Cyble has raised concerns about Antidot, an Android banking trojan discovered in early May. Disguised as a Google Play update, Antidot employs overlay attacks to steal users’ credentials and monitor their activities. It boasts a wide range of capabilities, including VNC for remote control, keystroke logging, and screen recording.
Upon infecting a device, Antidot presents a fake Google Play update page tailored to the device’s language, redirecting victims to Accessibility settings to gain elevated permissions. In the background, it communicates with an attacker-controlled server to receive commands for overlay attacks, unlocking the device, and other malicious activities. This trojan utilizes the MediaProjection feature to capture and transmit the device’s display content to the command-and-control server.
Antidot’s overlay attack module displays HTML phishing pages that mimic legitimate banking or cryptocurrency applications to steal user credentials. It dynamically adapts to target applications, creating overlay windows to capture sensitive information when users attempt to access them. Cyble underscores the sophistication of Antidot’s tactics, which employ encryption and fake update pages to evade detection and maximize impact across regions where different languages are spoken.
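Because the trojan depends on the victim enabling an Accessibility service for an app posing as a Google Play update, one triage check on a suspect device is to list enabled accessibility services and flag any whose package was not installed by a trusted store. The following is an added example, not taken from Cyble's report; it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and the package names and the trusted-installer set are constructed assumptions.

```python
# Added example: flag apps with an enabled accessibility service that were
# not installed by a trusted store. Inputs are the text output of:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store only

def parse_accessibility_services(raw):
    """Return package names from a colon-separated 'package/ServiceClass' list."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}

def parse_installers(raw):
    """Map package -> installer from 'package:<name>  installer=<x>' lines."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        fields = line[len("package:"):].split()
        if not fields:
            continue
        installer = None
        for field in fields[1:]:
            if field.startswith("installer="):
                value = field[len("installer="):]
                installer = None if value == "null" else value
        installers[fields[0]] = installer
    return installers

def suspicious_accessibility_apps(services_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs that deserve manual review."""
    installers = parse_installers(packages_raw)
    flagged = []
    for pkg in sorted(parse_accessibility_services(services_raw)):
        installer = installers.get(pkg)  # None if sideloaded or not listed
        if installer not in trusted:
            flagged.append((pkg, installer))
    return flagged

# Constructed sample output; package names are made up for illustration.
SAMPLE_SERVICES = "com.example.screenreader/.ReaderService:com.example.fakeupdate/com.example.fakeupdate.Svc"
SAMPLE_PACKAGES = """package:com.example.screenreader  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    for pkg, installer in suspicious_accessibility_apps(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}: accessibility enabled, installer={installer}")
```

Preinstalled system accessibility services also report a null installer, so pair this check with an allow-list of the device image's own packages before treating a hit as malicious.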