learn to track

Android Banking Trojan “Antidot” Masquerades as Google Play Update

TLDR: Antidot, an Android banking Trojan disguised as a Google Play update, uses overlay attacks, keylogging, and remote control capabilities to steal sensitive data. Its advanced techniques and multi-layered attack strategies highlight the need for improved mobile security measures and user awareness.

A new banking Trojan named “Antidot” by Cyble researchers is targeting Android devices. It disguises itself as a Google Play update to trick users.

Multi-Language Fake Update Pages Target Various Regions

Antidot displays phony Google Play update screens in several languages:

  • German
  • French
  • Spanish
  • Russian
  • Portuguese
  • Romanian
  • English

This suggests the malware is aimed at victims in these regions.

Overlay Attacks and Keylogging Steal Sensitive Data

The Trojan employs two main techniques to harvest user information:

  1. Overlay attacks: Creates fake interfaces mimicking legitimate apps to fool users into entering credentials.
  2. Keylogging: Records every keystroke made by the user, capturing passwords and other sensitive inputs.

Devious tactics.

Accessibility Service Abuse Enables Malware Functioning

Rupali Parate, an Android malware researcher at Cyble, explains that Antidot misuses the “Accessibility” service to operate. Once the victim installs the malware and grants permission, it contacts its command-and-control (C2) server to receive commands. The server registers the infected device with a bot ID for continued communication.

Identifying Targets and Injecting Phishing Pages

Antidot sends the C2 server a list of installed app package names, which the server uses to identify target applications. Upon finding a target, the server sends an overlay injection URL (an HTML phishing page) that is shown to the victim whenever they open the genuine app. When the victim enters their credentials on this fake page, the keylogger module sends the data to the C2 server, allowing the malware to steal the information.

WebSocket Enables Real-Time Command Execution

What makes Antidot unique is its use of WebSocket for C2 server communication. This allows real-time, two-way interaction for executing commands, giving attackers significant control over compromised devices.

Some commands Antidot can carry out include:

  • Collecting SMS messages
  • Initiating USSD requests
  • Remotely controlling device features like the camera and screen lock

VNC Capability Amplifies Threat Potential

The malware also uses MediaProjection to implement VNC, enabling remote control of infected devices. This further increases its threat potential.

Hackers can perform a complete fraud chain with remote control VNC on compromised devices, Parate explains. They can monitor real-time activities, make unauthorized transactions, access private data, and manipulate the device as if they were physically holding it. This ability maximizes their potential to exploit the victim’s financial resources and personal information.

Advanced Obfuscation Techniques and Multi-Layered Attack Strategies

Android banking Trojans are becoming more sophisticated, employing advanced obfuscation techniques, real-time C2 communication, and multi-layered attack strategies. Antidot combines overlay attacks, keylogging, and VNC for remote control, indicating a trend towards more multifaceted threats that exploit system features and user trust.

The use of real-time communication and remote control capabilities points to a shift towards more interactive and persistent dangers, Parate notes. This evolution highlights the need for better security measures and user awareness to fight increasingly sophisticated mobile malware.

Stay vigilant, folks!


Add comment

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.