New Android Malware Surges Hit Your Device Through Overlay, Virtualization Scams, NFC Theft

By user, June 19, 2025

Cybersecurity researchers have exposed the inner workings of Android malware called Antidot, which compromised over 3,775 devices as part of 273 unique campaigns.

“Operated by the financially motivated threat actor Larva-398, Antidot is actively sold as Malware-as-a-Service (MaaS) on underground forums and is linked to a wide range of mobile campaigns,” Swiss cybersecurity company Prodaft said.

Antidot is advertised as a “three-in-one” solution with the ability to record the device screen by abusing Android’s accessibility services, intercept SMS messages, and extract sensitive data from third-party applications.

The Android botnet is suspected to be distributed through malicious ad networks or highly customized phishing campaigns, based on activity that shows selective targeting of victims by language and geographic location.

Antidot was first publicly documented in May 2024, after it was found being distributed disguised as a Google Play update to achieve its information-theft goals.

Like other Android trojans, it has a wide range of features: it uses Android’s MediaProjection API to perform overlay attacks, logs keystrokes, and remotely controls infected devices. It also establishes WebSocket communications for real-time, two-way communication between infected devices and external servers.

In December 2024, Zimperium revealed details of a mobile campaign that distributed an updated version of Antidot, dubbed AppLite Banker, using job-themed decoys.

The latest findings from Swiss cybersecurity company Prodaft show that at least 11 active command-and-control (C2) servers are running, overseeing more than 3,775 infected devices across 273 different campaigns.

Antidot, whose core is Java-based, is heavily obfuscated using commercial packers to hinder detection and analysis. According to Prodaft, the malware is delivered as part of a three-stage process that starts with an APK file.

“An inspection of AndroidManifest files revealed that many class names are not visible in the original APK,” the company said. “These missing classes contain malicious code that is dynamically loaded by the packer during installation and extracted from encrypted files. The entire mechanism is intentionally written to avoid detection by anti-virus tools.”

Once launched, it displays a fake update progress bar that prompts the victim to grant accessibility permissions, then unpacks and loads a DEX file containing the botnet functionality.

Antidot’s core functionality is its ability to monitor newly launched applications and serve a fake login screen, fetched from the C2 server, when the victim opens a cryptocurrency or payment-related app of interest to the operator.

The malware also abuses accessibility services to gather extensive information about the contents of the active screen, and sets itself as the default SMS app to capture incoming and outgoing text messages. It can additionally monitor calls, block calls from certain numbers, and redirect them, effectively opening up further avenues for fraud.

Another important feature is its ability to track, in real time, the notifications that appear in the device’s status bar, and to dismiss or snooze them in order to suppress alerts that might warn the user of suspicious activity.

According to Prodaft, the C2 panel that runs the remote-control functions is built with MeteorJS, an open-source JavaScript framework for real-time communication. The panel has six different tabs –

  • Bots: view a list of all compromised devices and their details
  • Injections: view all target apps and the overlay template used for each injection
  • Analysis: view a list of all target apps installed on victim devices, which may be used to identify new and popular apps for future targeting
  • Settings: the infrastructure endpoint that the bot connects to
  • Help: support resources for using the malware

“Antidot represents a scalable and evasive MaaS platform designed for financial gain, particularly through sustained control of mobile devices in localized, language-specific regions,” the company said. “The malware also employs WebView injection and overlay attacks to steal credentials, posing a serious threat to user privacy and device security.”

The Godfather is back

The development comes as Zimperium zLabs said it uncovered a “sophisticated evolution” of the Godfather Android banking trojan, which hijacks legitimate mobile banking and cryptocurrency applications and uses on-device virtualization to carry out real-time fraud.

“The core of this novel approach is the ability of the malware to create a complete, isolated virtual environment on the victim’s device. Instead of simply mimicking the login screen, the malware installs a malicious ‘host’ application that includes a virtualization framework.”

“This host downloads and runs a copy of the actual target banking or cryptocurrency app in a controlled sandbox.”

When the victim launches the app, they are redirected to the virtual instance, where their activity is monitored by the threat actors. The latest version of Godfather can also evade static analysis tools by manipulating the ZIP archive and padding the AndroidManifest file with unrelated permissions.
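As an added, defender-side example (not code from the article, nor from Prodaft, Zimperium or F6), the Python script below triages a decoded AndroidManifest.xml for the traits described above for Antidot and Godfather: an accessibility-service binding, default-SMS-handler components and SMS permissions, the overlay permission, call-control permissions, and an oversized or duplicated permission list of the kind used to pad the manifest. The two sample manifests, the padding threshold and the `android.permission.PADDING_nn` names are constructed for illustration; a real manifest would come from apktool or a similar decoder, and the flags are triage hints for an analyst, not a verdict.

```python
"""Triage heuristics for Android banking-trojan traits in a decoded AndroidManifest.xml.

Added example, not code from the article or the vendors it cites. Input is the
human-readable manifest (e.g. apktool output). Thresholds are illustrative.
"""
import xml.etree.ElementTree as ET
from collections import Counter

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = "{%s}name" % ANDROID_NS
A_PERM = "{%s}permission" % ANDROID_NS

# Real Android identifiers used by the checks below.
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_DELIVER = "android.provider.Telephony.SMS_DELIVER"   # default-SMS-app receiver action
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
             "android.permission.SEND_SMS"}
CALL_PERMS = {"android.permission.ANSWER_PHONE_CALLS", "android.permission.CALL_PHONE",
              "android.permission.READ_PHONE_STATE"}

# Hypothetical threshold: more distinct <uses-permission> entries than this is treated as padding.
PADDING_THRESHOLD = 30

# Constructed sample: 40 meaningless permissions padding the manifest (names are made up).
_PADDING = "\n".join(
    '  <uses-permission android:name="android.permission.PADDING_%02d"/>' % i for i in range(40)
)

# Constructed sample of a suspicious manifest (fake package name).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
""" + _PADDING + """
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample of an unremarkable manifest (fake package name).
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application><activity android:name=".Main"/></application>
</manifest>
"""


def requested_permissions(root):
    """All <uses-permission> names, duplicates included (padding often repeats entries)."""
    return [e.get(A_NAME) for e in root.iter("uses-permission") if e.get(A_NAME)]


def declares_accessibility_service(root):
    """True if any <service> binds as an accessibility service (by permission or intent action)."""
    for svc in root.iter("service"):
        if svc.get(A_PERM) == BIND_A11Y:
            return True
        if any(a.get(A_NAME) == A11Y_ACTION for a in svc.iter("action")):
            return True
    return False


def declares_sms_deliver_receiver(root):
    """True if a <receiver> handles SMS_DELIVER, i.e. the app can become the default SMS handler."""
    return any(a.get(A_NAME) == SMS_DELIVER for rx in root.iter("receiver") for a in rx.iter("action"))


def triage(manifest_xml):
    """Return per-trait flags and a simple score (number of traits present) for one manifest."""
    root = ET.fromstring(manifest_xml)
    counts = Counter(requested_permissions(root))
    names = set(counts)
    flags = {
        "accessibility_service": declares_accessibility_service(root),
        "sms_interception": declares_sms_deliver_receiver(root) or bool(SMS_PERMS & names),
        "overlay_capability": OVERLAY_PERM in names,
        "call_control": bool(CALL_PERMS & names),
        "permission_padding": len(names) > PADDING_THRESHOLD or any(c > 1 for c in counts.values()),
    }
    return {"package": root.get("package"), "flags": flags,
            "score": sum(flags.values()), "distinct_permissions": len(names)}


if __name__ == "__main__":
    for name, xml in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml))
```

The accessibility and SMS_DELIVER checks look at component declarations rather than permission strings alone, because a default SMS handler must declare those receivers regardless of what else the manifest says; the padding check counts distinct entries and repeats separately, since an inflated or duplicated list is itself a signal worth a second look even when no individual permission is alarming.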

As in Antidot’s case, Godfather relies on accessibility services to carry out information gathering and to control compromised devices. Starting with Android 13, Google has implemented security protections that prevent sideloaded apps from enabling accessibility services, but a session-based installation approach can bypass this safeguard.

The session-based method is the one app stores use to handle app installations; it is also invoked when an APK file is handed to the installer by a messaging app, email client, or browser.

The core of the malware’s features is virtualization. The first step is to enumerate the list of installed apps and check whether any of the targeted apps are present.

If a match is found, the malware extracts the relevant information from those apps and installs copies of them in a virtual environment inside the dropper app. When the victim then tries to launch the real banking application on the device, Godfather intercepts the action and opens the virtualized instance instead.

It is worth pointing out that similar virtualization features were previously flagged in another Android malware, codenamed FjordPhantom, documented by Promon in December 2023. This method represents a paradigm shift in mobile threat capabilities, going beyond traditional overlay tactics to steal credentials and other sensitive data.

“While this Godfather campaign has cast a wide net, targeting nearly 500 applications around the world, the analysis reveals that this highly sophisticated virtualization attack is currently focused on Turkish financial institutions,” the company said.

“A particularly surprising feature revealed in Godfather’s malware is its ability to steal device lock credentials, regardless of whether the victim uses unlock patterns, PINs or passwords. This poses a major threat to user privacy and device security.”

The mobile security company said that misuse of accessibility services is one of many ways malicious apps can achieve privilege escalation on Android, allowing them to obtain permissions that exceed their functional requirements. Others include the misuse of original equipment manufacturer (OEM) permissions and security vulnerabilities in pre-installed apps that users cannot remove.

“To prevent privilege escalation and secure the Android ecosystem against malicious or overprivileged applications, we need more than user awareness and reactive patching. We require proactive, scalable, intelligent defense mechanisms.”

SuperCard X Malware Comes to Russia

The findings follow the first recorded attempt to target Russian users with SuperCard X, a newly emerging Android malware that can carry out near-field communication (NFC) relay attacks to conduct fraudulent transactions.

According to Russian cybersecurity company F6, SuperCard X is a malicious modification of a legitimate tool called NFCGate that can capture or modify NFC traffic. The ultimate goal of the malware is not only to relay NFC traffic from victims, but also to read bank card data by sending commands to the card’s EMV chip.

“The application allows attackers to steal bank card data by intercepting NFC traffic, for the subsequent theft of money from the user’s bank account,” F6 researcher Alexander Koposov said in a report published this week.

SuperCard X attacks were first observed earlier this year targeting Android users in Italy, weaponizing NFC technology to relay data from the victim’s physical card to an attacker-controlled device, which was then used to perform fraudulent ATM withdrawals and point-of-sale (POS) payments.

The Chinese-speaking MaaS platform is touted as capable of targeting customers of major banks in the US, Australia and Europe, and shares significant code-level overlap with NGate, an Android malware that weaponized NFCGate for malicious purposes in the Czech Republic.

What all of these campaigns have in common is that they rely on smishing techniques to convince potential victims to install APK files on their devices under the guise of useful programs.

Malicious apps discovered in the app store

All of the aforementioned malware strains require victims to sideload apps onto their devices, but new research has unearthed malicious apps in the official Google Play Store and Apple’s App Store that steal mnemonic phrases associated with cryptocurrency wallets, collect personal information, and siphon assets.

One of the apps in question, RapiPlata, is estimated to have been downloaded about 150,000 times across Android and iOS devices, highlighting the severity of the threat. The app belongs to a class of malware known as SpyLoan, which lures users with promises of loans only to expose them to intimidation, blackmail and data theft.

“RapiPlata targets Colombian users primarily by promising quick loans,” Check Point said. “Beyond predatory lending practices, the app is engaged in a wide range of data theft. The app has had extensive access to sensitive user data, including SMS messages, call logs, calendar events, and installed applications.”

Meanwhile, the cryptocurrency wallet phishing apps are distributed through compromised developer accounts and harvest seed phrases by serving phishing pages via WebView.

These apps have since been removed from their respective app stores, but the danger remains that the Android apps can still be downloaded from third-party websites. Users are advised to exercise caution when downloading financial or loan-related applications.
