Beware! Android Banking Trojan Mimics Google Play Updates

Researchers discovered a new Android banking trojan named Antidot that disguises itself as a Google Play update and utilizes overlay attacks and keylogging to steal sensitive information from compromised devices. 

Antidot communicates with its command and control server through WebSocket to receive instructions in real-time. 

These instructions can involve stealing SMS messages, making unauthorized calls, and even remotely controlling the device’s camera and screen lock. To achieve remote control, Antidot implements VNC using MediaProjection. 

Mentions of “Antidot” strings in malware source code 

A new Android banking trojan named Antidot was discovered on May 6, 2024, which uses overlay attacks to steal credentials and has various functionalities, including VNC, keylogging, screen recording, and remote control of device features. 

Fake update pages crafted in different languages

The Antidot Android Trojan establishes communication with its control center using a combination of HTTP and WebSocket protocols, and utilizes the Socket.io library to enable real-time, two-way data exchange. 

The malware initiates contact by sending “ping” messages with Base64-encoded data to the server, which responds with “pong” messages containing commands in plain text; the Trojan then executes those commands.

This continuous exchange of “ping” and “pong” messages maintains the connection and allows the attacker to remotely control the infected device. 

First ping message to the server 

Upon gaining accessibility service privileges, the malware initiates contact with the C&C server by sending an initial message encoded in Base64 that contains the malware’s name, version, device information (model, manufacturer, locale), and a list of installed apps. 

The server responds with a unique bot ID for the infected device, and during communication, the malware retrieves three additional C&C server URLs, establishing redundancy in case the primary server becomes unavailable. 

Pong message with bot ID 

The Antidot Banking Trojan communicates with its C&C server to receive commands and send back information; via VNC it can capture the infected device’s screen and perform actions on it remotely. 

It also steals user credentials through overlay attacks, and when launched, the malware sends a list of installed apps to the C&C server. The server then identifies target apps and sends instructions to Antidot to inject phishing webpages into these apps when they are opened. 

Getting injections from the server 

According to Cyble, the Antidot Android Banking Trojan utilizes keylogging in conjunction with its overlay attack to steal credentials. When the victim types, the malware transmits the keystrokes encoded in Base64 using a “getKeys” command along with a timestamp and application name. 
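To make the C&C exchange described above concrete for analysts, here is an added triage helper (not code from Cyble or from the article) that walks a captured sequence of WebSocket frames shaped like the ping/pong exchange: it decodes the Base64 body of each “ping”, flags the initial check-in (name, version, device info, installed apps), the plain-text “pong” commands (bot ID, backup C&C URLs, injection target, “SOS”), and the “getKeys” keystroke exfiltration. The event names “ping”/“pong” and the “getKeys” and “SOS” commands come from the article; every field name, command syntax and sample value below is an assumption constructed for this example, not Antidot’s real wire format.

```python
"""Triage helper for captured frames resembling the Antidot ping/pong exchange.
Wire format, field names and sample values are constructed assumptions."""
import base64
import binascii
import json


def _b64(obj):
    """Wrap a dict the way the bot is said to wrap ping data: JSON, then Base64."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample capture; hostnames use the reserved .invalid TLD.
SAMPLE_FRAMES = [
    {"event": "ping", "data": _b64({
        "name": "Antidot", "version": "1.0",
        "model": "Pixel 6", "manufacturer": "Google", "locale": "en_US",
        "apps": ["com.example.bank", "com.android.chrome", "com.example.wallet"],
    })},
    {"event": "pong", "data": "bot_id=4f2c9a"},
    {"event": "pong", "data": "servers=wss://c2-backup-1.invalid,"
                              "wss://c2-backup-2.invalid,wss://c2-backup-3.invalid"},
    {"event": "pong", "data": "inject=com.example.bank"},
    {"event": "ping", "data": _b64({
        "command": "getKeys", "app": "com.example.bank", "ts": 1715000000,
        "keys": base64.b64encode(b"user1234").decode(),
    })},
    {"event": "pong", "data": "SOS"},
]


def decode_ping(data):
    """Decode the Base64-wrapped JSON of a ping; return None if it is not one."""
    try:
        return json.loads(base64.b64decode(data, validate=True))
    except (binascii.Error, ValueError):
        return None


def analyze_frames(frames):
    """Return one finding dict per frame, in capture order.

    Keystrokes are never copied into findings, only counted, so the output
    can be shared without re-exposing whatever the victim typed."""
    findings = []
    for frame in frames:
        event, data = frame.get("event"), frame.get("data", "")
        if event == "ping":
            body = decode_ping(data)
            if body is None:
                findings.append({"type": "undecodable_ping"})
            elif body.get("command") == "getKeys":
                try:
                    keys = base64.b64decode(body.get("keys", ""), validate=True)
                except (binascii.Error, ValueError):
                    keys = b""
                findings.append({"type": "keylog_exfil", "app": body.get("app"),
                                 "ts": body.get("ts"), "chars": len(keys)})
            elif "apps" in body:
                findings.append({"type": "checkin", "bot": body.get("name"),
                                 "version": body.get("version"),
                                 "device": f"{body.get('manufacturer')} {body.get('model')}",
                                 "locale": body.get("locale"),
                                 "app_count": len(body["apps"])})
            else:
                findings.append({"type": "ping", "fields": sorted(body)})
        elif event == "pong":
            # Server commands arrive in plain text; "name=value" is assumed.
            cmd, _, arg = data.partition("=")
            if cmd == "bot_id":
                findings.append({"type": "bot_registered", "bot_id": arg})
            elif cmd == "servers":
                findings.append({"type": "backup_c2", "urls": arg.split(",")})
            elif cmd == "inject":
                findings.append({"type": "overlay_target", "app": arg})
            elif cmd == "SOS":
                findings.append({"type": "abort"})
            else:
                findings.append({"type": "command", "command": cmd, "arg": arg})
    return findings


if __name__ == "__main__":
    for finding in analyze_frames(SAMPLE_FRAMES):
        print(finding)
```

On a real capture the frames would come from a proxy or packet capture rather than the inline list, and the parsing branches would be adjusted to the format actually observed; the useful part is the shape of the output, which turns one opaque Base64 blob per frame into a timeline of check-in, registration, backup infrastructure, overlay target and keystroke exfiltration events that can be fed into blocklists or alerts.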

After gaining access to accessibility services, the malware sends device data and installed app package names.

If the target is incorrect, the server transmits an “SOS” command, prompting the malware to display a dialog box instructing the victim to uninstall the app and terminating further communication. 

Kaaviya (https://cyberpress.org/) is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
