New Android Trojan Disguised as Google Play Update to Steal Data

Penka Hristovska
Updated on: May 21, 2024

A new Android banking trojan that’s capable of stealing user credentials and eavesdropping on conversations is impersonating a Google Play update.

The trojan, named Antidot by Cyble, the threat intelligence company that first detected it, supports a long list of functions for accessing sensitive information.

“The newly surfaced Antidot banking trojan stands out for its multifaceted capabilities and stealthy operations. Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrates a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions,” Cyble explains.

Once Antidot infects a device, it displays a fake Google Play update page, which is tailored to match the device’s language settings, including English, French, German, Portuguese, Romanian, Russian, and Spanish. This fake page directs victims to the Accessibility settings, deceiving them into granting the malware elevated permissions.

While running in the background, the Antidot trojan establishes communication with a server controlled by attackers. It receives commands that enable it to employ overlay attacks, unlock the device, put the device in sleep mode, manage applications (opening and uninstalling), make phone calls, send SMS messages, gather information, send push notifications, and even use the device’s camera to take photos.

To execute overlay attacks, it sends a list of app package names to its command and control (C&C) server. The server then responds with customized overlays designed for those specific applications. When a user tries to open any of the targeted applications, Antidot generates an overlay window that captures the user’s credentials.
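The two capabilities the preceding paragraphs describe, an Accessibility service granted through the fake update page and the ability to draw overlay windows over other apps, are both visible from the device side. The script below is an added audit example (not code from the article or from Cyble) that parses the output of two real `adb shell` commands, `settings get secure enabled_accessibility_services` and `appops get <pkg> SYSTEM_ALERT_WINDOW`, and flags any non-allowlisted package holding both. The allowlist, the package name `com.example.updater` and the sample command output are constructed for offline use and are not indicators from the report.

```python
"""Added audit example (not from the article or Cyble): flag packages that hold
the two capabilities an overlay banking trojan relies on, an enabled
Accessibility service plus the draw-over-other-apps app-op
(SYSTEM_ALERT_WINDOW). Input is the raw text of two real adb commands; the
sample outputs below are constructed so the script runs offline."""
from dataclasses import dataclass

# Hypothetical allowlist of accessibility services an operator has vetted.
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_accessibility_services(raw: str) -> dict[str, list[str]]:
    """Parse the value of `adb shell settings get secure enabled_accessibility_services`.

    Android stores it as colon-separated ComponentName strings ("package/class");
    a class starting with '.' is shorthand relative to the package name.
    """
    services: dict[str, list[str]] = {}
    raw = raw.strip()
    if raw in ("", "null"):  # `settings get` prints "null" when the key is unset
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def holds_sysalert_window(appops_raw: str) -> bool:
    """Parse `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` output.

    A line like "SYSTEM_ALERT_WINDOW: allow; time=+2h10m ago" means the package
    may draw over other apps; "default", "deny" or "ignore" mean it may not.
    """
    for line in appops_raw.splitlines():
        line = line.strip()
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            mode = line.split(":", 1)[1].split(";", 1)[0].strip()
            return mode == "allow"
    return False


@dataclass
class Finding:
    package: str
    services: list[str]
    draws_over_apps: bool

    @property
    def severity(self) -> str:
        # Accessibility alone lets malware click through dialogs and read the
        # screen; combined with overlay drawing it can also phish credentials.
        return "high" if self.draws_over_apps else "medium"


def audit(accessibility_raw: str, appops_by_pkg: dict[str, str]) -> list[Finding]:
    """Return a Finding for every non-allowlisted package with an enabled
    accessibility service, noting whether it also holds SYSTEM_ALERT_WINDOW."""
    findings = []
    for pkg, classes in parse_enabled_accessibility_services(accessibility_raw).items():
        if pkg in ALLOWLIST:
            continue
        overlay = holds_sysalert_window(appops_by_pkg.get(pkg, ""))
        findings.append(Finding(pkg, classes, overlay))
    # "high" sorts before "medium", so the riskiest packages come first.
    return sorted(findings, key=lambda f: f.severity)


# Constructed sample output; "com.example.updater" stands in for a sideloaded
# app posing as a Play update and is not a real indicator from the article.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.updater/.AccessService"
)
SAMPLE_APPOPS = {
    "com.google.android.marvin.talkback": "SYSTEM_ALERT_WINDOW: default\n",
    "com.example.updater": "SYSTEM_ALERT_WINDOW: allow; time=+2h10m ago\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCESSIBILITY, SAMPLE_APPOPS):
        print(f"[{f.severity}] {f.package}: services={f.services} "
              f"draws_over_apps={f.draws_over_apps}")
```

On a real device you would feed the script the output of the two commands for each installed package; a newly sideloaded package appearing in both lists, especially one that arrived alongside a "Play update" prompt, is the combination worth investigating first.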

“The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the command-and-control (C&C) server,” Cyble says.

It can execute USSD requests as well, which could allow it to interact directly with a mobile service provider’s services, such as checking the device’s balance, recharging an account, or even transferring funds without the user’s consent.
