A new banking Trojan targeting Android devices has been detected by Cyble Research and Intelligence Labs (CRIL), the research branch of threat intelligence provider Cyble.

In a report published on May 16, CRIL described sophisticated malware incorporating a range of malicious features, including overlay attacks, keylogging and obfuscation capabilities.

The researchers called the Trojan “Antidot” after a string within its source code.

Cyble observed that the malware’s fake update page has been crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian and English, which suggests that the malware is targeting Android users in different regions.

On the fake update page, a “Continue” button redirects the user to the Android device’s Accessibility settings.

Once the user grants the Accessibility service permission, the malware sends its first “ping message” to the server along with Base64-encoded data containing the following:

Malware application name

Software Development Kit (SDK) version

Phone model

Phone manufacturer

Language and country code

Installed application package list

Decoding Antidot’s Features

In the background, the malware initiates communication with its command and control (C2) server at “hxxp://46[.]228.205.159:5055/”.

In addition to the HTTP connection, the Trojan establishes WebSocket communication using the socket.io library, which enables real-time, bi-directional communication between the server and client.

The malware maintains this communication between the server and its client through “ping” and “pong” messages.

Once the server generates the bot ID, the Antidot Banking Trojan sends bot statistics to the server and receives commands. The malware has implemented a total of 35 commands, including collecting SMS messages, initiating USSD requests, and even remotely controlling device features such as the camera and screen lock.
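For defenders, the behaviour described above (a Base64-encoded device-profile check-in, plus a socket.io channel to a bare IP on a non-standard port) can be turned into a proxy-log detection. The following is an added example, not code from Cyble or the article; the log format, the sample traffic and the JSON key names of the check-in body are constructed assumptions, while the C2 address comes from the report.

```python
import base64
import json
import re

# C2 endpoint from the report (written defanged there as hxxp://46[.]228.205.159:5055/).
ANTIDOT_C2 = ("46.228.205.159", 5055)
# engine.io/socket.io handshake path: the transport Antidot uses for its WebSocket channel.
SOCKETIO_RE = re.compile(r"^/socket\.io/\?.*EIO=\d+.*transport=(?:polling|websocket)")
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Fields the report says the first "ping" carries; these JSON key names are an assumption.
PROFILE_KEYS = {"app_name", "sdk", "model", "manufacturer", "locale", "packages"}

def analyze_request(host, port, path, body=None):
    """Return detection names for one proxied HTTP request (empty list if nothing matched)."""
    findings = []
    if (host, port) == ANTIDOT_C2:
        findings.append("known-antidot-c2")
    # A socket.io handshake to a bare IP on a non-standard port is rare for legitimate apps.
    if SOCKETIO_RE.match(path) and RAW_IP_RE.match(host) and port not in (80, 443):
        findings.append("socketio-to-raw-ip-nonstd-port")
    if body:
        try:
            decoded = json.loads(base64.b64decode(body, validate=True))
        except (ValueError, UnicodeDecodeError):
            decoded = None
        # A Base64 JSON body carrying most of the device-profile fields looks like the check-in.
        if isinstance(decoded, dict) and len(PROFILE_KEYS & decoded.keys()) >= 4:
            findings.append("base64-device-profile-checkin")
    return findings

def scan_log(lines):
    """Constructed log format: '<host> <port> <method> <path> [<base64 body>]'."""
    hits = []
    for line in lines:
        host, port, _method, path, *rest = line.split()
        findings = analyze_request(host, int(port), path, rest[0] if rest else None)
        if findings:
            hits.append((host, findings))
    return hits

# Constructed sample traffic; the check-in body is fabricated in the assumed JSON layout.
CHECKIN = base64.b64encode(json.dumps({"app_name": "com.example.update", "sdk": 33, "model": "Pixel 6",
    "manufacturer": "Google", "locale": "de_DE", "packages": ["com.android.chrome"]}).encode()).decode()
SAMPLE_LOG = [
    "46.228.205.159 5055 GET /socket.io/?EIO=4&transport=polling",
    "46.228.205.159 5055 POST /ping " + CHECKIN,
    "203.0.113.10 8080 GET /socket.io/?EIO=4&transport=websocket",
    "example.com 443 GET /index.html",
]
```

Running `scan_log(SAMPLE_LOG)` flags the two C2 requests and the generic socket.io handshake to a raw IP, and leaves the ordinary HTTPS request alone.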

The malware incorporates several features that allow it to deploy a range of malicious activities, including:

Virtual Network Computing (VNC)

Keylogging

Overlay attack

Screen recording

Call forwarding

Collecting contacts and SMSs

Performing USSD requests

Locking and unlocking the device

“Antidot’s utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrates a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions,” Cyble researchers wrote.

Cyble Mitigation Recommendations for Android Banking Trojans

Some of the recommendations to mitigate this threat include: