New Android Banking Trojan Mimics Google Play Update App

A new banking Trojan targeting Android devices has been detected by Cyble Research and Intelligence Labs (CRIL), the research branch of threat intelligence provider Cyble.

In a report published on May 16, CRIL described sophisticated malware incorporating a range of malicious features, including overlay attacks, keylogging and obfuscation capabilities.

The researchers called the Trojan “Antidot” after a string within its source code.

What the Antidot Trojan Looks Like

Antidot poses as a Google Play update application, displaying a counterfeit Google Play update page upon installation.

Cyble observed that this fake update page has been crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English. This suggests that the malware is targeting Android users in different regions.

Antidot’s fake update pages crafted in different languages. Source: Cyble

On the fake update page, a “Continue” button redirects the user to the Android device’s Accessibility settings.

Once the user grants the Accessibility permission to the service, the malware sends its first “ping message” to the server together with Base64-encoded data containing the following:

  • Malware application name
  • Software Development Kit (SDK) version
  • Phone model
  • Phone manufacturer
  • Language and country code
  • Installed application package list

Decoding Antidot’s Features

In the background, the malware initiates communication with its command and control (C2) server at “hxxp://46[.]228.205.159:5055/”.

In addition to the HTTP connection, the Trojan establishes WebSocket communication using the socket.io library, which enables real-time, bi-directional communication between the server and client.

The malware maintains this communication between the server and its client through “ping” and “pong” messages.

Once the server generates the bot ID, the Antidot Banking Trojan sends bot statistics to the server and receives commands. The malware implements a total of 35 commands, including collecting SMS messages, initiating USSD (Unstructured Supplementary Service Data) requests, and even remotely controlling device features such as the camera and screen lock.
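The two network behaviours described above (an initial HTTP POST carrying a Base64-encoded device fingerprint, followed by a socket.io handshake to the same host) are what a defender can look for in egress proxy logs. The script below is an added example written for this article, not code from Cyble's report: it refangs the reported C2 indicator, flags requests to it, spots socket.io handshakes by their standard `EIO=`/`transport=` query string, and marks POST bodies that decode as Base64. The log line layout and the fingerprint body are constructed for the example; Antidot's real ping message format is not documented on this page.

```python
import base64
import re
from typing import Dict, List

# Indicator quoted in the Cyble report, kept defanged in the source so the
# script never contains a live C2 URL; it is refanged only for matching.
DEFANGED_C2 = "hxxp://46[.]228.205.159:5055/"


def refang(ioc: str) -> str:
    """Turn hxxp:// and [.] back into a plain URL for comparison."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


C2_URL = refang(DEFANGED_C2)

# A socket.io handshake always carries the Engine.IO version and transport.
SOCKETIO_RE = re.compile(r"/socket\.io/\?.*\bEIO=\d+.*\btransport=(polling|websocket)")


def looks_base64(s: str) -> bool:
    """True if s is a plausible Base64 blob (validate=True rejects junk)."""
    if len(s) < 16 or len(s) % 4 != 0:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:
        return False


# Constructed sample: "<ts> <src> <method> <url> body=<body|->". The body is a
# made-up device fingerprint, not Antidot's actual ping payload.
FINGERPRINT = base64.b64encode(b'{"app":"com.example.update","sdk":34}').decode()
SAMPLE_LOG = [
    f"2024-05-16T10:01:02Z 10.0.0.7 POST http://46.228.205.159:5055/ body={FINGERPRINT}",
    "2024-05-16T10:01:05Z 10.0.0.7 GET http://46.228.205.159:5055/socket.io/?EIO=4&transport=websocket body=-",
    "2024-05-16T10:02:00Z 10.0.0.8 GET https://play.google.com/store body=-",
]


def triage_line(line: str) -> List[str]:
    """Return the reasons (possibly none) a proxy log line deserves a look."""
    parts = line.split()
    if len(parts) < 5:
        return []
    url, body = parts[3], parts[4][5:] if parts[4].startswith("body=") else parts[4]
    reasons = []
    if url.startswith(C2_URL):
        reasons.append("contact with reported Antidot C2")
    if SOCKETIO_RE.search(url):
        reasons.append("socket.io handshake from a mobile client")
    if body != "-" and looks_base64(body):
        reasons.append("Base64-encoded POST body (possible device fingerprint)")
    return reasons


def scan(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> reasons for every line that triggered a rule."""
    return {i: r for i, line in enumerate(lines) if (r := triage_line(line))}
```

Run `scan(SAMPLE_LOG)` to see the first two constructed lines flagged and the Google Play request left alone; in practice the C2 match is the high-confidence rule, while the socket.io and Base64 rules are triage aids that need an allowlist of legitimate apps.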

The malware incorporates several features that allow it to carry out a range of malicious activities, including:

  • Virtual Network Computing (VNC)
  • Keylogging
  • Overlay attacks
  • Screen recording
  • Call forwarding
  • Collecting contacts and SMS messages
  • Performing USSD requests
  • Locking and unlocking the device

“Antidot’s utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrates a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions,” Cyble researchers wrote.

Cyble Mitigation Recommendations for Android Banking Trojans

Some of the recommendations to mitigate this threat include:

  • Only install software from official app stores such as the Google Play Store (Android phones) or the Apple App Store (iOS phones)
  • Use a reputable antivirus and internet security software package
  • Use strong passwords and enforce multi-factor authentication (MFA) wherever possible
  • Be careful when opening links received via SMS or email on your mobile device
  • Always enable Google Play Protect on Android devices
  • Be wary of any permissions given to an application
  • Keep devices, operating systems and applications up to date
