Cybersecurity researchers have recently detailed the inner workings of a sophisticated Android malware called AntiDot, which has compromised over 3,775 devices across 273 distinct campaigns. AntiDot is operated by the financially motivated threat actor group tracked as LARVA-398 and is sold as Malware-as-a-Service (MaaS) on underground forums, so the campaigns observed in the wild are run by a range of customers rather than by a single operator.
Infection and Distribution
AntiDot is primarily distributed through malicious advertising networks and targeted phishing campaigns, including SMS-based phishing (smishing). The malware often masquerades as a legitimate Google Play update, presenting fake update notifications or landing pages localized into multiple languages to widen its reach across regions. Because the "update" is an APK fetched from outside the Play Store, the victim has to sideload it and, during installation, grant the permissions the malware needs; a genuine Google Play update never requires either step, which is the simplest check a user or help desk can apply.
Technical Capabilities
AntiDot is advertised by its sellers as a "three-in-one" solution, and the capability set it bundles is what makes it particularly dangerous:
• Overlay Attacks: AntiDot can display fake login screens over legitimate banking, cryptocurrency, or other sensitive apps to steal user credentials.
• Keylogging & Screen Recording: By abusing Android’s accessibility services and the MediaProjection API, it can log keystrokes and record the device screen, capturing sensitive information.
• Remote Control: The malware establishes a WebSocket connection for real-time, bi-directional communication with its command-and-control (C2) server, allowing attackers to execute commands, collect data, and even remotely control the device via VNC-like capabilities.
• Data Exfiltration: AntiDot can intercept SMS messages, steal contact lists, forward calls, collect two-factor authentication codes, and extract data from third-party apps.
• Device Manipulation: It can lock/unlock the device, put it to sleep, open/uninstall apps, make calls, send SMS messages, and use the camera to take photos—all without user consent.
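Every capability in the list above is backed by a permission or component the app must declare in its manifest: overlays need SYSTEM_ALERT_WINDOW, keylogging and remote control need an accessibility service bound with BIND_ACCESSIBILITY_SERVICE, screen recording through MediaProjection needs the corresponding foreground-service permission, and SMS, contacts, calls and camera each have their own runtime permission. The script below is an added example of a static triage heuristic over a decoded AndroidManifest.xml; it is not code from the researchers' report or from the malware, and it does not carry any indicator specific to AntiDot. The permission and action strings are real Android identifiers; the grouping into capabilities, the weights and the threshold are this example's own assumptions, and the two sample manifests are constructed for illustration (a real APK's binary manifest would first have to be decoded, for instance with apktool).

```python
"""Static triage of a decoded AndroidManifest.xml for the capability set
described above (overlay, accessibility abuse, screen capture, SMS and
contact theft, call/camera control, device-admin lock).

Added example for this page; not the researchers' or the malware's code.
The sample manifests are constructed. Capability grouping, weights and
threshold are assumptions chosen for illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Capability -> real Android permission strings that usually back it.
CAPABILITY_PERMISSIONS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "screen_capture": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "sms_intercept": {"android.permission.RECEIVE_SMS",
                      "android.permission.READ_SMS",
                      "android.permission.SEND_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "calls": {"android.permission.CALL_PHONE",
              "android.permission.ANSWER_PHONE_CALLS"},
    "camera": {"android.permission.CAMERA"},
    "sideload": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Assumed weights: accessibility plus overlay is the core of the
# overlay/keylogging attack, so those two outweigh the rest.
WEIGHTS = {"accessibility": 3, "overlay": 3, "screen_capture": 2,
           "sms_intercept": 2, "device_admin": 2, "sideload": 1,
           "contacts": 1, "calls": 1, "camera": 1}


def triage_manifest(xml_text: str) -> dict:
    """Return {capability: [evidence, ...]} for each capability whose
    permission or component declaration appears in the manifest."""
    root = ET.fromstring(xml_text)
    requested = {el.get(A_NAME) for el in root.iter("uses-permission")}
    found = {}
    for cap, perms in CAPABILITY_PERMISSIONS.items():
        hits = sorted(requested & perms)
        if hits:
            found[cap] = hits
    # An accessibility service is a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE and/or filtering the AccessibilityService action.
    for svc in root.iter("service"):
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if (svc.get(A_PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
                or ACCESSIBILITY_ACTION in actions):
            found.setdefault("accessibility", []).append(svc.get(A_NAME))
    # A device-admin receiver lets the app lock the screen and resist removal.
    for rcv in root.iter("receiver"):
        actions = {a.get(A_NAME) for a in rcv.iter("action")}
        if (rcv.get(A_PERM) == "android.permission.BIND_DEVICE_ADMIN"
                or DEVICE_ADMIN_ACTION in actions):
            found.setdefault("device_admin", []).append(rcv.get(A_NAME))
    return found


def risk_score(findings: dict) -> int:
    return sum(WEIGHTS.get(cap, 1) for cap in findings)


def is_suspicious(xml_text: str, threshold: int = 7) -> bool:
    """Flag for manual review. Accessibility + overlay alone scores 6, so a
    password manager or screen reader is not flagged unless it also asks
    for an exfiltration or control capability."""
    return risk_score(triage_manifest(xml_text)) >= threshold


# Constructed sample: a fake "Play update" with the full capability set.
BANKER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".Admin"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: an ordinary SMS client, which legitimately reads SMS.
SMS_APP_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("fakeupdate", BANKER_MANIFEST), ("messenger", SMS_APP_MANIFEST)):
        f = triage_manifest(m)
        print(label, risk_score(f), is_suspicious(m), f)
```

The heuristic is deliberately about combinations, not single permissions: an SMS client, a screen reader or a password manager each has a legitimate reason for one or two of these grants, but a "system update" that wants accessibility, overlays, SMS, device admin and the camera at once has no benign explanation. On a managed fleet the same check can be run over the manifests of sideloaded packages exported by an MDM, and a positive result should trigger revocation of the accessibility and device-admin grants before uninstalling, since a device-admin receiver can otherwise block removal.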
Campaigns and Evolution
The malware has been observed in at least 273 unique campaigns, with lures tailored to the victim's language and geography for more effective social engineering. Notably, in December 2024, an updated variant called AppLite Banker was distributed using job-offer-themed phishing lures, showing that the operators rotate both the disguise (fake update versus fake job offer) and the feature set between waves.
Impact and Response
AntiDot poses a significant threat to Android users' financial and personal security, given its ability to steal banking credentials, credit card information, two-factor authentication codes, and more. Security vendors and researchers have responded by updating threat intelligence and blocking related domains and IPs, but the malware's ongoing evolution and MaaS model mean that infrastructure blocks lag behind each new customer's campaign and the threat remains persistent. On the device side, the practical review points follow directly from the capabilities above: audit which apps hold accessibility service access, draw-over-other-apps permission and device administrator rights, and treat any "update" that arrived outside Google Play and asked for those grants as hostile.