Beware! Android Banking Trojan Mimics As Google Play Updates

by Esmeralda McKenzie

A new Android banking Trojan, Antidot, emerged in May 2024. It steals credentials via overlay attacks and carries a range of functionality that gives the operator full control of the device.

Antidot uses VNC, keylogging, screen recording, and call forwarding to capture sensitive data.

It can also collect contacts and SMS messages, initiate USSD requests, and lock or unlock the device. The malware uses custom encryption and obfuscation techniques to hinder analysis.

Figure: Mentions of “Antidot” strings in the malware source code

The Antidot Android banking Trojan is disguised as a Google Play update app and displays a fake Google Play update page during installation. The page has been observed in multiple languages, suggesting the malware targets users in German-, French-, Spanish-, Russian-, Portuguese-, Romanian-, and English-speaking regions.

Figure: Fake update pages crafted in various languages

Antidot uses social engineering to trick users into granting accessibility permissions: upon installation, a fake update page with a “Continue” button is displayed.

Clicking the button redirects the user to the Accessibility Settings menu. Once it holds Accessibility privileges, Antidot, like other Android banking Trojans, can perform malicious actions without the user’s knowledge or awareness, which lets the malware steal sensitive data and potentially take control of the device.

Figure: Antidot prompting the user to grant Accessibility permission
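A static triage check a practitioner might run on an APK that claims to be a Google Play update, written as an added example for this article (it is not code from the article or from Cyble’s analysis). After decoding the APK with apktool, it looks for the combination described above, a declared accessibility service plus the overlay permission, on an app whose label says “Google Play” but whose package name is not the genuine com.android.vending. The manifest below is constructed for the example; its package and class names are invented and do not come from the Antidot sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"
REAL_PLAY_PACKAGE = "com.android.vending"  # package name of the genuine Google Play Store

# Constructed manifest in the decoded form apktool produces. It is NOT taken
# from the Antidot sample; the package name and service class are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.playupdate">
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <application android:label="Google Play">
        <service android:name=".UpdateService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def _attr(name):
    """Clark-notation key for an attribute in the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"


def triage_manifest(xml_text):
    """Return the indicators found in a decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    package = root.get("package")
    perms = {e.get(_attr("name")) for e in root.iter("uses-permission")}
    # Services that bind with BIND_ACCESSIBILITY_SERVICE are accessibility services.
    accessibility_services = [
        s.get(_attr("name")) for s in root.iter("service")
        if s.get(_attr("permission")) == ACCESSIBILITY_BIND
    ]
    app = root.find("application")
    label = app.get(_attr("label"), "") if app is not None else ""

    findings = []
    if accessibility_services:
        findings.append("declares an accessibility service")
    if OVERLAY_PERMISSION in perms:
        findings.append("requests SYSTEM_ALERT_WINDOW (overlay) permission")
    if "google play" in label.lower() and package != REAL_PLAY_PACKAGE:
        findings.append(f"label '{label}' impersonates Google Play but package is {package}")
    return {
        "package": package,
        "accessibility_services": accessibility_services,
        "permissions": sorted(p for p in perms if p),
        "findings": findings,
        # Accessibility abuse plus overlay capability on a fake Play app is the
        # combination the article describes; flag it for manual review.
        "suspicious": len(findings) >= 2,
    }


if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST)["findings"]:
        print("-", finding)
```

Real manifests usually carry the label as a resource reference (`@string/app_name`), so in practice the label check needs the decoded `res/values/strings.xml` as well; the example keeps a literal label to stay self-contained.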

The Antidot banking Trojan uses a combination of HTTP and WebSocket to establish real-time, two-way communication with its Command and Control (C&C) server: it initiates contact via an HTTP request but relies on the WebSocket-based “socket.io” library for continuous data exchange.

Figure: First ping message to the server

The malware communicates using “ping” and “pong” messages. Client-side “ping” messages carry Base64-encoded data, while server replies (“pong”) contain instructions in plain text for the malware to execute, allowing the C&C server to discreetly send commands to the infected device.

It initiates contact with the attacker’s C&C server by sending a “ping” message containing encoded device data such as app name, version, device model, manufacturer, and installed apps.

Figure: Pong message with bot ID

On successful communication, the server responds with a “pong” message assigning a unique bot ID to the infected device. During this exchange the malware also retrieves additional backup C&C server addresses, ensuring continued communication even if the primary server goes offline.

According to Cyble, once it has received a unique bot ID the Antidot banking Trojan maintains a two-way communication channel with its server, transmitting bot statistics and fetching commands from it.

Figure: Commands received from the server

The commands, 35 in total, grant the attacker extensive control over the victim’s device, including stealing data (SMS, contacts, keystrokes), manipulating the interface (overlay windows, brightness), and controlling the device itself (taking photos, making calls, initiating sleep mode).

Figure: SOS command

The Antidot Android banking Trojan uses overlay attacks and keylogging to steal user credentials.

It overlays deceptive phishing pages resembling legitimate apps (such as banking apps) on top of the real ones, tricking users into entering their credentials into the malware.

Moreover, it logs every keystroke the victim types and reports to the command-and-control server, sending stolen data and receiving commands. If the server determines that the device is not an intended target, it instructs the malware to prompt the user to uninstall it via an “SOS” command.
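The ping/pong exchange described in the C&C section above (a registration ping carrying Base64-encoded device data, a pong assigning a bot ID and listing backup servers, and later pongs carrying plain-text commands) together with the “SOS” uninstall command from this paragraph, modelled end to end as an added example. This is illustrative code written for this article, not code from the Antidot sample or from Cyble’s analysis: the JSON field names (“type”, “data”, “botId”, “backup”, “command”, “bot_id”), the device profile, and the in-memory FakeC2 class are assumptions, and the socket.io/WebSocket transport is not modelled, only the message handling on each side.

```python
import base64
import json

# Constructed device profile of the kind the article says the first ping carries.
# Values are invented for the example.
DEVICE_INFO = {
    "app_name": "Google Play",
    "app_version": "1.0",
    "model": "Pixel 6",
    "manufacturer": "Google",
    "installed_apps": ["com.example.bank", "com.android.chrome"],
}


def build_ping(payload):
    """Client side: a ping carries its JSON payload Base64-encoded (field names assumed)."""
    raw = json.dumps(payload, separators=(",", ":")).encode()
    return {"type": "ping", "data": base64.b64encode(raw).decode("ascii")}


def decode_ping(msg):
    """Server or analyst side: recover the plain JSON from a ping's Base64 field."""
    if msg.get("type") != "ping":
        raise ValueError("not a ping message")
    return json.loads(base64.b64decode(msg["data"]))


class FakeC2:
    """Stand-in for the server: assigns bot IDs, hands out backup addresses,
    and answers later pings with plain-text commands."""

    def __init__(self, backups):
        self.backups = list(backups)
        self.next_id = 1000
        self.queues = {}  # bot_id -> list of pending plain-text commands

    def handle(self, msg):
        info = decode_ping(msg)
        if "bot_id" not in info:  # first contact: register and return a bot ID
            bot_id = f"bot-{self.next_id}"
            self.next_id += 1
            self.queues[bot_id] = []
            return {"type": "pong", "botId": bot_id, "backup": self.backups}
        pending = self.queues.get(info["bot_id"], [])
        command = pending.pop(0) if pending else None
        return {"type": "pong", "command": command}


class Bot:
    """Client side: keeps the bot ID and server list and reacts to commands."""

    def __init__(self, primary):
        self.servers = [primary]
        self.bot_id = None
        self.log = []

    def register(self, c2):
        pong = c2.handle(build_ping(DEVICE_INFO))
        self.bot_id = pong["botId"]
        self.servers += pong.get("backup", [])  # fall-back C&C addresses
        return self.bot_id

    def poll(self, c2):
        # Later pings carry the bot ID plus bot statistics (constructed values).
        ping = build_ping({"bot_id": self.bot_id, "stats": {"sms_collected": 3}})
        return self.dispatch(c2.handle(ping).get("command"))

    def dispatch(self, command):
        if command is None:
            return "idle"
        if command == "SOS":  # server says this device is not a target: ask the user to uninstall
            self.log.append("prompt user to uninstall")
            return "uninstall-prompted"
        self.log.append(f"unhandled command {command!r}")  # the other commands are not modelled
        return "unhandled"


if __name__ == "__main__":
    c2 = FakeC2(["c2-backup-1.example", "c2-backup-2.example"])
    bot = Bot("c2-primary.example")
    print("registered as", bot.register(c2), "servers:", bot.servers)
    c2.queues[bot.bot_id].append("SOS")
    print("after SOS:", bot.poll(c2))
```

For triage of a real capture, `decode_ping` is the useful part: apply it to the `data` field of the first client message to recover the device profile the bot reported, and read the server’s replies as-is, since the article notes they are plain text.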

Source credit : cybersecuritynews.com
