Banking Trojan Antidot disguised as Google Play update


A banking Trojan named “Antidot” was discovered by the Cyble research team, affecting Google Android devices and disguised as a Google Play update. The malware displays fake Google Play update pages in multiple languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English, indicating its wide-ranging target area.

Antidot uses overlay attacks and keylogging techniques to collect sensitive information, such as login credentials. Overlay attacks create fake interfaces that mimic legitimate applications to trick users into entering information, while keylogging techniques capture every keystroke of the user, thereby obtaining comprehensive data, including passwords and other sensitive inputs.

Rupali Parate, Android malware researcher at Cyble, explained that the Antidot malware abuses Android's accessibility service. Once installed and granted permissions by the victim, the malware establishes communication with its command and control (C2) server to receive commands. The server registers the device under a bot ID for ongoing communication. The malware sends a list of installed application package names to the server so that the target application can be identified.

After identifying the target app, the server sends an overlay injection URL (HTML phishing page) that is displayed whenever the victim opens the genuine app. When the victim enters the credentials on the fake page, the keylogger module transmits the data to the C2 server, allowing the malware to obtain the credentials.

Parate pointed out that Antidot is unique in that it uses WebSocket to maintain communication with the C2 server, enabling real-time two-way interaction, giving the attacker significant control over the infected device. The commands executed by Antidot include collecting SMS messages, initiating Unstructured Supplementary Service Data (USSD) requests, and remotely controlling device functions such as the camera and screen lock. The malware also uses MediaProjection to implement VNC (Virtual Network Computing) remote control, further enhancing its threat potential.
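The capabilities described above map onto a small set of Android permissions, which gives defenders a simple triage heuristic. The following is an added example, not code from Cyble or from the malware: it parses a decoded AndroidManifest.xml and flags the capability combinations the report attributes to Antidot. The permission names are real Android constants; the manifest and rule labels are constructed for illustration, and a real APK's binary manifest would first need decoding with a tool such as aapt.

```python
# Added triage heuristic (not from the Cyble report): flag Antidot-style capability
# combinations declared in a decoded AndroidManifest.xml. Sample manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each rule: (finding label, set of permissions that must all be declared).
RULES = [
    ("accessibility-driven overlay/keylogging",
     {"android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.SYSTEM_ALERT_WINDOW"}),
    ("installed-app enumeration for target selection", {"android.permission.QUERY_ALL_PACKAGES"}),
    ("SMS collection", {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}),
    ("USSD/call control", {"android.permission.CALL_PHONE"}),
    ("screen capture for VNC-style remote control",
     {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"}),
    ("camera access", {"android.permission.CAMERA"}),
]

def manifest_capabilities(manifest_xml: str) -> set:
    """Collect declared <uses-permission> names plus the accessibility-service marker."""
    root = ET.fromstring(manifest_xml)
    caps = {p.get(ANDROID_NS + "name", "") for p in root.iter("uses-permission")}
    # An accessibility service is declared as a <service> guarded by this permission,
    # not as a <uses-permission>, so it is detected on the service element instead.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    return caps

def triage(manifest_xml: str) -> list:
    """Return the labels of every rule whose permission set is fully present."""
    caps = manifest_capabilities(manifest_xml)
    return [label for label, needed in RULES if needed <= caps]

# Constructed manifest resembling a fake "update" app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print("flag:", finding)
```

A legitimate app can declare several of these individually; the heuristic is meant to prioritise review, not to convict, and is most useful combined with the installer source (sideloaded versus Play Store).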

The remote control capabilities over the infected device allow attackers to execute a complete fraud chain: they can monitor activity in real time, perform unauthorized transactions, access private information, and manipulate the device as if they physically held it. This capability maximizes their potential to exploit the victim's financial resources and personal data.

Parate emphasized that the emergence of Android banking Trojans poses a significant threat because they can bypass traditional security measures, exploit user trust, and gain extensive access to personal and financial information. These Trojans can run silently in the background, making them difficult to detect, while constantly exfiltrating sensitive data, leading to serious financial and privacy breaches.

She also noted that banking Trojans have become more sophisticated through advanced obfuscation techniques, real-time C2 communications, and multi-layered attack strategies, such as combining overlay attacks, keylogging, and VNC for remote control. The Antidot Trojan illustrates the trend toward increasingly complex and targeted mobile malware, highlighting the need for improved security measures and user awareness to counter it.

Banking Trojans continue to proliferate globally, such as the Godfather mobile banking Trojan, first discovered in 2022, which now targets 237 banking apps in 57 countries, and the GoldDigger malware that targets Vietnamese organizations.