EHA

Antidot Malware Targets Employee Androids with Malicious Payloads


A sophisticated phishing campaign, disguised as legitimate job offers, is distributing a new variant of the Antidot banking Trojan, named AppLite Banker. 

It is delivered through a malicious dropper app, targets Android devices, and enables extensive malicious activities, including credential theft for banking, cryptocurrency, and other critical applications. 

The attackers can potentially gain unauthorized access to sensitive corporate data and applications, posing a significant threat to both individual users and organizations.

Figure: Website used to distribute the malware.

Recent phishing campaigns have employed sophisticated social engineering tactics, leveraging the impersonation of recruiters and HR representatives from well-known organizations.

Malicious emails lure victims into downloading a seemingly legitimate CRM Android application, which acts as a dropper for the primary payload. 

The attacks target various verticals, including corporations and educational institutions, and the attackers use a network of malicious domains, likely propagated through social engineering, to distribute the malicious APKs.

A threat actor posing as HR representatives from reputable companies sends phishing emails with fraudulent job offers that lure victims to malicious landing pages, where they are tricked into downloading a malicious dropper application.

Once installed, this dropper secretly delivers the AppLite banking trojan onto the victim's device, allowing the attacker to steal sensitive financial information and potentially execute other malicious actions.

ZIP manipulation

The campaign uses a new malware technique involving ZIP file and Android Manifest manipulation: the malicious actors alter ZIP file flags to falsely indicate that entries are encrypted, which hinders analysis tools such as JADX.
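As an added triage example (not code from the article or from Zimperium's report), the script below parses an APK's ZIP central directory by hand and reports entries whose general-purpose flag falsely claims encryption, then shows that Python's own zipfile module refuses such an entry, which illustrates the tool-hindering effect described above. The APK-like archive, its entries and the package name are constructed for the demo and are not real malware.

```python
import io
import struct
import zipfile

ZIP_FLAG_ENCRYPTED, CENTRAL_DIR_SIG, EOCD_SIG = 0x0001, b"PK\x01\x02", b"PK\x05\x06"

def _central_directory(data: bytes):
    """Yield (name, central_header_pos, local_header_pos), parsed by hand, not via zipfile."""
    eocd = data.rfind(EOCD_SIG)  # end-of-central-directory record
    if eocd < 0:
        raise ValueError("no end-of-central-directory record: not a ZIP/APK")
    count, _cd_size, pos = struct.unpack_from("<HII", data, eocd + 10)
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_DIR_SIG:
            raise ValueError(f"bad central directory header at {pos:#x}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        yield data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace"), pos, local_off
        pos += 46 + name_len + extra_len + comment_len

def find_encryption_flagged_entries(data: bytes) -> list[str]:
    """Entries whose central or local header sets bit 0 ('encrypted'); never legitimate in an APK."""
    flagged = []
    for name, cd_pos, local_off in _central_directory(data):
        cd_flags = struct.unpack_from("<H", data, cd_pos + 8)[0]
        local_flags = struct.unpack_from("<H", data, local_off + 6)[0]
        if (cd_flags | local_flags) & ZIP_FLAG_ENCRYPTED:
            flagged.append(name)
    return flagged

def zipfile_can_read_manifest(data: bytes) -> bool:
    """What a zipfile-based analysis tool sees: the flagged entry is refused outright."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).read("AndroidManifest.xml")
        return True
    except RuntimeError:  # "File ... is encrypted, password required"
        return False

def build_sample_apk(tamper: bool) -> bytes:
    """Constructed APK-like ZIP for the demo (not real malware); tamper=True sets the bogus bit."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest package='example.dropper'/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(16))
    data = bytearray(buf.getvalue())
    for name, cd_pos, local_off in _central_directory(bytes(data)):
        if tamper and name == "AndroidManifest.xml":  # mirror the trick in both headers
            data[cd_pos + 8] |= ZIP_FLAG_ENCRYPTED
            data[local_off + 6] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)
```

Running `find_encryption_flagged_entries` over a real APK before handing it to a decompiler is a cheap way to catch this trick; a hit means the tool's failure is deliberate rather than a corrupt download.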

Once installed, the malware masquerades as a legitimate app, tricking users into installing a harmful update disguised as a Google Play Store app. This update, the Antidot banking trojan, leverages Accessibility Services permissions to gain control over the device and execute malicious actions.

Figure: Layouts shown to the user after installation.

The malware utilizes WebSockets for real-time, two-way communication with its C&C server. Beyond standard commands to steal data and control the device, new variants boast functionalities like bypassing lock screens and capturing credentials through a fake lock screen overlay. 

Attackers can now steal SMS messages, make calls, and even initiate VNC sessions for complete remote control over the compromised device, and they steal user credentials by leveraging deceptive overlays and injecting malicious JavaScript.

It targets 172 apps, including banking and social media apps, and can also capture the device screen, interact with the lock screen, and unlock the device using the Accessibility Service.

Figure: Code used by the malware to steal the unlock data.

The Zimperium report describes a new variant of banker malware that targets users proficient in English, Spanish, French, German, Italian, Portuguese, and Russian, going after the banking, cryptocurrency, and finance apps installed on the victims' devices.

It steals a variety of data, including login credentials, SMS messages, call logs, and contact lists; achieves persistence by registering a broadcast receiver for SMS events; and can uninstall itself to evade detection.
