
Watch Out, Android Fans: Banking Malware Masquerading as Google Play Update


A new and sophisticated banking malware known as “Antidot” has been discovered targeting Android users by masquerading as a Google Play update. This alarming threat, identified by Cyble Research and Intelligence Labs (CRIL), poses significant risks to user privacy and financial security.

The Emergence of Antidot

First detected in early May 2024, Antidot has been spreading rapidly by disguising itself as a legitimate Google Play update. The malware displays fake update pages in multiple languages, including English, German, French, Spanish, Portuguese, Russian, and Romanian, indicating its wide-ranging target scope.

How Antidot Operates

Upon installation, Antidot prompts users to grant Accessibility service permissions, a common tactic among Android banking Trojans. This permission allows the malware to execute a variety of malicious activities, such as:

  • Overlay Attacks: Antidot uses overlay techniques to create fake windows that mimic legitimate banking and cryptocurrency apps. When users enter their credentials into these overlays, the information is captured and sent to the attackers.
  • Keylogging and Screen Recording: The malware records keystrokes and captures screen content, which is then transmitted to the command-and-control (C&C) server controlled by the attackers.
  • Remote Control via VNC: Utilizing the MediaProjection feature, Antidot enables remote control of infected devices, allowing attackers to perform actions like swiping, tapping, and accessing applications.
  • Data Collection: Antidot can collect contacts, SMS messages, and perform USSD requests. It can also forward calls and manipulate device settings such as locking and unlocking the screen.

Technical Capabilities

Antidot’s sophisticated features make it a formidable threat. It communicates with its C&C server via WebSocket, enabling real-time, bidirectional interaction for executing commands. These commands include collecting SMS messages, initiating USSD requests, remotely controlling device features, and more. The malware’s ability to perform such a wide range of tasks underscores its potential for extensive data theft and device manipulation.
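As an added defender-side example (not code from the article or from CRIL's report), the script below parses constructed `adb shell dumpsys package` output together with the `enabled_accessibility_services` setting and flags apps that were not installed through Google Play yet combine an enabled accessibility service with the overlay, SMS and call permissions the capabilities described above rely on. The dumpsys layout, the sample packages and the flagging rule are assumptions for illustration.

```python
import re
# Real Android permission strings grouped by the Antidot capability they enable;
# the grouping and the "flag" rule below are an assumed triage heuristic.
CAPABILITY_PERMS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_ussd": {"android.permission.CALL_PHONE"},
}
PLAY_INSTALLER = "com.android.vending"
# Constructed sample in the style of `adb shell dumpsys package` (layout assumed).
SAMPLE_DUMPSYS = """\
  Package [com.bank.legit] (1a2b3c):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
  Package [com.update.playservice] (4d5e6f):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
      android.permission.CALL_PHONE
"""
# Constructed value of `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y = "com.update.playservice/.AccService:com.google.android.marvin.talkback/.TalkBackService"
def parse_dumpsys(text):
    # Returns {package: {"installer": str|None, "perms": set}} from dumpsys-style text.
    pkgs, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*Package \[(\S+)\]", line):
            cur = pkgs.setdefault(m.group(1), {"installer": None, "perms": set()})
        elif cur and (m := re.match(r"\s*installerPackageName=(\S+)", line)):
            cur["installer"] = None if m.group(1) == "null" else m.group(1)
        elif cur and re.match(r"\s*android\.permission\.\w+$", line):
            cur["perms"].add(line.strip())
    return pkgs

def accessibility_packages(setting):
    # The setting is a ':'-separated list of ComponentNames (package/service).
    return {c.split("/")[0] for c in setting.split(":") if c}

def triage(dumpsys_text, a11y_setting):
    # Flag packages that combine an enabled accessibility service with overlay,
    # SMS or call permissions and were not installed through Google Play.
    flagged, a11y = {}, accessibility_packages(a11y_setting)
    for pkg, info in parse_dumpsys(dumpsys_text).items():
        caps = sorted(c for c, p in CAPABILITY_PERMS.items() if info["perms"] & p)
        if pkg in a11y and caps and info["installer"] != PLAY_INSTALLER:
            flagged[pkg] = caps
    return flagged
```

Running `triage` over the sample flags only `com.update.playservice`; a legitimate accessibility app such as TalkBack is not flagged because it lacks the overlay, SMS and call permissions.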

Mitigation Strategies

To protect against this and similar threats, Android users should follow these security best practices:

  1. Install Apps from Trusted Sources: Only download and install applications from official stores like Google Play.
  2. Use Reputable Security Software: Employ antivirus and internet security solutions to detect and mitigate malware.
  3. Enable Google Play Protect: This feature helps identify and remove malicious apps from your device.
  4. Review App Permissions: Carefully examine the permissions requested by apps before granting access.
  5. Stay Vigilant: Be cautious of links received via SMS or email, and avoid clicking on suspicious links.

The Antidot Android banking Trojan highlights the evolving threat landscape faced by Android users. Its advanced capabilities and stealthy operations make it a significant danger to user security. By staying informed and following recommended security practices, users can better protect themselves from falling victim to such malicious threats.
