ESET researchers have discovered a banking trojan in the official Google Play store. The malware was listed in the "Education" section under the name DEFENSOR ID.
The banker's store listing claimed that its purpose was to improve user security through end-to-end encryption. In reality, of course, the application did nothing of the kind. To operate, DEFENSOR ID requested several critical permissions, including the ability to change system settings and access to the Accessibility Service.
Researchers note that the application made it into the official Google Play store because of its exceptional stealth. Its operators reduced malicious activity to a minimum by removing every potentially suspicious feature except one: abuse of the Accessibility Service. Thanks to this, the application survived on Google Play for several months: DEFENSOR ID was added to the catalog on February 3, 2020, and in early May 2020 it was updated to version 1.4.
The Accessibility Service is Android's well-known "Achilles heel". Although its main purpose is to make applications easier to use for people with disabilities, attackers have for years abused its capabilities to interact with the system interface and other applications.
Once granted these privileges, the application could read any text displayed by any other application and forward it to the attackers: SMS messages, login credentials, two-factor authentication codes and so on. This gave the malware access to the victim's online banking, social network and email accounts.
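As an added, defender-side example (not ESET's tooling and not code from the DEFENSOR ID analysis), the Python script below performs a static check of an Android manifest for the two indicators the article names: the WRITE_SETTINGS permission and a declared Accessibility Service. The two manifests embedded in it are constructed for this example; the package and service names are placeholders, not the real app's.

```python
# Added example: static triage of an Android manifest for the permission
# patterns described above (changing system settings and binding an
# Accessibility Service). Both manifests below are constructed samples.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android identifiers for the capabilities the article calls out.
WRITE_SETTINGS = "android.permission.WRITE_SETTINGS"
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def audit_manifest(manifest_xml: str) -> dict:
    """Return which risky capabilities a manifest declares and a triage verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

    accessibility_services = []
    for svc in root.iter("service"):
        # A service is an accessibility service if the system must hold
        # BIND_ACCESSIBILITY_SERVICE to bind to it, or if it filters the
        # AccessibilityService intent action.
        actions = {a.get(ANDROID_NS + "name") for a in svc.iter("action")}
        binds_as_accessibility = svc.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
        if binds_as_accessibility or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(ANDROID_NS + "name"))

    findings = {
        "package": root.get("package"),
        "writes_system_settings": WRITE_SETTINGS in requested,
        "accessibility_services": accessibility_services,
    }
    # An accessibility service lets an app read what other apps display, so it
    # always deserves manual review; combined with WRITE_SETTINGS it matches the
    # profile described above.
    if accessibility_services and findings["writes_system_settings"]:
        findings["verdict"] = "high"
    elif accessibility_services:
        findings["verdict"] = "review"
    else:
        findings["verdict"] = "low"
    return findings


# Constructed manifest resembling the pattern in the article (placeholder names).
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.banker">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.WRITE_SETTINGS" />
    <application android:label="Constructed sample">
        <service android:name=".ScreenReaderService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService" />
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of an ordinary app with no risky declarations.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
    <uses-permission android:name="android.permission.INTERNET" />
    <application android:label="Constructed notes app">
        <service android:name=".SyncService" />
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_manifest(xml))
```

The check is deliberately narrow: it reports only what the manifest declares, so an app that asks for an accessibility service for a legitimate reason will also land in the "review" bucket. The point is to surface such apps for human inspection before they are approved or installed, not to decide on its own that they are malicious.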
The name of the malware's developer, GAS Brazil, suggests that the criminals were targeting Brazilian users (although the application exists in an English version as well as a Portuguese one). The name apparently also alludes to a well-known anti-fraud solution called GAS Tecnologia. This software is commonly installed on computers in Brazil, and several banks in the country require it for access to online banking.
Alongside DEFENSOR ID, the researchers found another malicious application called Defensor Digital; both used the same command-and-control server. Both programs have now been removed from Google Play.