis led to the discovery of a spam operation that spread emails with links to websites hosting a “.LNK” shortcut file, which would instruct WMIC and other Windows tools to run “fileless” malware in memory, well out of reach of anti-malware software.

Sources indicate that, having learnt from its mistakes, Astaroth now entirely avoids using WMIC. January and February showed a rise in activity.

According to sources, the new campaign still begins with a spam email containing a link to a malicious website hosting an LNK file, but the new version employs a file attribute, “Alternate Data Streams” (ADS), that lets the attacker attach data to a file that already exists, making it easier to hide malicious payloads.

Per source reports, the first step of the campaign, a spam email, reads: “Please find in the link below the STATEMENT #56704/2019 AND LEGAL DECISION, for due purposes”. The link is an archive file marked as “”.

It manipulates ExtExport.exe to load the payload, which researchers describe as a valid process and an extremely unusual attack mechanism.

Once the victim clicks on the LNK file inside the .zip file, the malware runs an obfuscated BAT command line, which drops a JavaScript file into the ‘Pictures’ folder and instructs explorer.exe to run the file.

Researchers mention, and sources confirm, that using ADS lets the stream data stay invisible in File Explorer; in this version Astaroth reads and decrypts plugins from ADS streams in desktop.ini that let it steal email and browser passwords. It also disables security software.

Per sources, the plugins are the “NirSoft WebBrowserPassView” tool, for recovering browser passwords, and the “NirSoft MailPassView” tool, for recovering email client passwords.

This is not the only legitimate tool Astaroth exploits. A command-line tool named “BITSAdmin”, which helps admins create download and upload jobs and track their progress, is exploited to download encrypted payloads.

Reportedly, Astaroth has previously wreaked havoc on continents like Asia, North America, and Europe.


New Malicious Program ‘Nefilim’ Threatens to Release Stolen User Data

Nefilim, a new malicious program, is ransomware that encrypts files on affected systems; it has been active in the cyber ecosystem since February 2020. After encrypting the files, it demands a ransom from the victims for the decryption of files, tools and software. It is still unclear how the ransomware is being spread; sources reckon it is distributed via vulnerable Remote Desktop Services.

According to the head of SentinelLabs, Vitali Kremez, and Michael Gillespie from ID Ransomware, the code employed in Nefilim closely resembles that of Nemty, another file-encrypting ransomware that takes user data hostage by restricting access to documents and multimedia using the AES-256 algorithm. Security researchers speculate that the authors of the first ransomware are likely to have a role in Nefilim’s creation and distribution. However, given the uncertainty about where the new ransomware originates, experts also point to the possibility that its source code was somehow obtained by new malicious actors to develop a new variant.

While encryption is underway, the “.NEFILIM” extension is appended to every affected file. For instance, a file previously named “xyz.png” appears as “xyz.png.NEFILIM” after encryption. Once the process completes, a ransom note titled “NEFILIM-DECRYPT.txt” is created on the infected user’s desktop. “A large amount of your private files have been extracted and is kept in a secure location. If you do not contact us in seven working days of the breach we will start leaking the data. After you contact us we will provide you proof that your files have been extracted.” the note reads.

According to sources, for payment Nefilim primarily relies on email communication instead of a Tor payment site, following the removal of the Ransomware-as-a-Service (RaaS) component, and this stands out as one major difference. According to Gillespie’s analysis, there is currently no way to retrieve files without paying the ransom because the ransomware is reported to be completely secure. Consequently, victims are threatened into paying the demanded amount within a week, or else the stolen data will be exposed by the attackers.


Malicious Data Mining @ HyperIsland

Johan Edholm and I (Fredrik Nordberg Almroth) gave a talk a while back at HyperIsland, Stockholm (on the 18th of October) for the DDS13 group. The purpose of the talk was to introduce the students to IT security, and how malicious individuals can gather a lot of information on people and various IT systems.

The main subjects of the presentation covered the following topics:

  • Web-Scraping
  • Quick & Dirty SQL Injections
  • iPhone, WiFi & Evil Twins
  • Hacking Neighbours
  • Port scanning on Steroids

HyperIsland - #DDS13
Disposable mail gave guest lectures at Hyper Island


Registers as “Default Print Monitor”, but is a malicious downloader. Meet DePriMon

ESET researchers have discovered a new downloader with a novel installation technique not previously seen in the wild

DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledge base. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. Due to its complexity and modular architecture, we consider it to be a framework.

According to our telemetry, DePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.

Some of the domain names used as C&C servers contain Arabic words, which gives an indication of a region‑specific campaign. However, DePriMon deserves attention beyond its targets’ geographical distribution: it is carefully written malware, with lots of encryption that is used properly.

To help defenders stay safe from this threat, we’ve thoroughly analyzed this newly discovered malware, focusing on the downloader itself. Because we’re missing initial stage(s), which we will refer to here as “the first stage”, we don’t know the initial distribution and compromise vector. What kind of final payload is used in the attacks is another question that remains to be answered.

However, it should be noted that, in a few cases, DePriMon was detected with ColoredLambert malware on the same computers within a short time frame. ColoredLambert is used by the Lamberts (aka Longhorn) cyberespionage group and linked to the Vault 7 leak of CIA capabilities. Our colleagues from Symantec and Kaspersky published their analyses in April 2017.

Technical analysis

Stage two

Both DePriMon’s second and third stages are delivered to the victim’s disk in the first stage. The second stage installs itself and loads the third stage using an encrypted, hardcoded path. One of the possible explanations is that it was configured after the first stage of the attack occurred.

The described installation technique is unique. In principle, it is described in the MITRE ATT&CK taxonomy as “Port Monitors”, under both Persistence and Privilege Escalation tactics. We believe DePriMon is the first example of malware using this technique ever publicly described.

The second stage registers the third-stage DLL as a port monitor by creating the following registry key and value:

HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor
Driver = %PathToThirdStageDLL%

Administrator rights are required for creating this registry key.

At system startup, the registered DLL will be loaded by spoolsv.exe with SYSTEM privileges, which, combined with the uniqueness of this method, makes this technique very effective for attackers.
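A defensive check for this persistence mechanism, as an added example rather than code from ESET's analysis: a Python audit that parses a `reg export` of the Monitors key (a constructed export is embedded below; the trojan entry's DLL name in it is a placeholder, not an IoC) and flags any monitor whose name or Driver value departs from a baseline of stock Windows print monitors. The baseline itself, and the assumption that stock monitors are registered by bare DLL name rather than a full path, are assumptions to verify against a known-clean build of your own.

```python
import re
from typing import Dict, List, Tuple

MONITORS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors"

# Assumed baseline of monitor names and driver DLLs shipped with Windows
# (hypothetical; build your own from a known-clean image of the same build).
BASELINE: Dict[str, str] = {
    "Local Port": "localspl.dll",
    "Standard TCP/IP Port": "tcpmon.dll",
    "USB Monitor": "usbmon.dll",
    "WSD Port": "WSDMon.dll",
    "LPR Port": "lprmon.dll",
    "Appmon": "AppMon.dll",
}

# Constructed `reg export` output. The last key mirrors the registration
# described in the analysis; the DLL name is a placeholder, not an IoC.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port]
"Driver"="localspl.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port]
"Driver"="tcpmon.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Standard TCP/IP Port\Ports]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Windows Default Print Monitor]
"Driver"="C:\\Windows\\System32\\placeholder_mon.dll"
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DRIVER_RE = re.compile(r'^"Driver"="(.*)"$')


def _unescape(value: str) -> str:
    """Undo .reg string escaping (backslashes and quotes are escaped with a backslash)."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_monitors(reg_text: str) -> Dict[str, str]:
    """Map each monitor name (direct child of the Monitors key) to its Driver value."""
    monitors: Dict[str, str] = {}
    current = None
    prefix = MONITORS_KEY.lower() + "\\"
    for line in reg_text.splitlines():
        line = line.strip()
        key_match = _KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            current = None
            if key.lower().startswith(prefix):
                rest = key[len(prefix):]
                if "\\" not in rest:  # skip deeper subkeys such as ...\Ports
                    current = rest
            continue
        driver_match = _DRIVER_RE.match(line)
        if driver_match and current is not None:
            monitors[current] = _unescape(driver_match.group(1))
    return monitors


def audit_monitors(monitors: Dict[str, str],
                   baseline: Dict[str, str] = BASELINE) -> List[Tuple[str, str, str]]:
    """Return (monitor, driver, reason) for every registration outside the baseline."""
    findings = []
    lower_baseline = {k.lower(): v.lower() for k, v in baseline.items()}
    for name, driver in monitors.items():
        expected = lower_baseline.get(name.lower())
        basename = re.split(r"[\\/]", driver)[-1]
        if expected is None:
            findings.append((name, driver, "monitor name not in baseline"))
        elif basename.lower() != expected:
            findings.append((name, driver, f"driver differs from baseline {expected}"))
        elif basename != driver:
            # Assumption: stock monitors are registered by bare DLL name, not a full path.
            findings.append((name, driver, "driver registered with an explicit path"))
    return findings


if __name__ == "__main__":
    for name, driver, reason in audit_monitors(parse_monitors(SAMPLE_REG_EXPORT)):
        print(f"{name!r}: {driver} ({reason})")
```

Because DePriMon drops its components into System32 under names that mimic common system DLLs, the name-based baseline comparison is the check that matters; inspecting the path alone would pass it. To run this against a live host, export the key with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors" monitors.reg`, read the file with `encoding="utf-16"` (reg export writes UTF-16), and pass the text to `parse_monitors`.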

The second stage checks regularly whether there is a file in the %system32% folder with the same name as the third stage DLL file but without the “.dll” extension. This file serves as an uninstallation trigger – should DePriMon find it, it removes both this file and its own components in a secure way by overwriting the binaries and then deleting them.

Stage three

The third stage, responsible for downloading the main payload(s) from DePriMon’s operators, also implements some interesting techniques.

For C&C communication, it uses the Microsoft implementation of SSL/TLS, Secure Channel, instead of common APIs like WinHTTP or WinInet. Its configuration is very complex, as is the way the malware handles it. Finally, the authors have put significant effort into encryption, making the DePriMon malware more difficult to analyze.

C&C communication

DePriMon communicates securely over TLS, but not through a high-level API as is typical for malware. The connection is initialized with a Windows socket and may continue with the initialization of an authenticated Security Support Provider Interface (SSPI) session using the Negotiate / NTLM SSP. After that, DePriMon uses Schannel.

Whether SSPI is used depends on a particular flag in the configuration file, and the SSPI path can use the machine’s local proxy settings. The implementation is similar to this example provided by Microsoft.

The malware’s implementation of TLS via Schannel is similar to this example by Coast Research & Development. It includes creating credentials, performing the client handshake and verifying the server certificate.

Figure 1. Part of the SSPI implementation as output by the Hex-Rays decompiler

After the communication is established, the third stage encrypts and decrypts messages manually each time.


The configuration data for DePriMon’s third stage has 27 members, which is an unusually large number for a downloader. It is encrypted with AES-256 and embedded in the binary.

During the first run, DePriMon’s third stage (the downloader itself) decrypts the configuration data with Key 2 (see the IoCs section), encrypts it with Key 3 and stores the encrypted configuration file in a temporary folder. The filename for the configuration file is created via the following process: starting with the second byte, the value of Key 2 is transformed into a base-36 number encoded using the custom alphabet “abc…xyz012…789”. The extension of the configuration file is “.tmp”.

An example of a configuration file path: %temp%\rb1us0wm99sslpa1vx.tmp.
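The filename derivation just described, worked through in Python as an added example (not ESET's code): a base-36 encoder over the custom alphabet “abc…xyz012…789”, its inverse, and a helper that derives the `.tmp` name from Key 2 as listed in the IoCs section. The analysis does not state the byte order or how many of Key 2's bytes feed the number, so the big-endian interpretation of everything from the second byte onward is an assumption; a name computed this way is a starting point to confirm against a sample, and `matches_scheme` is the shape-based hunt for files in %temp% that fit the scheme regardless of that detail.

```python
# Custom alphabet from the analysis: lowercase letters first, then digits.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"

# Key 2 as listed in the IoCs section of the analysis.
KEY2 = bytes.fromhex("8D35913F80A23E820C23B3125ABF57901BC9A7B83283FB2B240193ABDEDE52B9")


def to_base36(value: int) -> str:
    """Encode a non-negative integer with the custom alphabet, most significant digit first."""
    if value < 0:
        raise ValueError("value must be non-negative")
    if value == 0:
        return ALPHABET[0]
    digits = []
    while value:
        value, rem = divmod(value, 36)
        digits.append(ALPHABET[rem])
    return "".join(reversed(digits))


def from_base36(text: str) -> int:
    """Inverse of to_base36; raises ValueError on characters outside the alphabet."""
    value = 0
    for ch in text:
        value = value * 36 + ALPHABET.index(ch)
    return value


def config_filename(key2: bytes) -> str:
    """Derive the configuration file name from Key 2.

    Assumption (not stated in the analysis): the bytes from the second byte
    onward are read as a single big-endian integer.
    """
    return to_base36(int.from_bytes(key2[1:], "big")) + ".tmp"


def matches_scheme(filename: str) -> bool:
    """True if a file name has the shape this scheme produces: alphabet-only stem plus '.tmp'."""
    stem, dot, ext = filename.rpartition(".")
    return dot == "." and ext == "tmp" and stem != "" and all(c in ALPHABET for c in stem)


if __name__ == "__main__":
    print(config_filename(KEY2))
    # The path from the analysis fits the shape; a mixed-case or differently
    # suffixed name does not.
    print(matches_scheme("rb1us0wm99sslpa1vx.tmp"), matches_scheme("Report.tmp"))
```

The shape check is deliberately loose (any lowercase alphanumeric stem with a `.tmp` extension), so treat its hits as candidates to inspect for AES-encrypted content rather than as detections on their own.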

During the second run, the downloader reads the configuration data from the file, not from itself – this way, the attacker can easily update the configuration.

Thanks to its secure design, the configuration is not left in memory in unencrypted form. Every time the downloader needs to use some element of the configuration file, it decrypts the configuration file, retrieves the member and encrypts the file again.

This design protects the malware’s primary function – C&C communication – against memory forensics.

Figure 2. Part of the code as seen by the Hex-Rays decompiler, which illustrates how the DePriMon malware decrypts the configuration file, saves a few members to local variables and encrypts it again

Of interest in the configuration file are:

  • Two entries for usernames and two members for passwords – for the proxy server if it is set on the machine. It means attackers are preparing to further their attack via a proxy with credentials. However, we haven’t seen functionality for stealing these details, so it appears that it is done in another phase of the attack.
  • Three entries for three C&C servers – each of them used on a different occasion.
  • Three entries for three ports – each of them used on a different occasion.
  • Flags indicating whether the downloader initializes a connection through Security Support Provider Interface (SSPI) with a possible proxy or only with a socket (described later).

It should be noted that besides C&C servers extracted from malware samples, we identified additional domains and servers likely related to this malware.


The malware uses the AES encryption algorithm with three different 256-bit keys for different purposes (these keys are listed in the IoCs section).

  • Key 1: For decryption of various sensitive strings in the malware.
  • Key 2: For encryption and decryption of the configuration data in memory (as described earlier). This key is also used to generate the third key.
  • Key 3: For encryption and decryption of the configuration file on disk.

This key is not hardcoded but derived using a 32-byte array which is then encrypted. The array is generated as follows: the first 4 bytes are the volume serial number of the system drive, and the remaining 28 bytes contain the values 5 – 32. This array is encrypted with Key 2, resulting in Key 3.


DePriMon is an unusually advanced downloader whose developers have put extra effort into setting up the architecture and crafting the critical components.

DePriMon is downloaded to memory and executed directly from there as a DLL using the reflective DLL loading technique. It is never stored on disk. It has a surprisingly extensive configuration file with several interesting elements, its encryption is properly implemented and protects the C&C communication effectively.

As a result, DePriMon is a powerful, flexible and persistent tool designed to download a payload and execute it, and to collect some basic information about the system and its user along the way.

Indicators of Compromise (IoCs)

ESET detection names


SHA-1 hashes



Domain IP address

Keys – example

Key 1: C097CF17DC3303BC8155534350464E50176ACA63842B0973831D8C6C8F136817
Key 2: 8D35913F80A23E820C23B3125ABF57901BC9A7B83283FB2B240193ABDEDE52B9
Key 3: Derived as described earlier.



MITRE ATT&CK techniques

Tactic | ID | Name | Description
Persistence | T1013 | Port Monitors | DePriMon installs one of its components as a port monitor for achieving persistence.
Defense Evasion | T1036 | Masquerading | DePriMon places its components into the System32 folder with names mimicking common system DLLs.
Defense Evasion | T1107 | File Deletion | DePriMon can delete itself securely by overwriting its files with random data and then deleting them.
Defense Evasion | T1112 | Modify Registry | DePriMon adds a registry entry under HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors to achieve persistence.
Defense Evasion | T1134 | Access Token Manipulation | DePriMon obtains a user token for obtaining information about the proxy settings on the machine.
Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | DePriMon encrypts some of its strings and its configuration file using AES-256.
Discovery | T1007 | System Service Discovery | DePriMon can list registered services on the system.
Discovery | T1057 | Process Discovery | DePriMon can list running processes on the system.
Discovery | T1082 | System Information Discovery | DePriMon collects various information about the system.
Discovery | T1124 | System Time Discovery | DePriMon regularly checks system time and performs various actions based on it, such as uninstallation.
Command And Control | T1043 | Commonly Used Port | DePriMon uses ports 443 and 8080 for C&C communication.
Command And Control | T1071 | Standard Application Layer Protocol | DePriMon uses HTTP for C&C communication.
Command And Control | T1090 | Connection Proxy | DePriMon uses local proxy settings to make its communication less suspicious.

ESET Research
