Android Banking Trojan Antidot Disguised as Google Play Update – Source: www.darkreading.com

Source: the lightwriter via Alamy Stock Photo

A banking Trojan impacting Google Android devices, dubbed “Antidot” by the Cyble research team, has emerged, disguising itself as a Google Play update.

The malware displays fake Google Play update pages in multiple languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English, indicating potential targets in these regions. 

Antidot uses overlay attacks and keylogging techniques to efficiently harvest sensitive information such as login credentials.

Overlay attacks create fake interfaces that mimic legitimate apps, tricking users into entering their information, while keylogging captures every keystroke made by the user, ensuring that the malware collects comprehensive data, including passwords and other sensitive inputs.

Rupali Parate, Android malware researcher for Cyble, explains the Antidot malware leverages an “Accessibility” service to function.

Once installed and granted permission by the victim, it establishes communication with its command-and-control (C2) server to receive commands. The server registers the device with a bot ID for ongoing communication.

The malware sends a list of installed application package names to the server, which identifies target applications.

“Significant Control Over Infected Devices”

Upon identifying a target, the server sends an overlay injection URL (an HTML phishing page) that is displayed to the victim whenever they open the genuine application.

When victims enter their credentials on this fake page, the keylogger module transmits the data to the C2 server, allowing the malware to harvest credentials.

“What sets Antidot apart is its use of WebSocket to maintain communication with its [C2] server,” Parate says. “This enables real-time, bidirectional interaction for executing commands, giving the attackers significant control over infected devices.”

Among the commands executed by Antidot are the collection of SMS messages, initiation of unstructured supplementary service data (USSD) requests, and remote control of device features such as the camera and screen lock. 

The malware also implements VNC using MediaProjection to enable remote control of infected devices, further amplifying its threat potential.

Remote control virtual network computing (VNC) devices that are infected allow hackers to execute a complete fraud chain, Parate explains.

“They can monitor real-time activities, perform unauthorized transactions, access private information, and manipulate the device as if they were physically holding it,” she says. “This capability maximizes their potential to exploit the victim’s financial resources and personal data.”

The emergence of Android banking Trojans poses a significant threat because they can bypass traditional security measures, exploit user trust, and gain extensive access to personal and financial information, she adds.

“These Trojans can silently operate in the background, making them difficult to detect while continuously exfiltrating sensitive data, leading to severe financial and privacy breaches,” Parate says.

The Trend Toward Multifaceted Attacks 

These Trojans are growing more sophisticated through advanced obfuscation techniques, real-time C2 communication, and multilayered attack strategies such as combining overlay attacks, keylogging, and VNC for remote control, Parate says.

“The Antidot Trojan indicates that mobile malware is becoming more advanced and targeted. It shows a trend toward multifaceted attacks that exploit system features and user trust,” she explains.

The use of real-time communication and remote control capabilities signifies a shift toward more interactive and persistent threats, she adds.

“This evolution underscores the need for improved security measures and user awareness to combat increasingly sophisticated mobile malware,” Parate says. 

Banking Trojans continue to proliferate globally, including the Godfather mobile banking Trojan, first discovered in 2022 and now targeting 237 banking apps spread across 57 countries, and the GoldDigger malware, targeting Vietnamese organizations.