Beware! Android Banking Trojan Mimics As Google Play Updates

A new Android banking Trojan, Antidot, emerged in May 2024, which steals credentials through overlay attacks and has various functionalities for complete device control.

Antidot uses VNC, keylogging, screen recording, and call forwarding to capture sensitive information. 

It can also collect contacts and SMS messages, initiate USSD requests, and lock/unlock the device. The malware utilizes custom encryption and obfuscation techniques to hinder analysis.

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Mentions of “Antidot” strings in malware source code 

The Antidot Android Banking Trojan is disguised as a Google Play update app and delivers a fake Google Play update page during installation, which has been seen in multiple languages, suggesting the malware targets users in German, French, Spanish, Russian, Portuguese, Romanian, and English speaking regions.

Fake update pages crafted in different languages

The Android malware Antidot utilizes social engineering to trick users into granting accessibility permissions, and upon installation, a deceptive update page with a “Continue” button is displayed. 

Clicking this button redirects the user to the Accessibility Settings menu, and by gaining Accessibility privileges, Antidot, similar to other Android banking Trojans, can perform malicious actions without the user’s knowledge or awareness, which enables the malware to steal sensitive information and potentially take control of the device. 

Antidot prompting user to grant Accessibility permission 

The Antidot banking trojan utilizes a combination of HTTP and WebSocket protocols to establish real-time, two-way communication with its Command and Control (C&C) server and initiates contact through an HTTP request but leverages WebSocket’s “socket.io” library for continuous data exchange. 

First ping message to the server 

The malware communicates using “ping” and “pong” messages. Client-side “ping” messages transmit Base64 encoded data, while server replies (“pong”) contain commands in plain text for the malware to execute, allowing the C&C server to discreetly issue instructions to the infected device. 

It initiates contact with the attacker’s C&C server by sending a “ping” message containing encoded device information like app name, version, device model, manufacturer, and installed apps. 

Pong message with bot ID 

Upon successful communication, the server responds with a “pong” message assigning a unique bot ID to the infected device, while the malware retrieves additional backup C&C server addresses during this exchange, ensuring continued communication even if the primary server goes offline. 

According to Cyble, the Antidot Banking Trojan establishes a two-way communication channel with its server upon receiving a unique bot ID, as the malware transmits bot statistics and fetches commands from the server. 

Commands received from the server 

The commands, totaling 35, grant the attacker extensive control over the victim’s device, including stealing information (SMS, contacts, keystrokes), manipulating the interface (overlay windows, brightness), and even controlling the device itself (taking pictures, making calls, initiating sleep mode).  

SOS activity

The Antidot Android Banking Trojan utilizes overlay attacks and keylogging to steal user credentials.

It overlays fake phishing pages resembling legitimate apps (like banking apps) on top of real ones, tricking users into entering their credentials into the malware. 

Additionally, it logs every keystroke the victim types, as it communicates with a command-and-control server, sending stolen data and receiving instructions, and if the server detects the device isn’t the intended target, it instructs the malware to prompt the user to uninstall itself via an “SOS” command.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.