Antidot: New Banking Trojan pretends to be Google Play Updates

Father

Also aimed at Russian-speaking users, the malware uses sophisticated disguise techniques to lull victims' vigilance.

Researchers at Cyble discovered a new banking Trojan that targets Android devices. The sophisticated malware has many dangerous capabilities, including overlay attacks, keylogging, and masking techniques.

The Trojan was named "Antidot" based on a string found in its source code. Its main feature is that it disguises itself as official Google Play updates and supports several languages at once, including English, German, French, Spanish, Portuguese, Romanian and even Russian.

The malware is distributed as a Google Play update and appears on the victim's device under the name "New Version". When the user installs and launches it for the first time, they see a fake page, supposedly from Google Play, with detailed instructions on what to do to "complete the update".



Clicking the "Continue" button redirects the victim to the Android accessibility settings, where the user is asked to grant the malicious app a number of permissions: full access to the contents of the smartphone screen, access to notifications, and system control features that let the app perform taps, swipes, and gestures on the user's behalf.
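Because the Trojan depends on an enabled accessibility service, a defender can audit which services a device currently has enabled. The following is an added example, not code from the article or from Cyble: it parses the value of the Android secure setting `enabled_accessibility_services` (a colon-separated list of `package/service` entries, readable with `adb shell settings get secure enabled_accessibility_services`) and reports any entry whose package is not on a vetted allowlist. The sample setting string and the allowlist are constructed for illustration.

```python
"""Audit enabled Android accessibility services against an allowlist.

The secure setting ``enabled_accessibility_services`` holds a colon-separated
list of ``<package>/<service class>`` entries.  The sample value below is a
constructed string, not captured from a real device.
"""
import subprocess
from typing import Iterable

# Constructed sample: one legitimate screen reader plus a suspicious entry
# whose package name mimics a system update (illustrative, not a real IoC).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.update.newversion/com.update.newversion.AccService"
)

# Hypothetical allowlist: accessibility packages an organisation has vetted.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
    "com.android.talkback",
})


def parse_services(setting: str) -> list[tuple[str, str]]:
    """Split the setting into (package, service_class) pairs, skipping empties."""
    pairs = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        package, service = entry.split("/", 1)
        # Android accepts the shorthand ".Service" relative to the package name.
        if service.startswith("."):
            service = package + service
        pairs.append((package, service))
    return pairs


def unexpected_services(setting: str,
                        allowed: Iterable[str] = ALLOWED_PACKAGES) -> list[str]:
    """Return 'package/service' strings for enabled services not on the allowlist."""
    allowed = set(allowed)
    return [f"{pkg}/{svc}" for pkg, svc in parse_services(setting)
            if pkg not in allowed]


def read_setting_from_device() -> str:
    """Pull the live value over adb (needs adb on PATH and a connected device)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    ).stdout.strip()
    # 'settings get' prints the literal word null when the key is unset.
    return "" if out == "null" else out


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service:", svc)
```

On a real device, replace `SAMPLE_SETTING` with `read_setting_from_device()`; any service reported here that the user did not knowingly enable deserves a closer look, since accessibility access is what gives this family its overlay and input-injection capabilities.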

After the permissions are granted, the Trojan sends a first ping message to the remote server carrying a number of Base64-encoded data fields. These include:
  • name of the malicious app;
  • version of the Software Development Kit (SDK);
  • smartphone manufacturer and model;
  • language and country code;
  • list of installed apps on the device.
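A captured first beacon of this kind can be decoded and triaged for device-fingerprinting indicators. The following is an added example, not code from the article or from Cyble. The page states only which Base64-encoded fields the beacon carries, not the wire format, so the form-encoded key=value body used here is an assumption and every value is constructed; the language list used for the `targeted_language` flag is the one the article gives.

```python
"""Decode and triage a captured first beacon of the kind the article describes.

The page says only that the first ping carries Base64-encoded fields (app name,
SDK version, manufacturer/model, language/country, installed apps).  The wire
layout is NOT on the page: the form-encoded key=value body used here is an
assumption, and all values are constructed for illustration.
"""
import base64
import binascii
import re
from urllib.parse import parse_qsl, urlencode

# Languages the article lists as supported by the Trojan's fake update pages.
TARGETED_LANGUAGES = frozenset({"en", "de", "fr", "es", "pt", "ro", "ru"})

PACKAGE_RE = re.compile(r"^[A-Za-z]\w*(\.[A-Za-z]\w*)+$")   # com.example.app
LOCALE_RE = re.compile(r"^([a-z]{2})[_-][A-Z]{2}$")          # ru_RU, en-US
SDK_RE = re.compile(r"^\d{1,2}$")                            # Android API level


def build_sample_body() -> str:
    """Construct a sample POST body (assumed layout, constructed values)."""
    fields = [
        ("app", "New Version"),
        ("sdk", "33"),
        ("device", "ExampleVendor Model-X"),
        ("locale", "ru_RU"),
        ("apps", "com.android.chrome,com.example.bank,"
                 "com.example.messenger,com.update.newversion"),
    ]
    return urlencode([(k, base64.b64encode(v.encode()).decode()) for k, v in fields])


def decode_fields(body: str) -> dict[str, str]:
    """Base64-decode each form value; values that are not valid Base64 stay raw."""
    decoded = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        try:
            decoded[key] = base64.b64decode(value, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            decoded[key] = value
    return decoded


def looks_like_package_list(text: str, min_packages: int = 3) -> bool:
    """True when the text is a delimited list of Android-style package names."""
    parts = [p.strip() for p in re.split(r"[,;\n]", text) if p.strip()]
    return len(parts) >= min_packages and all(PACKAGE_RE.match(p) for p in parts)


def triage(body: str) -> dict:
    """Decode the body and report fingerprinting indicators plus a verdict."""
    fields = decode_fields(body)
    indicators = []
    if any(looks_like_package_list(v) for v in fields.values()):
        indicators.append("installed_app_inventory")
    if any(SDK_RE.match(v) for v in fields.values()):
        indicators.append("sdk_level")
    locale = next(filter(None, map(LOCALE_RE.match, fields.values())), None)
    if locale:
        indicators.append("locale")
    return {
        "fields": fields,
        "indicators": indicators,
        # True when the reported language is one the Trojan has a fake page for.
        "targeted_language": bool(locale) and locale.group(1) in TARGETED_LANGUAGES,
        "verdict": ("device_fingerprint_beacon" if len(indicators) >= 2
                    else "inconclusive"),
    }


if __name__ == "__main__":
    result = triage(build_sample_body())
    print(result["verdict"], result["indicators"])
```

The point of the heuristic is that a legitimate update check has no reason to upload the full list of installed packages together with the device locale; seeing both in one request from a freshly installed "update" app is the signal worth alerting on, regardless of the exact field names the real sample uses.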

In the background, the Trojan communicates with the command server over HTTP and uses the "socket.io" library for real-time two-way communication. This keeps the session between server and client alive with "ping" and "pong" messages.

After the server generates a bot ID, Antidot sends statistics to the server and receives commands. In total, the Trojan supports 35 commands, including, for example:
  • Virtual Network Computing (VNC);
  • keylogging;
  • overlay attacks;
  • screen recording;
  • call forwarding;
  • collecting contacts and SMS messages;
  • executing USSD requests;
  • locking and unlocking the device.

"The use of string obfuscation, encryption, and page forgery updates demonstrates a targeted approach aimed at avoiding detection and maximizing coverage in various languages," the Cyble researchers noted.

To protect against this and other mobile threats, experts recommend:
  • install software only from official app stores, such as Google Play for Android and the App Store for iOS;
  • use reliable antivirus programs and internet security tools;
  • use strong passwords in conjunction with multi-factor authentication (MFA);
  • be careful when opening links received via SMS or email;
  • always enable Google Play Protect on Android devices;
  • pay close attention to the permissions granted to apps;
  • install legitimate software updates on your devices in a timely manner.

These measures will help minimize the risk of infection and maintain the security of personal data on mobile devices.