Threat intelligence company Cyble is raising the alarm on a newly identified Android banking trojan that can steal users’ credentials and conversations, as well as snoop on them.
Dubbed Antidot and spotted in early May, the malware masquerades as a Google Play update and employs overlay attacks to harvest victims’ credentials.
The malware packs a broad range of capabilities, including VNC (Virtual Network Computing), a screen sharing system that provides attackers with remote control over the infected device.
Furthermore, it can log keystrokes and record the screen, forward calls, collect contacts and SMS messages, lock and unlock the device, and perform USSD requests.
After infecting a device, Antidot displays a fake Google Play update page tailored to the device's language (English, French, German, Portuguese, Romanian, Russian, and Spanish are covered) that redirects the victim to the Accessibility settings. The goal is to have the victim enable the malware's accessibility service, which lets it read on-screen content, inject taps and gestures, and click through further permission prompts on its own.
In the background, the trojan initiates communication with the attacker-controlled server to receive commands that allow it to perform overlay attacks, unlock the device, put the device in sleep mode, open and uninstall applications, make calls, send SMS messages, collect information, initiate VNC, push notifications, and use the camera to take photos.
“The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the command-and-control (C&C) server,” Cyble explains.
Antidot can also initiate VNC to stream the screen content to the attackers, who can then act on the infected device's screen: performing swipe gestures, opening notifications, opening dialogs, and interacting with clipboard content.
The trojan also includes an overlay attack module that uses WebView to display HTML phishing pages masquerading as legitimate banking or cryptocurrency applications.
To launch overlay attacks, the malware sends the list of installed application package names to the C&C server, which responds with overlays tailored to the targeted applications it recognizes in that list. When the user attempts to open a targeted application, Antidot draws an overlay window on top of it and captures the credentials the victim types into the fake page.
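As an added triage example (not code from Cyble's report or from the malware itself): the capability profile described above, overlay windows plus an accessibility service plus SMS, call, contact and camera access, shows up as a recognizable set of declarations in a sample's manifest. The Python below parses a decoded AndroidManifest.xml (the form produced by decoding an APK with `apktool d`) and flags that combination, along with a launcher label that imitates a Play update. Both manifests embedded in the script are constructed for illustration; the package name, class names and labels are hypothetical.

```python
# Added example, not Cyble's tooling or Antidot's code: static triage of a
# decoded AndroidManifest.xml for the overlay + accessibility + SMS/call
# capability profile of an Android banker. The manifests below are
# constructed; package names, class names and labels are hypothetical.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Declared permission -> the banker capability it enables.
PERMISSION_SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlay windows (phishing pages)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP codes)",
    "android.permission.READ_SMS": "collect stored SMS messages",
    "android.permission.SEND_SMS": "send SMS from the device",
    "android.permission.CALL_PHONE": "place calls and USSD requests",
    "android.permission.READ_CONTACTS": "collect contacts",
    "android.permission.CAMERA": "take photos",
}
SMS_OR_CALL = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
               "android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def analyze_manifest(xml_text: str) -> dict:
    """Return declared capabilities and a coarse verdict for one manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")} - {None}
    findings = [PERMISSION_SIGNALS[p] for p in sorted(perms) if p in PERMISSION_SIGNALS]

    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    # Once the user enables it, the app can read screen content, inject gestures
    # and click through permission dialogs by itself.
    a11y_services = [s.get(ANDROID_NS + "name") for s in root.iter("service")
                     if s.get(ANDROID_NS + "permission") == A11Y_BIND]
    if a11y_services:
        findings.append("accessibility service (keylogging, remote control, self-granting)")

    app = root.find("application")
    label = (app.get(ANDROID_NS + "label") if app is not None else "") or ""
    impersonates = any(k in label.lower() for k in ("google play", "play store", "update"))
    if impersonates:
        findings.append(f"launcher label imitates a system/Play update: {label!r}")

    has_overlay = "android.permission.SYSTEM_ALERT_WINDOW" in perms
    if a11y_services and has_overlay and perms & SMS_OR_CALL:
        verdict = "banker-like"
    elif findings:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"package": root.get("package"), "label": label, "findings": findings,
            "accessibility_services": a11y_services,
            "impersonates_play_update": impersonates, "verdict": verdict}


# Constructed sample resembling the capability profile described in the article.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.playupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Google Play Update">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11yService" android:exported="true"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for contrast: one network permission, no overlay,
# no accessibility service, ordinary label.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for text in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(text)
        print(f"{report['package']}: {report['verdict']}")
        for f in report["findings"]:
            print("  -", f)
```

A "banker-like" verdict is a triage signal, not a conviction: legitimate accessibility tools, SMS clients and dialers declare some of the same permissions, so a hit should route the sample to dynamic analysis rather than straight to a block list. The check also says nothing about runtime behaviour; with the string obfuscation and encryption Cyble mentions, the C&C traffic and the overlay HTML are only visible once the sample is run.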
“The newly surfaced Antidot banking trojan stands out for its multifaceted capabilities and stealthy operations. Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions,” Cyble notes.
Related: Wpeeper Android Trojan Uses Compromised WordPress Sites to Shield Command-and-Control Server
Related: Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices
Related: ‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities

