Android Banking Trojan Antidot Disguised as Google Play Update

Antidot uses overlay attacks and keylogging to target users' financial data.

[Image: a digital Trojan horse made from 1s and 0s. Source: the lightwriter via Alamy Stock Photo]

Editor's Note: This article was updated on 5/22/2024 with comments from Google.

A banking Trojan impacting Google Android devices, dubbed "Antidot" by the Cyble research team, has emerged, disguising itself as a Google Play update.

The malware displays fake Google Play update pages in multiple languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English, indicating potential targets in these regions. 

Antidot uses overlay attacks and keylogging techniques to efficiently harvest sensitive information such as login credentials.

Overlay attacks draw a fake interface on top of a legitimate app so that the user types credentials into the attacker's page rather than the real one; keylogging captures every keystroke the user makes, so the malware also collects passwords and other sensitive input entered outside the overlay.

Rupali Parate, Android malware researcher for Cyble, explains that Antidot depends on an Android Accessibility service to function: the accessibility permission is what lets it read screen content and act on the user's behalf.

Once installed and granted that permission by the victim, the malware connects to its command-and-control (C2) server to receive commands. The server registers the device under a bot ID that is used for all subsequent communication.
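Because the whole chain hinges on a sideloaded app being granted an accessibility service, one practical triage step on a suspect device is to list which packages currently hold an enabled accessibility service and cross-check them against the installer that placed them on the device. The following is an added example written for this page, not code from Cyble or from the Antidot analysis. It parses the output of two real `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -3 -i`); the sample outputs, the `com.example.*` package names and the `find_suspicious` / `Finding` names are constructed for illustration.

```python
"""Triage check: third-party Android apps holding an enabled accessibility
service, flagged more strongly when they were not installed by Google Play.

Run the two adb commands on the device and feed their output in; the
constants below are constructed sample output standing in for that."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# The setting is a colon-separated list of <package>/<ServiceClass> entries,
# or the literal string "null" when no service is enabled.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService:"
    "com.example.messenger/com.example.messenger.AutofillService"
)

# Constructed sample of: adb shell pm list packages -3 -i
# -3 limits the list to third-party packages, -i appends the installer package.
SAMPLE_PM_LIST = """\
package:com.example.fakeupdate  installer=null
package:com.example.messenger  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
"""

PLAY_STORE_INSTALLER = "com.android.vending"  # Google Play's package name


def parse_enabled_services(raw: str) -> dict[str, list[str]]:
    """Map package name -> enabled accessibility service classes."""
    services: dict[str, list[str]] = {}
    for entry in raw.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkg, _, cls = entry.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


_PM_LINE = re.compile(r"^package:(\S+)(?:\s+installer=(\S+))?")


def parse_pm_list(raw: str) -> dict[str, Optional[str]]:
    """Map third-party package name -> installer package (None if unknown/sideloaded)."""
    installers: dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.group(1), m.group(2)
        installers[pkg] = None if installer in (None, "null") else installer
    return installers


@dataclass
class Finding:
    package: str
    services: list[str]
    installer: Optional[str]
    reasons: list[str]


def find_suspicious(services_raw: str, pm_raw: str,
                    allowlist: frozenset[str] = frozenset()) -> list[Finding]:
    """Flag third-party packages with an enabled accessibility service.

    System packages (absent from the -3 list, e.g. TalkBack) are skipped;
    a package not installed by Google Play gets an extra 'sideloaded' reason,
    which is the profile the article describes for the fake update app."""
    enabled = parse_enabled_services(services_raw)
    installers = parse_pm_list(pm_raw)
    findings: list[Finding] = []
    for pkg, classes in enabled.items():
        if pkg in allowlist or pkg not in installers:
            continue
        reasons = ["third-party app holds an enabled accessibility service"]
        installer = installers[pkg]
        if installer != PLAY_STORE_INSTALLER:
            reasons.append(f"not installed by Google Play (installer={installer})")
        findings.append(Finding(pkg, classes, installer, reasons))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_LIST):
        print(f"{f.package}: {'; '.join(f.reasons)}")
        for svc in f.services:
            print(f"    service {svc}")
```

On a real device, replace the two constants with the captured command output. An app that appears with both reasons is worth pulling (`adb pull` of its APK via `pm path`) for further analysis; a Play-installed app with an accessibility service is usually legitimate but still deserves a glance if the user does not recognise it.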

The malware sends a list of installed application package names to the server, which identifies target applications.

"Significant Control Over Infected Devices"

Upon identifying a target, the server sends an overlay injection URL (an HTML phishing page) that is displayed to the victim whenever they open the genuine application.

When victims enter their credentials on this fake page, the keylogger module transmits the data to the C2 server, allowing the malware to harvest credentials.

"What sets Antidot apart is its use of WebSocket to maintain communication with its [C2] server," Parate says. "This enables real-time, bidirectional interaction for executing commands, giving the attackers significant control over infected devices."

Among the commands executed by Antidot are the collection of SMS messages, initiation of unstructured supplementary service data (USSD) requests, and remote control of device features such as the camera and screen lock. 

The malware also implements VNC-style remote control using Android's MediaProjection API, which captures the device screen, further amplifying its threat potential.

Remote control of infected devices over virtual network computing (VNC) lets attackers execute a complete fraud chain, Parate explains.

"They can monitor real-time activities, perform unauthorized transactions, access private information, and manipulate the device as if they were physically holding it," she says. "This capability maximizes their potential to exploit the victim's financial resources and personal data."

A Google spokesperson noted that Google Play Protect can thwart this malware. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

The Trend Toward Multifaceted Attacks 

Parate points out that Trojans of this kind are hard to spot. "These Trojans can silently operate in the background, making them difficult to detect while continuously exfiltrating sensitive data, leading to severe financial and privacy breaches," Parate says.

These Trojans are growing more sophisticated through advanced obfuscation techniques, real-time C2 communication, and multilayered attack strategies such as combining overlay attacks, keylogging, and VNC for remote control, Parate says.

"The Antidot Trojan indicates that mobile malware is becoming more advanced and targeted. It shows a trend toward multifaceted attacks that exploit system features and user trust," she explains.

The use of real-time communication and remote control capabilities signifies a shift toward more interactive and persistent threats, she adds.

"This evolution underscores the need for improved security measures and user awareness to combat increasingly sophisticated mobile malware," Parate says. 

Banking Trojans continue to proliferate globally, including the Godfather mobile banking Trojan, first discovered in 2022 and now targeting 237 banking apps spread across 57 countries, and the GoldDigger malware, targeting Vietnamese organizations. 

About the Author(s)

Nathan Eddy, Contributing Writer

Nathan Eddy is a freelance journalist and award-winning documentary filmmaker specializing in IT security, autonomous vehicle technology, customer experience technology, and architecture and urban planning. A graduate of Northwestern University’s Medill School of Journalism, Nathan currently lives in Berlin, Germany.
