AntiDot is a sophisticated Android banking trojan, first identified in May 2024, that targets mobile users globally through a variety of deceptive tactics and advanced features. It is primarily distributed by masquerading as a legitimate Google Play update, tricking users into installing it on their devices.
Key Features and Capabilities
Distribution and Infection
• Disguises itself as a Google Play update app, often using localized fake update pages in multiple languages to target users in different regions.
• Delivered via malicious ads, phishing campaigns, or fake job offers, often requiring users to grant Accessibility Services permissions to function.
Core Malicious Functions
• Overlay Attacks: Uses HTML phishing pages displayed over legitimate banking, cryptocurrency, or social media apps to steal credentials. These overlays are tailored for specific apps identified on the victim’s device.
• Keylogging and Screen Recording: Abuses Android’s accessibility services and the MediaProjection API to log keystrokes and record screen activity.
• Remote Control: Employs Virtual Network Computing (VNC) to allow attackers to remotely control infected devices, including interacting with the screen, opening notifications, and performing swipe gestures.
• SMS and Call Interception: Sets itself as the default SMS app to intercept messages; it can also monitor, block, or redirect calls and hide selected SMS messages from the user.
• Data Theft: Extracts sensitive data from third-party apps, contacts, and SMS, and can collect information about the device and installed applications.
• Persistence and Evasion: Uses heavy obfuscation, dynamic code loading, and encrypted payloads to evade detection by antivirus tools.
• Command and Control: Maintains real-time, bi-directional communication with its operators via WebSocket, enabling it to receive and execute over 35 different commands.
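The capabilities listed above (an enabled accessibility service, holding the default-SMS role, posing as a Google Play component) are also the device-side indicators a responder can check. The following triage helper is an added example written for this summary, not code from any vendor report or from the malware. It parses the output of three standard adb commands (`settings get secure enabled_accessibility_services`, `cmd role get-role-holders android.app.role.SMS`, `pm list packages -3`); the sample output embedded below is constructed, and the package name `com.update.playservice` is a placeholder, not a real indicator of compromise. The allowlist and the name-based impersonation heuristic are assumptions to be tuned against a fleet baseline.

```python
"""Flag third-party Android packages holding the capabilities AntiDot abuses."""
import re

# Real Google packages that are allowed to carry 'play'/'google'/'vending' names.
KNOWN_GOOGLE = {"com.android.vending", "com.google.android.gms", "com.google.android.gsf"}
# Accessibility services expected on a managed device (assumption; extend per baseline).
ACCESSIBILITY_ALLOWLIST = {"com.android.talkback", "com.google.android.marvin.talkback"}

# --- constructed sample output of the three adb commands (not real device data) ---
SAMPLE_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.update.playservice/com.update.playservice.AccService"   # placeholder package
)
SAMPLE_SMS_ROLE = "com.update.playservice"
SAMPLE_THIRD_PARTY = "package:com.update.playservice\npackage:com.example.notes\n"


def parse_accessibility(raw):
    """'pkg/Service:pkg2/Service2' -> set of package names ('null' or '' means none)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/")[0] for entry in raw.split(":") if entry}


def parse_role_holders(raw):
    """Role holders are printed ';'-separated; accept newlines too to be safe."""
    return {p.strip() for p in re.split(r"[;\n]", raw) if p.strip()}


def parse_third_party(raw):
    """'package:com.foo' lines -> set of package names."""
    return {line.split(":", 1)[1].strip() for line in raw.splitlines() if line.startswith("package:")}


def looks_like_play_impersonation(pkg):
    """Heuristic: Google-sounding name that is not a known Google package."""
    return pkg not in KNOWN_GOOGLE and re.search(r"google|play|vending", pkg, re.I) is not None


def triage(accessibility_raw, sms_role_raw, third_party_raw):
    """Return {package: [reasons]} for third-party packages worth manual review."""
    acc = parse_accessibility(accessibility_raw)
    sms = parse_role_holders(sms_role_raw)
    findings = {}
    for pkg in sorted(parse_third_party(third_party_raw)):
        reasons = []
        if pkg in acc and pkg not in ACCESSIBILITY_ALLOWLIST:
            reasons.append("enabled accessibility service (overlay/keylog capable)")
        if pkg in sms:
            reasons.append("holds default SMS role (can intercept/hide SMS)")
        if looks_like_play_impersonation(pkg):
            reasons.append("package name imitates Google Play")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_ROLE, SAMPLE_THIRD_PARTY).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a live device, pipe the three `adb shell` outputs into `triage()`; a single hit on the accessibility or SMS-role check is enough to warrant pulling the APK for analysis, since benign apps rarely need both.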
Additional Features
• Can lock/unlock the device, perform USSD requests, initiate fake login pages for hundreds of banks and services, and prevent uninstallation.
• Targets both financial and social media applications, expanding its potential impact.
Threat Actor and Campaigns
• Operated by the financially motivated group LARVA-398, AntiDot is sold as Malware-as-a-Service (MaaS) on underground forums.
• Has been linked to at least 273 unique campaigns, compromising thousands of devices worldwide.
Technical Details
• Written in Java, distributed as a multi-stage APK, and heavily packed to avoid detection.
• Dynamically loads malicious code at runtime to bypass security checks.
• Uses both HTTP and WebSocket protocols for communication with command-and-control (C2) servers.
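A multi-stage APK that loads code at runtime usually carries its later stages as DEX or nested APK files, or as encrypted blobs, somewhere other than the regular `classes*.dex` entries. The static scanner below is an added example written for this summary, not an AntiDot sample or any vendor tool. It opens an APK as a ZIP, flags DEX magic outside `classes*.dex`, nested ZIP/APK files under `assets/` or `res/raw/`, and high-entropy asset files that may be encrypted payloads. The APK it scans is constructed in memory from stub entries, the entropy threshold and size cutoff are assumptions, and a hit is a reason to analyse further, not proof of malice (some legitimate apps ship plug-ins this way).

```python
"""Static triage of an APK for embedded or encrypted second-stage payloads."""
import io
import math
import random
import re
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"
ZIP_MAGIC = b"PK\x03\x04"
EXPECTED_CODE = re.compile(r"^classes\d*\.dex$")   # where legitimate code lives
PAYLOAD_DIRS = ("assets/", "res/raw/")
ENTROPY_THRESHOLD = 7.5     # bits/byte; assumption, compressed media also scores high
MIN_BLOB_SIZE = 2048        # ignore tiny files for the entropy check


def shannon_entropy(data):
    """Shannon entropy in bits per byte of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_apk(apk_bytes):
    """Return a list of (entry_name, reason) for entries worth a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or EXPECTED_CODE.match(info.filename):
                continue
            data = zf.read(info)
            if data.startswith(DEX_MAGIC):
                findings.append((info.filename, "DEX file outside classes*.dex"))
            elif data.startswith(ZIP_MAGIC) and info.filename.startswith(PAYLOAD_DIRS):
                findings.append((info.filename, "nested ZIP/APK in resources"))
            elif (info.filename.startswith(PAYLOAD_DIRS)
                  and len(data) >= MIN_BLOB_SIZE
                  and shannon_entropy(data) > ENTROPY_THRESHOLD):
                findings.append((info.filename, "high-entropy blob (possibly encrypted payload)"))
    return findings


def build_sample_apk():
    """Constructed APK stand-in: one legitimate dex, one hidden dex, one random blob."""
    rng = random.Random(1)                      # deterministic 'encrypted' payload
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)   # stub
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 64)        # normal
        zf.writestr("assets/fonts.dat", DEX_MAGIC + b"035\x00" + b"\x00" * 64)   # hidden stage
        zf.writestr("assets/update.bin", blob)                                   # encrypted-looking
        zf.writestr("res/raw/config.txt", b"timeout=30\nretries=3\n")            # benign
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_apk(build_sample_apk()):
        print(f"{name}: {reason}")
```

Run it against a real file with `scan_apk(open(path, "rb").read())`. Because packed samples often decrypt the payload only at runtime, a clean static scan does not clear an APK; combine this with the device-side permission checks and with network monitoring for the HTTP/WebSocket C2 traffic described above.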