Google Play Update Disguises Android Banking Trojan as Antidot

A new banking trojan targeting Google Android devices, known as “Antidot,” has been identified by the Cyble research team. The malware poses as a fake Google Play update, displaying its lure pages in several languages to reach users in different regions. Antidot combines overlay attacks with keylogging to harvest sensitive information such as login credentials.

Rupali Parate, an Android malware researcher at Cyble, explains that Antidot leverages an “accessibility” service to operate. Once installed, the malware establishes communication with its command and control server to receive instructions. The server assigns a unique bot ID to the infected device for continuous communication. Antidot sends a list of installed application package names to the server, which then identifies target applications.

One distinctive feature of Antidot is its use of WebSocket for real-time communication with the C2 server. This enables two-way interaction to execute commands, giving attackers significant control over infected devices. The malware can carry out various commands, such as collecting SMS messages, initiating USSD requests, and remotely controlling device functions like the camera and screen lock. Additionally, Antidot implements VNC using MediaProjection for remote device control.
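The capability set described in the two paragraphs above (accessibility service abuse, overlays, SMS collection, USSD requests, screen capture via MediaProjection) is visible in an APK's manifest before any code runs. The following triage heuristic is an added example, not Cyble's or Dark Reading's code: it scores a manifest for that co-occurrence. The permission names are real Android identifiers; the sample manifest and the threshold are constructed for illustration.

```python
"""Manifest triage heuristic for the banker capability mix described in the
article. Constructed example; SAMPLE_MANIFEST is made up and not a real IoC."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability label -> manifest evidence (real Android permission identifiers).
CAPABILITIES = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms_collection": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "ussd_calls": {"android.permission.CALL_PHONE"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
}

def manifest_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus android:permission on <service>
    elements: BIND_ACCESSIBILITY_SERVICE is declared on the service itself."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    return {p for p in perms if p}

def banker_capabilities(manifest_xml: str) -> list:
    """Sorted list of capability labels whose evidence appears in the manifest."""
    perms = manifest_permissions(manifest_xml)
    return sorted(cap for cap, evidence in CAPABILITIES.items() if perms & evidence)

def is_suspicious(manifest_xml: str, threshold: int = 3) -> bool:
    """Flag for analyst review when several banker-typical capabilities co-occur;
    the threshold is a constructed tuning value, not a published rule."""
    return len(banker_capabilities(manifest_xml)) >= threshold

# Constructed manifest mimicking a fake "update" dropper.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(banker_capabilities(SAMPLE_MANIFEST), is_suspicious(SAMPLE_MANIFEST))
```

Run it against a manifest extracted with apktool or aapt; a hit is a reason to look at the code, not a verdict on its own.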

The emergence of Android banking Trojans poses a significant threat as they can evade traditional security measures and access personal and financial information. These Trojans can operate discreetly in the background, making them challenging to detect while continuously extracting sensitive data, leading to potentially serious financial and privacy breaches.

The trend in mobile malware is shifting towards more sophisticated and multifaceted attacks that exploit system features and user trust. Antidot highlights this evolution, showcasing advanced obfuscation techniques, real-time C2 communication, and a combination of overlay attacks, keylogging, and VNC for remote control. This trend underscores the need to enhance security measures and raise user awareness to combat increasingly sophisticated mobile threats.

Banking Trojans like Padrino and GoldDigger are spreading globally, targeting various banking apps across numerous countries. As these threats continue to evolve and proliferate, it is crucial for users and organizations to stay vigilant and implement robust security measures to protect against mobile malware attacks.

Article Source
https://www.darkreading.com/endpoint-security/android-banking-trojan-antidot-disguised-as-google-play-update