
Cybersecurity researchers have shed light on the inner workings of an Android malware called Antidot, which has compromised over 3,775 devices as part of 273 unique campaigns.
In a report shared with The Hacker News, Prodaft said, "Operated by the financially motivated threat actor Larva-398, Antidot is actively sold as Malware-as-a-Service (MaaS) on underground forums and is linked to a wide range of mobile operations."
Antidot is advertised as a "three-in-one" solution with capabilities to record the device screen by abusing Android's accessibility services, intercept SMS messages, and extract sensitive data from third-party applications.
The Android botnet is suspected to be distributed through malicious advertising networks or through highly targeted phishing operations, based on activity that indicates the selective targeting of victims by language and geographic location.
Antidot was first publicly documented in May 2024, when it was observed being distributed as Google Play updates to achieve its information-theft goals.
Like other Android trojans, it facilitates overlay attacks, logs keystrokes, and remotely controls infected devices using Android's MediaProjection API. It also establishes WebSocket communication to enable real-time, two-way communication between the infected device and an external server.
In December 2024, Zimperium described a mobile phishing campaign that distributed an updated version of Antidot, dubbed AppLite Banker, using a job offer-themed lure.
The latest findings from the Swiss cybersecurity company show that the operation has at least 11 active command-and-control (C2) servers that are overseeing no fewer than 3,775 infected devices across 273 different campaigns.
A Java-based malware at its core, Antidot is heavily obfuscated using a commercial packer to hinder detection and analysis. The malware, per Prodaft, is delivered as part of a three-stage process that begins with the APK file.
The company said, "An inspection of the AndroidManifest file shows that many classes do not appear in the original APK. These missing components are dynamically loaded by the packer during installation, and include malicious code extracted from an encrypted file. The entire mechanism is deliberately designed to evade detection by antivirus tools."
Once launched, it displays a fake update bar and prompts the victim to grant accessibility permissions, after which it unpacks and loads a DEX file incorporating the bot functions.
One of the main features of Antidot is the ability to monitor app launches and serve a fake login screen from the C2 server when the victim opens a cryptocurrency- or payment-related app.
The malware also abuses accessibility services to collect comprehensive information about the content of the active screen, and sets itself as the default SMS app to capture incoming and outgoing texts. In addition, it can monitor phone calls, block calls from specific numbers, or redirect them, effectively opening more avenues for fraud.
Another important feature is its ability to keep track of notifications displayed in the device's status bar in real time and to either dismiss or snooze them, suppressing alerts that could tip off the user to suspicious activity.
Prodaft said the C2 panel that powers the control functions is built using MeteorJS, an open-source JavaScript framework that enables real-time communication. The panel has six separate tabs:
- Bots, which displays a list of all compromised devices and their details
- Injections, which displays a list of all apps targeted for overlay injection and lets the operator view the overlay template for each injection
- Analysis, which displays a list of applications installed on infected devices and is likely used to identify new and popular apps for future targeting
- Settings, which includes core configuration options for the panel and updating the injections
- Gates, used to manage infrastructure endpoints
- Help, which provides support resources for using the malware
The company said, "Antidot represents a scalable and evolving MaaS platform designed for financial gain through persistent control of mobile devices, especially in region- and language-specific areas. The malware also employs WebView injections and overlay attacks to steal credentials, making it a serious threat to user privacy and device security."
Godfather Returns
The development comes as Zimperium zLabs said it identified a "sophisticated evolution" of the Godfather Android banking trojan, which uses on-device virtualization to hijack legitimate mobile banking and cryptocurrency applications and carry out real-time fraud.
"This novel technique enables the malware to create a complete, isolated virtual environment on the victim's device. Instead of simply mimicking a login screen, the malware installs a malicious 'host' application that contains a virtualization framework," researchers Fernando Ortega and Vishnu Pratapagiri said.
"This host then downloads and runs a copy of the real targeted banking or cryptocurrency app within its controlled sandbox."
Should the victim launch the app, they are redirected to a virtual instance, where their activities are monitored by the threat actors. In addition, the latest version of Godfather packs in features to bypass static analysis tools by using ZIP manipulation and padding the AndroidManifest file with irrelevant permissions.
Like Antidot, Godfather depends on accessibility services to carry out its information-gathering activities and control the compromised device. While Google has implemented security protections starting with Android 13 that prevent sideloaded apps from enabling accessibility services, a session-based installation approach can get around this safeguard.
The session-based method is used by Android app stores to handle app installation, as well as by messaging apps, mail clients and browsers when presented with APK files.
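A triage check in this spirit, added here as an example (it is not from the Zimperium or Prodaft reports), assuming adb access to a device: it cross-references the enabled accessibility services with each package's recorded installer and flags those that did not come from Google Play. The package names and command outputs are constructed.

```shell
#!/bin/sh
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (entries are package/service pairs separated by ':'; "null" means none enabled).
SAMPLE_ENABLED='com.example.reader/.ReaderService:com.loanupdate.app/com.loanupdate.app.AccService'
# Constructed sample of `adb shell pm list packages -i` (hypothetical package names).
SAMPLE_INSTALLERS='package:com.example.reader  installer=com.android.vending
package:com.loanupdate.app  installer=null
package:com.android.chrome  installer=com.android.vending'

# Print "<package> installer=<installer>" for every package that has an enabled
# accessibility service and was NOT installed by Google Play (com.android.vending).
# $1: enabled_accessibility_services string, $2: output of `pm list packages -i`.
flag_suspicious_a11y() {
    enabled="$1"; installers="$2"
    printf '%s\n' "$enabled" | tr ':' '\n' |
        awk -F/ 'NF && $1 != "null" { print $1 }' | sort -u |
    while IFS= read -r pkg; do
        # Look up the recorded installer; an absent record is reported as "unknown".
        inst=$(printf '%s\n' "$installers" |
               awk -v p="package:$pkg" '$1 == p { sub(/^installer=/, "", $2); print $2 }')
        [ -z "$inst" ] && inst="unknown"
        if [ "$inst" != "com.android.vending" ]; then
            printf '%s installer=%s\n' "$pkg" "$inst"
        fi
    done
}

# Run against the constructed samples; on a connected device pass the live output:
#   flag_suspicious_a11y "$(adb shell settings get secure enabled_accessibility_services)" \
#                        "$(adb shell pm list packages -i)"
flag_suspicious_a11y "$SAMPLE_ENABLED" "$SAMPLE_INSTALLERS"
```

Because the session-based trick described above records a legitimate messaging app or browser as the installer, treat any non-Play installer on an accessibility-enabled package as worth a closer look rather than trusting the installer name.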
Central to the malware's functioning is its virtualization. In the first phase, it collects the list of installed apps and checks whether it includes any of the predetermined apps configured as targets.
If matches are found, it extracts relevant information from those apps and then proceeds to install a copy of them in a virtual environment inside the dropper app. Thus, when the victim attempts to launch the actual banking application on their device, Godfather intercepts the action and opens the virtualized instance instead.
It is worth pointing out that similar virtualization features were previously flagged in another Android malware, FjordPhantom, which was documented by Promon in December 2023. This method represents a paradigm shift in mobile threat capabilities, going beyond the traditional overlay strategies that steal credentials and other sensitive data.
"While this Godfather campaign lays a broad trap, targeting around 500 applications globally, our analysis suggests that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions," the company said.
"A particularly dangerous capability is the ability to steal the device lock credentials, whether the victim uses an unlock pattern, a PIN, or a password. This represents a significant threat to user privacy and device security."
The mobile security company said that the misuse of accessibility services is one of many ways malicious Android apps can escalate their privileges, allowing them to obtain more than their functionality requires. These include the abuse of original equipment manufacturer (OEM) permissions and the exploitation of security weaknesses in pre-installed apps, which cannot be removed by users.
"Securing the Android ecosystem against malicious or over-privileged applications requires more than user awareness or reactive patching. It demands proactive, scalable and intelligent defense mechanisms," said security researcher Ziv Zeira.
SuperCard X Malware Comes to Russia
The findings also follow previously recorded efforts to target Russian users with SuperCard X, a newly identified Android malware that can conduct near-field communication (NFC) relay attacks for fraudulent transactions.
According to the Russian cybersecurity company F6, SuperCard X is a malicious modification of a legitimate tool called NFCGate that can capture or modify NFC traffic. The ultimate goal of the malware is not only to obtain NFC traffic from the victim, but also to extract bank card data by sending commands to its EMV chip.
F6 researcher Alexander Koposov said in a report published this week, "This application allows attackers to steal bank card data by intercepting NFC traffic in order to steal money from users' bank accounts."
The attacks that took advantage of SuperCard X were first seen targeting Android users in Italy earlier this year, in which NFC technology was weaponized to relay data from the victims' physical cards to attacker-controlled devices, from where it was used to make fraudulent ATM withdrawals or point-of-sale (POS) transactions.
The Chinese-speaking MaaS platform, advertised on Telegram and able to target customers of major banks in the U.S., Australia and Europe, shares significant code-level overlaps with NGate, an Android malware that was found to be weaponized for malicious purposes in the Czech Republic.
All these campaigns are united by the fact that they rely on smishing techniques to convince a potential victim of the need to install an APK file on the device under the guise of a useful program.
Malicious Apps Spotted on App Stores
While all the above malware strains require victims to sideload the apps onto their devices, new research has uncovered malicious apps on the official Google Play Store and Apple App Store with the ability to steal personal information and cryptocurrency mnemonic phrases.
One of the apps in question, RapiPlata, is estimated to have been downloaded about 150,000 times across Android and iOS devices, which underscores the severity of the threat. The app is a type of malware known as SpyLoan, which entices users by claiming to offer loans at low interest rates, only to engage in coercive debt collection, blackmail and data theft.
"RapiPlata mainly targets Colombian users by promising quick loans," Check Point said. "Beyond its predatory loan practices, the app is engaged in comprehensive data theft. The app had widespread access to sensitive user data – including SMS messages, call logs, calendar events, and installed applications – and even uploaded this data to its server."
The cryptocurrency wallet phishing apps, on the other hand, have been distributed through compromised developer accounts and serve a phishing page via WebView to harvest seed phrases.
Although these apps have been removed from the respective app stores, the risk is that the Android apps may still be available for download from third-party app marketplaces. Users are advised to exercise caution when downloading financial or loan-related applications.