New Android Banking Trojan Mimics Google Play Update App
Summary:
Cyble Research and Intelligence Labs has uncovered a new banking trojan dubbed “Antidot” targeting Android devices by posing as a Google Play update application. Users who install the application are presented with a counterfeit Google Play update page that contains a “continue” button designed to redirect to the Android device’s Accessibility settings. If the user grants accessibility to the malicious application, it will proceed to initiate communication with the C2 server and send back device data including the SDK version, phone model, manufacturer, language and country code, etc. According to researchers, Antidot establishes communication with the C2 server via WebSocket, enabling real-time bidirectional interaction for executing commands. Antidot supports a total of 35 commands, allowing operators of the malware to initiate USSD requests, collect contacts and SMSs, log keystrokes, record the device’s screen, and much more.
Security Officer Comments:
Several versions of the fake update page have been created in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English as a means to target Android around the world. As a banking trojan, Antidot’s main purpose is to gather credentials for various financial platforms, enabling actors to divert funds. Researchers note the use of overlay attacks to collect credentials, which involves presenting infected users with lookalike login pages masquerading as these targeted financial institutions.
Suggested Corrections:
To help defend against banking trojans like Antidot, Cyble has provided the following mitigations:
https://www.infosecurity-magazine.com/news/android-banking-trojan-google-play/
Cyble Research and Intelligence Labs has uncovered a new banking trojan dubbed “Antidot” targeting Android devices by posing as a Google Play update application. Users who install the application are presented with a counterfeit Google Play update page that contains a “continue” button designed to redirect to the Android device’s Accessibility settings. If the user grants accessibility to the malicious application, it will proceed to initiate communication with the C2 server and send back device data including the SDK version, phone model, manufacturer, language and country code, etc. According to researchers, Antidot establishes communication with the C2 server via WebSocket, enabling real-time bidirectional interaction for executing commands. Antidot supports a total of 35 commands, allowing operators of the malware to initiate USSD requests, collect contacts and SMSs, log keystrokes, record the device’s screen, and much more.
Security Officer Comments:
Several versions of the fake update page have been created in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English as a means to target Android around the world. As a banking trojan, Antidot’s main purpose is to gather credentials for various financial platforms, enabling actors to divert funds. Researchers note the use of overlay attacks to collect credentials, which involves presenting infected users with lookalike login pages masquerading as these targeted financial institutions.
Suggested Corrections:
To help defend against banking trojans like Antidot, Cyble has provided the following mitigations:
- Only install software from official app stores such as the Google Play Store (Android phones) or the Apple App Store (iOS phones)
- Use a reputed antivirus and internet security software package
- Use strong passwords and enforce multi-factor authentication (MFA) wherever possible
- Be careful while opening links received via SMS or emails sent to your mobile device
- Always enable Google Play Protect on Android devices
- Be wary of any permissions given to an application
- Keep devices, operating systems and applications up to date
https://www.infosecurity-magazine.com/news/android-banking-trojan-google-play/