New ‘Antidot’ Android Trojan Allows Cybercriminals to Hack Devices, Steal Data

The Antidot Android banking trojan snoops on users and steals their credentials, contacts, and SMS messages.

Threat intelligence company Cyble is raising the alarm on a newly identified Android banking trojan that can steal users’ credentials and conversations, as well as snoop on them.

Dubbed Antidot and spotted in early May, the malware masquerades as a Google Play update and employs overlay attacks to harvest victims’ credentials.

The malware packs a broad range of capabilities, including VNC (Virtual Network Computing), a screen sharing system that provides attackers with remote control over the infected device.

Furthermore, it can log keystrokes and record the screen, forward calls, collect contacts and SMS messages, lock and unlock the device, and perform USSD requests.

After infecting a device, Antidot displays a fake Google Play update page tailored to the device’s language (including English, French, German, Portuguese, Romanian, Russian, and Spanish). The page redirects the victim to the Accessibility settings to trick them into enabling the malware’s accessibility service, which lets it read on-screen content and inject input on the victim’s behalf.

In the background, the trojan initiates communication with the attacker-controlled server to receive commands that allow it to perform overlay attacks, unlock the device, put the device in sleep mode, open and uninstall applications, make calls, send SMS messages, collect information, initiate VNC, push notifications, and use the camera to take photos.

“The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the command-and-control (C&C) server,” Cyble explains.

Antidot can also start a VNC session to stream the screen content to the attackers, who can then act directly on the infected device’s screen: perform swipe gestures, open notifications, open dialogs, and interact with clipboard content.


The trojan also includes an overlay attack module that uses WebView to display HTML phishing pages masquerading as legitimate banking or cryptocurrency applications.

To launch overlay attacks, the malware sends a list of application package names to the C&C server, which responds with overlays tailored for the identified targeted applications. When the user attempts to open a target application, Antidot creates an overlay window and captures the victim’s credentials.
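The capability list above (accessibility prompt, overlay windows, SMS and contact collection, calls and USSD, camera, MediaProjection screen capture, device lock) maps onto a small set of manifest declarations, which is what a responder checks first when triaging a suspect APK. The following is an added example, not code from the article or from Cyble’s report: it scores a decoded AndroidManifest.xml (as produced by apktool, for instance) against that profile and parses the device-side `settings get secure enabled_accessibility_services` output to spot an unexpected enabled service. The permission-to-capability mapping, the heuristic, and the sample manifests and settings value are assumptions constructed for illustration, not indicators from the report.

```python
"""Triage an Android manifest for the banking-trojan capability profile and
parse the device's enabled accessibility services. Added example; the mapping,
heuristic and sample inputs are constructed assumptions, not Cyble's IoCs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping from manifest permissions to the capabilities the article lists.
CAPABILITY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlay windows over other apps",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "collect contacts",
    "android.permission.CALL_PHONE": "place calls and dial USSD codes",
    "android.permission.CAMERA": "take photos",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION":
        "keep a MediaProjection screen-capture service in the foreground",
}


def android_attr(name):
    """Attribute key as ElementTree sees android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


def analyze_manifest(manifest_xml):
    """Extract the declarations that matter for a banking-trojan profile."""
    root = ET.fromstring(manifest_xml)
    a_name, a_perm, a_fgtype = (android_attr(x) for x in ("name", "permission", "foregroundServiceType"))
    requested = {p.get(a_name) for p in root.iter("uses-permission")}
    report = {
        "package": root.get("package"),
        "capabilities": {p: why for p, why in CAPABILITY_PERMISSIONS.items() if p in requested},
        # An enabled accessibility service can read screen content and inject
        # taps and swipes: the lever behind the fake update prompt and VNC control.
        "accessibility_services": [],
        "media_projection_services": [],
        # A device-admin receiver lets the app lock the screen on command.
        "device_admin_receivers": [],
    }
    for svc in root.iter("service"):
        if svc.get(a_perm) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            report["accessibility_services"].append(svc.get(a_name))
        if "mediaProjection" in (svc.get(a_fgtype) or ""):
            report["media_projection_services"].append(svc.get(a_name))
    for rcv in root.iter("receiver"):
        if rcv.get(a_perm) == "android.permission.BIND_DEVICE_ADMIN":
            report["device_admin_receivers"].append(rcv.get(a_name))
    return report


def is_banking_trojan_profile(report):
    """Heuristic: accessibility service + overlay permission + a data-theft permission."""
    caps = report["capabilities"]
    steals = any(p in caps for p in ("android.permission.READ_SMS",
                                     "android.permission.RECEIVE_SMS",
                                     "android.permission.READ_CONTACTS"))
    return bool(report["accessibility_services"]) and "android.permission.SYSTEM_ALERT_WINDOW" in caps and steals


def parse_enabled_accessibility_services(settings_value):
    """Parse the value of `adb shell settings get secure enabled_accessibility_services`:
    a colon-separated list of package/class component names, or "null" when none is enabled."""
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [tuple(entry.split("/", 1)) for entry in value.split(":") if "/" in entry]


# Constructed sample: a manifest shaped like a fake "Google Play update" dropper.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application android:label="Google Play update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".CaptureService" android:foregroundServiceType="mediaProjection"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Constructed sample of an ordinary app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for xml in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        r = analyze_manifest(xml)
        print(r["package"], "-> banking trojan profile:", is_banking_trojan_profile(r))
        for p, why in r["capabilities"].items():
            print("   ", p, "->", why)
    # Constructed settings value: the suspect service enabled next to a screen reader.
    print(parse_enabled_accessibility_services(
        "com.example.fakeupdate/.AccService:com.example.screenreader/.ReaderService"))
```

The manifest heuristic flags the combination rather than any single permission, since legitimate screen readers and password managers also declare accessibility services; the device-side check is the one that tells you whether the victim actually enabled the service after the fake update prompt.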

“The newly surfaced Antidot banking trojan stands out for its multifaceted capabilities and stealthy operations. Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions,” Cyble notes.

Related: Wpeeper Android Trojan Uses Compromised WordPress Sites to Shield Command-and-Control Server

Related: Powerful ‘Brokewell’ Android Trojan Allows Attackers to Takeover Devices

Related: ‘Vultur’ Android Malware Gets Extensive Device Interaction Capabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
