MITRE ATT&CK® Malware

S0403: Riltok

Riltok is banking malware that uses phishing popups to collect user credentials.[1]

Domain: Mobile. ID: S0403. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Riltok is an Android banking malware entry in ATT&CK. The business issue is not just “malware on a phone”; it is mobile credential exposure through convincing phishing popups, paired with device and app discovery, web-based communications, possible accessibility abuse, and access to sensitive mobile data such as contacts and SMS messages. For leaders, this matters where mobile devices are used for banking, workforce identity, MFA workflows, customer support, executive communications, or regulated data access.

Executive priority

Prioritize this as a mobile identity and fraud-readiness scenario. Executives should ask whether Android devices that access business systems are governed by mobile security policy, whether credential-entry abuse on mobile is in incident response playbooks, and whether SOC teams can see risky app behavior rather than only traditional endpoint alerts. It is also relevant to compliance evidence: organizations should be able to show how they manage mobile app risk, sensitive permission use, and response to suspected credential theft on enrolled devices.

Technical view

ATT&CK provides no official detection text for Riltok, so validation should be behavior-led using the relationships: GUI Input Capture, Software Discovery, System Network Configuration Discovery, System Information Discovery, Web Protocols, Input Injection, Contact List access, and SMS Messages access on Android. SOC and IR teams should confirm whether their mobile telemetry can identify suspicious overlays or phishing-style prompts, unusual accessibility API use consistent with input injection, enumeration of installed applications, collection of device or network details, access to contacts or SMS content, and outbound HTTP/HTTPS communications from suspicious apps. Because tactics are not specified in the supplied object, detections should be mapped locally to the organization’s mobile threat model rather than over-interpreting ATT&CK tactic coverage.

Likely telemetry

  • Android mobile threat defense or EDR alerts for suspicious app behavior
  • MDM/UEM inventory showing installed applications and app provenance
  • Android app permission grants, especially SMS, contacts, and accessibility-related permissions
  • Accessibility service enablement and abnormal UI interaction events where available
  • Network telemetry for mobile app HTTP/HTTPS communications

Detection direction

  • Validate visibility into Android overlay or GUI prompt abuse; this is a common blind spot because phishing prompts may look like normal mobile UI to users.
  • Tune for combinations of behaviors rather than single permissions: installed-app discovery plus SMS/contact access plus web communications is more meaningful than any one signal alone.
  • Review accessibility API monitoring because the related Input Injection technique depends on abuse of Android accessibility capabilities.
  • Confirm whether mobile network traffic can be tied back to the responsible app; generic HTTPS volume alone is unlikely to be actionable.
  • Account for false positives from legitimate apps that request contacts, SMS, device information, or network details; detections need context such as app reputation, source, timing, and user role.
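The combination rule in the bullets above (installed-app discovery plus SMS/contact access plus web communications, escalated by accessibility abuse and weighed against app provenance) can be expressed as a small scoring pass over per-app telemetry. The block below is an added illustration written for this page; it is not Glexia's or MITRE's code, and the event record shape, event names and the install-provenance field are assumptions standing in for whatever the MDM or mobile threat defense product actually emits. The sample events are constructed. Technique IDs come from the relationship table on this page.

```python
"""Score Android apps on combinations of risky behaviours, not single signals.

Added example, not code from the ATT&CK object or this page. The event
schema, event names and the APP_SOURCE provenance map are hypothetical
stand-ins for real MDM / mobile threat defense telemetry.
"""
from collections import defaultdict

# Constructed sample telemetry: one record per observed behaviour.
SAMPLE_EVENTS = [
    {"app": "com.example.sidebank", "event": "permission_granted", "detail": "READ_SMS"},
    {"app": "com.example.sidebank", "event": "permission_granted", "detail": "READ_CONTACTS"},
    {"app": "com.example.sidebank", "event": "accessibility_enabled", "detail": ""},
    {"app": "com.example.sidebank", "event": "package_enumeration", "detail": "getInstalledApplications"},
    {"app": "com.example.sidebank", "event": "network_connect", "detail": "http://198.51.100.7/gate"},
    {"app": "com.example.sidebank", "event": "overlay_shown", "detail": "SYSTEM_ALERT_WINDOW"},
    # A legitimate messenger: contacts plus network, but no app discovery.
    {"app": "com.example.messenger", "event": "permission_granted", "detail": "READ_CONTACTS"},
    {"app": "com.example.messenger", "event": "network_connect", "detail": "https://api.messenger.test/v1"},
    # A launcher that enumerates packages and nothing else.
    {"app": "com.example.launcher", "event": "package_enumeration", "detail": "getInstalledApplications"},
]

# Hypothetical install provenance as reported by the MDM.
APP_SOURCE = {
    "com.example.sidebank": "sideloaded",
    "com.example.messenger": "play_store",
    "com.example.launcher": "play_store",
}

# Behaviour class -> ATT&CK technique from this page's relationship table.
BEHAVIOUR_TO_TECHNIQUE = {
    "sms_access": "T1636.004",
    "contact_access": "T1636.003",
    "accessibility": "T1516",
    "app_discovery": "T1418",
    "web_comms": "T1437.001",
    "overlay": "T1417.002",
}


def classify(event):
    """Map one raw event to a behaviour class, or None if not of interest."""
    kind, detail = event["event"], event["detail"]
    if kind == "permission_granted":
        if detail in ("READ_SMS", "RECEIVE_SMS"):
            return "sms_access"
        if detail == "READ_CONTACTS":
            return "contact_access"
        return None
    return {
        "accessibility_enabled": "accessibility",
        "package_enumeration": "app_discovery",
        "network_connect": "web_comms",
        "overlay_shown": "overlay",
    }.get(kind)


def behaviours_per_app(events):
    """Collapse the event stream into the set of behaviour classes per app."""
    seen = defaultdict(set)
    for ev in events:
        behaviour = classify(ev)
        if behaviour:
            seen[ev["app"]].add(behaviour)
    return dict(seen)


def score_app(behaviours, source):
    """Return (score, reasons). A single behaviour scores 0; combinations add up."""
    score, reasons = 0, []
    has_core = ({"app_discovery", "web_comms"} <= behaviours
                and bool(behaviours & {"sms_access", "contact_access"}))
    if has_core:
        score += 3
        reasons.append("app discovery + web comms + SMS/contacts")
    if "accessibility" in behaviours and behaviours & {"overlay", "sms_access"}:
        score += 2
        reasons.append("accessibility service with overlay or SMS access")
    # Provenance only adjusts an already-suspicious app; it never flags alone.
    if score and source == "sideloaded":
        score += 1
        reasons.append("sideloaded")
    return score, reasons


def flag_apps(events, sources, threshold=3):
    """Return {app: {score, reasons, techniques}} for apps at or above threshold."""
    flagged = {}
    for app, behaviours in behaviours_per_app(events).items():
        score, reasons = score_app(behaviours, sources.get(app, "unknown"))
        if score >= threshold:
            flagged[app] = {
                "score": score,
                "reasons": reasons,
                "techniques": sorted(BEHAVIOUR_TO_TECHNIQUE[b] for b in behaviours),
            }
    return flagged


if __name__ == "__main__":
    for app, verdict in flag_apps(SAMPLE_EVENTS, APP_SOURCE).items():
        print(app, verdict)
```

Only the sideloaded app crosses the threshold; the messenger (contacts plus network) and the launcher (package enumeration alone) score zero, which is the point of requiring combinations. Thresholds and weights are placeholders to be tuned against the organisation's own app inventory and false-positive history.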

Mitigation priorities

  • Enforce mobile device management for Android devices that access business resources, including inventory, policy compliance, and removal capability.
  • Restrict installation from untrusted sources where policy allows, and review mobile app trust before granting business access.
  • Limit high-risk permissions and monitor grants for SMS, contacts, and accessibility services on managed devices.
  • Require strong identity protections for business systems so stolen mobile credentials alone do not provide sufficient access.
  • Educate users to report unexpected credential popups, especially when they appear outside the expected application flow.

Analyst notes and limits

The supplied ATT&CK object identifies Riltok as Android banking malware using phishing popups to collect credentials and provides relationships to several mobile techniques. The strongest defensive value is to use those relationships as a checklist for mobile visibility: UI deception, accessibility abuse, app discovery, device/network discovery, web communications, and access to contacts or SMS. This should be treated as a behavior-based readiness exercise, not as proof of exposure in any specific environment.

MITRE provides no official detection guidance in the supplied fields, no tactics are specified, and the object does not include active exploitation status, attribution, prevalence, indicators, or detailed procedures. Local conclusions require environment-specific mobile telemetry, device enrollment status, app inventory, and incident evidence.

Official MITRE ATT&CK definition

Riltok

Riltok is banking malware that uses phishing popups to collect user credentials.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

8 rows

Domain | ID | Name | Relationship / procedure
Mobile | T1422 | System Network Configuration Discovery | Riltok can query the device's IMEI.[1]
Mobile | T1437.001 | Web Protocols (sub-technique) | Riltok communicates with the command and control server using HTTP requests.[1]
Mobile | T1636.003 | Contact List (sub-technique) | Riltok can access and upload the device's contact list to the command and control server.[1]
Mobile | T1418 | Software Discovery | Riltok can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.[1]
Mobile | T1426 | System Information Discovery | Riltok can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.[1]
Mobile | T1417.002 | GUI Input Capture (sub-technique) | Riltok can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.[1]
Mobile | T1636.004 | SMS Messages (sub-technique) | Riltok can intercept incoming SMS messages.[1]
Mobile | T1516 | Input Injection | Riltok injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: bb4f47152661f98f...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | bb4f47152661…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky Riltok June 2019: Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.
  2. [2] mitre-attack S0403

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.