AntiDot 3-in-1 Android Botnet Malware Enables Complete Remote Control of Infected Devices

Security researchers have uncovered the growing threat posed by the “AntiDot” Android botnet malware, a new multi-stage Malware-as-a-Service (MaaS) that grants cybercriminals comprehensive, real-time remote control over compromised devices.

Traded across underground forums and operated by the threat actor known as LARVA-398, AntiDot has rapidly gained traction due to its bundled loader, packer, and botnet infrastructure, all designed to make infection, persistence, and remote exploitation simple and effective.

Infection Process

AntiDot is written in Java and relies on heavy code obfuscation combined with commercial packers to evade mobile antivirus tools and resist both static and dynamic analysis.

On first launch, samples masquerade as benign app updates, frequently named “Update.apk”, and immediately prompt the user to enable an accessibility service under the guise of a system update.

Figure: Fake update/loading bar.

Once the accessibility service is granted, AntiDot decrypts and dynamically loads additional DEX files, activating its full suite of botnet capabilities.

Obfuscating the class names declared in AndroidManifest.xml further complicates detection and reverse engineering, since the core components exist only as encrypted blobs in the package and are decrypted and executed at runtime.
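The loading pattern described above leaves static traces that a triage script can look for before any dynamic analysis: references to Android's runtime class loaders inside the primary classes.dex, DEX files hidden under non-standard names, and high-entropy assets that are likely encrypted payloads. The script below is an added example written for this article, not code from the AntiDot report or from any vendor tool. The loader class names are the real Android API classes; the APK it inspects is constructed inline so the example runs offline, and the entropy threshold is a heuristic choice.

```python
"""Static triage of an APK for dynamic-code-loading and packer indicators.

Added example for this article (not from the AntiDot report). The APK is
constructed in memory; the indicator strings are real Android class names.
"""
import io
import math
import random
import re
import zipfile

DEX_MAGIC = b"dex\n"                      # every DEX file starts with "dex\n0NN\0"
LOADER_REFS = (                           # class-loader APIs used to load code at runtime
    b"dalvik/system/DexClassLoader",
    b"dalvik/system/InMemoryDexClassLoader",
    b"dalvik/system/PathClassLoader",
    b"dalvik/system/BaseDexClassLoader",
)
ENTROPY_THRESHOLD = 7.5                   # bits/byte; encrypted or random data sits near 8.0
ALREADY_COMPRESSED = (".png", ".jpg", ".jpeg", ".webp", ".ogg", ".mp3", ".mp4", ".zip")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes) -> dict:
    """Return indicator lists plus an overall 'suspicious' verdict for one APK."""
    findings = {"loader_refs": [], "hidden_dex": [], "high_entropy": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            if re.fullmatch(r"classes\d*\.dex", name):
                # Primary code: look for the class-loader APIs by their descriptor strings.
                findings["loader_refs"].extend(
                    ref.decode() for ref in LOADER_REFS if ref in data)
                continue
            if data.startswith(DEX_MAGIC):
                # A DEX file not named classes*.dex is almost always a dropped stage.
                findings["hidden_dex"].append(name)
            elif (name.startswith(("assets/", "res/raw/"))
                  and not name.lower().endswith(ALREADY_COMPRESSED)
                  and len(data) >= 1024
                  and shannon_entropy(data) > ENTROPY_THRESHOLD):
                # Large, near-random asset: candidate for an encrypted payload.
                findings["high_entropy"].append(name)
    # Loader API plus a payload-like asset is the combination worth a closer look.
    findings["suspicious"] = bool(
        findings["loader_refs"] and (findings["hidden_dex"] or findings["high_entropy"]))
    return findings


def build_sample_apk() -> bytes:
    """Constructed test input: a minimal APK-shaped zip with packer-like traits."""
    rng = random.Random(1)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 60)  # fake binary XML
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32
                    + b"Ldalvik/system/DexClassLoader;" + b"\x00" * 16)
        zf.writestr("assets/update.bin", DEX_MAGIC + b"035\x00" + b"\x00" * 100)  # hidden DEX
        zf.writestr("assets/config.dat", bytes(rng.getrandbits(8) for _ in range(4096)))
        zf.writestr("res/raw/readme.txt", b"benign plain text " * 200)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    apk = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_apk()
    for key, value in triage_apk(apk).items():
        print(f"{key}: {value}")
```

Run it with a real APK path as the first argument; with no argument it triages the constructed sample. None of these indicators is conclusive on its own (legitimate apps use DexClassLoader for plugins and ship compressed assets), which is why the verdict requires the loader reference together with a payload-like entry.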

The botnet’s command-and-control (C2) infrastructure is robust and dynamic, using the WebSocket protocol for high-frequency, real-time bidirectional communication.

According to the report, researchers have tracked at least 11 active C2 servers coordinating over 3,775 infected devices across more than 270 distinct campaigns.

These C2 servers stay under the radar of most commercial security solutions, and the associated domains (“gates”) are largely absent from standard threat-intelligence blocklists.

The C2 panel, built on MeteorJS, offers live monitoring, granular per-device control, and campaign segmentation.

Once resident, AntiDot can execute a diverse set of commands on the victim device, including but not limited to: screen recording, real-time keylogging, SMS interception and manipulation, exfiltration of app logs, contacts, and notification data, and even complete device lockout.

These operations are conducted stealthily, leveraging accessibility service abuse to simulate user actions, bypass security dialogs, and suppress notifications that might alert users to unauthorized activity.

Advanced Attack Techniques

A distinguishing feature of AntiDot is its sophisticated overlay and WebView injection system.

Figure: Forum post describing the botnet developer’s behaviour after selling.

It dynamically retrieves target application lists, typically focused on financial, payment, or cryptocurrency apps, from its C2 server.

When a targeted app is launched, the malware injects custom-crafted phishing overlays, cloned from the legitimate app’s interface, to solicit sensitive credentials.

This includes a predefined template for harvesting Google account credentials, exploiting how widely Google sign-in is used as a single sign-on method.

Furthermore, AntiDot aggressively seeks the default SMS and call-screening roles, automating the permission grants by clicking through the system dialogs with its accessibility service.

This enables hijacking of SMS-based two-factor authentication flows and surreptitious control over call activity, including interception or redirection.
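The two conditions described above, an unexpected accessibility service and a changed default SMS handler, are both visible in device settings that can be read over adb, so a fleet administrator can check for them without any malware-specific signature. The script below is an added example written for this article, not part of the report; the two `settings get secure` keys are real Android settings, while the allowlists, the `com.update.system` package name and the sample values are constructed for the demonstration. The call-screening role is assigned through Android's RoleManager and is not covered here.

```python
"""Device posture check for accessibility-service and default-SMS takeover.

Added example for this article (not from the AntiDot report). Reads two real
Android settings over adb; allowlists and sample values are constructed.
"""
import subprocess
from dataclasses import dataclass, field

# Constructed allowlists for a hypothetical managed fleet; adjust to your estate.
ALLOWED_A11Y_PACKAGES = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
    "com.android.switchaccess",
}
EXPECTED_SMS_PACKAGES = {"com.google.android.apps.messaging"}


@dataclass
class PostureResult:
    unexpected_a11y: list = field(default_factory=list)   # enabled services not on the allowlist
    sms_default: str = ""                                 # current default SMS package
    sms_hijacked: bool = False

    def clean(self) -> bool:
        return not self.unexpected_a11y and not self.sms_hijacked


def parse_component_list(value: str) -> list:
    """Parse the colon-separated ComponentName list Android stores in
    enabled_accessibility_services; 'null' or empty means nothing enabled."""
    value = (value or "").strip()
    if value in ("", "null"):
        return []
    return [c for c in value.split(":") if c]


def assess(a11y_value: str, sms_default_value: str,
           allowed_a11y=ALLOWED_A11Y_PACKAGES,
           expected_sms=EXPECTED_SMS_PACKAGES) -> PostureResult:
    """Flag accessibility services outside the allowlist and a foreign default SMS app."""
    result = PostureResult()
    for component in parse_component_list(a11y_value):
        package = component.split("/", 1)[0]   # "pkg/Class" or "pkg/.Class" -> pkg
        if package not in allowed_a11y:
            result.unexpected_a11y.append(component)
    sms_pkg = (sms_default_value or "").strip()
    result.sms_default = "" if sms_pkg == "null" else sms_pkg
    result.sms_hijacked = bool(result.sms_default) and result.sms_default not in expected_sms
    return result


def adb_secure_setting(key: str, serial: str = None) -> str:
    """Run `adb shell settings get secure <key>` against one device."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + ["shell", "settings", "get", "secure", key]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout.strip()


def assess_device(serial: str = None) -> PostureResult:
    """Live check of a connected device (requires adb and USB debugging)."""
    return assess(adb_secure_setting("enabled_accessibility_services", serial),
                  adb_secure_setting("sms_default_application", serial))


# Constructed sample values resembling an infected device: TalkBack plus an
# unknown "system update" service, and the same unknown package as SMS handler.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.update.system/.core.AccessService")
SAMPLE_SMS = "com.update.system"

if __name__ == "__main__":
    r = assess(SAMPLE_A11Y, SAMPLE_SMS)
    print("unexpected accessibility services:", r.unexpected_a11y)
    print("default SMS app:", r.sms_default, "(hijacked)" if r.sms_hijacked else "")
```

Run `assess_device()` in a loop over `adb devices` output to sweep a fleet; any hit on an accessibility service whose package also holds the SMS role matches exactly the combination the report describes and deserves immediate isolation of the device.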

The threat actors behind AntiDot demonstrate regional and linguistic targeting, distributing payloads primarily through malicious ad networks and, in some campaigns, through highly localized and tailored phishing lures.

The operator-facing dashboard offers full visibility and remote management of each infected device.

It presents real-time reconstructed device screens, access to logs (SMS, keystrokes, notifications, app data), and the ability to send bespoke commands for further exploitation of the device.

Overlay templates, phishing injects, and operational parameters can be customized dynamically per campaign, with analytic panels providing insights into successful infection vectors and popular targeted applications.

AntiDot exemplifies the ongoing evolution of Android malware toward modular, highly configurable MaaS ecosystems.

Its technical complexity, spanning advanced evasion, remote control, and phishing automation, makes it a formidable risk to both enterprise and individual users, particularly in regions prone to targeted campaigns.

Security professionals are urged to monitor indicators related to AntiDot’s unique infrastructure, update defenses against accessibility and overlay abuse, and educate users about the risks posed by unsolicited app updates and permission requests.

As the malware’s infrastructure remains largely unflagged in public databases, heightened vigilance is paramount to detect and disrupt its expanding footprint.


Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
