This is Antidot, the Android Trojan that spies on the user and steals their data

New malicious software keeps appearing, and it evolves alongside the platforms it targets. A few days ago we reported on the return of Grandoreiro; now researchers at the threat intelligence company Cyble have identified a dangerous banking trojan for Android that they have named 'Antidot'. The malware not only spies on its victims but also steals their most sensitive credentials, all while posing as a harmless Google Play Store update.

Antidot is an Android Trojan built with a broad feature set and designed to get onto devices without raising suspicion. Once installed, it shows a fake Google Play update page in the language of the victim's device (Spanish, English, French, German, Portuguese, Romanian and Russian are among those supported). This first step matters because the page sends the user to the device's Accessibility settings, where the Trojan talks the user into enabling an accessibility service for the app. On Android, an accessibility service can read what is on screen and perform taps and text input on the user's behalf, which is exactly why that privilege is normally kept switched off for apps that do not need it.

Once it has these elevated permissions, Antidot starts its real work in the background. It communicates with a server controlled by the attackers, which sends it commands for a series of malicious actions. Among these are overlay attacks: fake phishing screens are drawn on top of legitimate banking or cryptocurrency apps so that the credentials the user types in go to the attackers instead.

Advanced capabilities and attack strategies

Antidot is not limited to these basic actions. It can record what is shown on the screen, log every keystroke, and remotely control the device, using VNC (Virtual Network Computing) for the latter, which gives the attackers direct, interactive access to the victim's private information. It can also lock and unlock the phone, collect contacts and SMS messages, send USSD requests, and even take control of the device's calling and camera functions.

The use of Android's MediaProjection API is especially dangerous, because it lets the Trojan capture everything displayed on the screen of the infected device. The captured content is encrypted and sent back to the command and control (C&C) server, where the attackers can use it as they see fit.

Prevention and protection against Antidot

Vigilance and caution remain the main line of defence against threats like this one. The most important rule is to install apps only from official sources such as the Google Play Store and to pay close attention to the permissions an app requests, during installation and afterwards; a supposed 'update' that asks you to turn on an accessibility service is a strong warning sign. It is also essential to keep Google Play Protect enabled and to keep the operating system up to date.

3 reasons for the success of Android Trojans

Cybercriminals rely on Trojans like Antidot for several strategic and lucrative reasons, including:

  1. Theft of financial and personal information: Trojans like Antidot are effective tools for stealing sensitive data such as banking credentials, passwords, credit card numbers and personal details. That information can be used directly to drain victims' bank accounts or make fraudulent purchases, or sold to other criminals, either way providing an illegitimate source of income.
  2. Remote control of devices: Antidot and similar Trojans give attackers full control over infected devices, including the ability to execute arbitrary commands, spy on victims through the camera and microphone, and send messages and make calls. That control can serve purposes ranging from industrial espionage to blackmail.
  3. Ease of propagation and evasion of detection: Trojans like Antidot usually ship with techniques for evading antivirus software and other security controls. Their ability to pose as legitimate software and act without alerting the user lets them spread widely before they are detected.
 