Antidot (Banking Trojan) – Malware

July 12, 2024

Antidot

Additional names

None

Type of Malware

Banking Trojan

Date of initial activity

May 2024

Motivation

Data theft: harvesting sensitive information such as login credentials.

Tools

WebView, MediaProjection

Attack Vectors

Phishing messages to trick users into installing it. Unsuspecting users may receive an email — or more likely a text message — that appears to come from Google telling them they need to update Google Play.

OS Targeted

Android

Overview

Antidot is a newly discovered Android banking trojan, named after the string “Antidot” that appears in its source code as a logging tag across several classes. It masquerades as a Google Play update and uses overlay attacks to harvest victims’ credentials. An overlay attack displays a fake interface that mimics a legitimate app so that the user types their information into it, while the keylogging module captures every keystroke, so the malware collects passwords and other sensitive input even outside the overlay. Antidot obfuscates its strings with a custom encryption routine and uses gibberish class names, both of which make analysis harder. Its feature set includes:
  • VNC
  • Keylogging
  • Overlay attack
  • Screen recording
  • Call forwarding
  • Collecting contacts and SMSs
  • Performing USSD requests
  • Locking and unlocking the device
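The write-up notes that the sample hides behind obfuscated strings and gibberish class names. A simple static-triage heuristic for the second point, added here as an example (it is not code from this page or from the Antidot sample), scores how many of an app’s own classes carry machine-generated-looking names. The class list, the package prefix and the vowel-ratio thresholds are all constructed assumptions; feed it the class list from a dex dump of the sample you are analysing and tune the thresholds against known-good apps.

```python
# Added example (not code from the CyberMaterial page or from the Antidot
# sample): a static-triage heuristic for "gibberish class names".
# Thresholds are assumptions; tune them on a corpus of known-good apps.
import re

VOWELS = set("aeiou")


def simple_name(fqcn: str) -> str:
    """'com.example.LoginActivity' -> 'LoginActivity'."""
    return fqcn.rsplit(".", 1)[-1]


def looks_gibberish(fqcn: str) -> bool:
    """True when the class's simple name looks machine-generated rather than
    human-chosen. Two assumed rules: one- or two-letter names (ProGuard style)
    and a vowel ratio outside the range English-like identifiers have."""
    letters = re.sub(r"[^A-Za-z]", "", simple_name(fqcn)).lower()
    if len(letters) <= 2:
        return True
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters)
    return vowel_ratio < 0.2 or vowel_ratio > 0.8


def obfuscation_ratio(class_names, app_prefix: str) -> float:
    """Fraction of the app's own classes (those under app_prefix) that look
    gibberish. Third-party libraries are excluded because legitimate apps
    routinely ship minified library code; only the app's own package is scored."""
    own = [c for c in class_names if c.startswith(app_prefix)]
    if not own:
        return 0.0
    return sum(looks_gibberish(c) for c in own) / len(own)


# Constructed class list in the shape a dex dump would give; not real sample data.
SAMPLE_CLASSES = [
    "com.example.fakeupdate.MainActivity",
    "com.example.fakeupdate.Xqzvk",
    "com.example.fakeupdate.Hsjkdfl",
    "com.example.fakeupdate.a",
    "com.example.fakeupdate.Bcdfg",
    "androidx.appcompat.app.AppCompatActivity",
    "okhttp3.a",
]

if __name__ == "__main__":
    ratio = obfuscation_ratio(SAMPLE_CLASSES, "com.example.fakeupdate.")
    for name in SAMPLE_CLASSES:
        print(f"{name:45s} gibberish={looks_gibberish(name)}")
    print(f"own-package obfuscation ratio: {ratio:.2f}")
```

A high ratio on its own is not a verdict: plenty of legitimate apps are minified, so use it as one triage signal alongside the permission set and the behaviour described in this write-up.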

Targets

Android users across various regions. After infecting a device, Antidot displays a fake Google Play update page tailored to the device’s language (including English, French, German, Portuguese, Romanian, Russian, and Spanish).

How they operate

Like other malware campaigns, this one uses phishing messages to trick users into installing it. Unsuspecting users may receive an email—or more likely a text message—that appears to come from Google, instructing them to update Google Play. The message contains a malicious link leading to the malware, which has to be sideloaded as an APK file. What is particularly interesting about this campaign is that the fake Google Play update pages are crafted in several languages, including English, German, French, Spanish, Russian, Portuguese, and Romanian. This lets the operators behind Antidot target Android users in multiple countries at once without adapting the campaign for each country.

Once installed, the malware displays another fake update page to trick victims into granting access to Android’s Accessibility Services. Access to these services gives Antidot complete control over the device, since they let the malware read what is on the victim’s screen and interact with their apps and data on their behalf.

The malware then establishes communication with its command-and-control (C2) server to receive commands. The server registers the device with a bot ID for ongoing communication. The malware sends the server a list of installed application package names, from which the server identifies target applications. For each target, the server sends an overlay injection URL (an HTML phishing page) that is displayed to the victim whenever they open the genuine application. When victims enter their credentials on this fake page, the keylogger module transmits the data to the C2 server, which is how the malware harvests credentials.

Among the commands Antidot executes are collecting SMS messages, initiating unstructured supplementary service data (USSD) requests, and remotely controlling device features such as the camera and screen lock. The malware also implements VNC (virtual network computing) on top of MediaProjection to enable remote control of infected devices, which lets the operators carry out a complete fraud chain from the victim’s own device.
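The capabilities described above (accessibility-service abuse, overlays, SMS and contact collection, call control, screen recording through MediaProjection and enumeration of installed apps) all leave traces in an APK’s manifest, which obfuscation cannot hide. The following manifest triage script is an added example and not code from this page or from the Antidot sample: it parses an `AndroidManifest.xml`, maps the real Android permission names it finds to the feature list in this write-up, and flags the banking-trojan pattern. The two manifests, the permission-to-capability grouping and the scoring rule are constructed assumptions for the example.

```python
# Added example (not code from the CyberMaterial page or from Antidot itself):
# maps manifest permissions to the capability set the write-up describes.
# The manifests below are constructed; the permission names are real Android
# permissions, but the grouping and the scoring rule are this example's own.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = f"{{{ANDROID_NS}}}name"
ATTR_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Real Android permission -> capability from the feature list (assumed grouping).
CAPABILITY_BY_PERMISSION = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attack",
    "android.permission.READ_SMS": "collecting SMS",
    "android.permission.RECEIVE_SMS": "collecting SMS",
    "android.permission.READ_CONTACTS": "collecting contacts",
    "android.permission.CALL_PHONE": "call forwarding / USSD",
    "android.permission.ANSWER_PHONE_CALLS": "call control",
    "android.permission.QUERY_ALL_PACKAGES": "installed-app enumeration",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen recording (MediaProjection)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideloading further APKs",
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
COLLECTION_CAPS = {
    "collecting SMS", "collecting contacts", "call forwarding / USSD",
    "call control", "screen recording (MediaProjection)",
}


def parse_capabilities(manifest_xml: str) -> set:
    """Return the set of capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for perm in root.iter("uses-permission"):
        name = perm.get(ATTR_NAME, "")
        if name in CAPABILITY_BY_PERMISSION:
            caps.add(CAPABILITY_BY_PERMISSION[name])
    # An accessibility service is a <service> that the system binds with
    # BIND_ACCESSIBILITY_SERVICE; that binding is what grants screen reading
    # and UI interaction, the access the write-up says Antidot tricks users into granting.
    for svc in root.iter("service"):
        if svc.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND:
            caps.add("accessibility service")
    return caps


def triage(manifest_xml: str) -> dict:
    """Assumed scoring rule: accessibility + overlay + at least one
    collection/control capability is the banking-trojan pattern."""
    caps = parse_capabilities(manifest_xml)
    pattern = ("accessibility service" in caps and "overlay attack" in caps
               and bool(caps & COLLECTION_CAPS))
    return {"capabilities": sorted(caps), "banking_trojan_pattern": pattern,
            "score": len(caps)}


# Constructed manifest shaped like the capabilities described in the write-up.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="Google Play Update">
    <service android:name=".Xqzvk" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage(manifest))
```

Run it against the manifest pulled from an APK under analysis (for example the output of an apktool decode). A match is a triage signal, not proof: legitimate accessibility tools and messaging apps request overlapping permissions, so the result should be read together with the sideloading context and the fake-update lure the write-up describes.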

MITRE tactics and techniques

Defense Evasion
  • Masquerading: Match Legitimate Name or Location (T1655.001)
  • Application Discovery (T1418)
  • Virtualization/Sandbox Evasion (T1633)
  • Indicator Removal on Host: Uninstall Malicious Application (T1630.001)
  • Input Injection (T1516)

Discovery
  • Software Discovery (T1418)
  • System Information Discovery (T1426)

Collection
  • Input Capture: Keylogging (T1417.001)
  • Screen Capture (T1513)
  • Capture Camera (T1512)
  • Audio Capture (T1429)
  • Call Control (T1616)
  • Protected User Data: Call Log (T1636.002)
  • Protected User Data: SMS Messages (T1636.004)

Exfiltration
  • Exfiltration Over C2 Channel (T1646)

References:
  • New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates