Key Takeaways 

• A new Android Banking Trojan, “Antidot,” masquerading as a Google Play update application, displays fake Google Play update pages in multiple languages, indicating a wide range of targets.  
• Antidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to compromise devices and harvest sensitive information. 
• Antidot maintains communication with its Command and Control (C&C) server through WebSocket, enabling real-time, bidirectional interaction for executing commands. 
• The malware executes a wide range of commands received from the C&C server, including collecting SMS messages, initiating USSD requests, and even remotely controlling device features such as the camera and screen lock. 
• Antidot implemented VNC using MediaProjection to remotely control infected devices. 

Overview 

In April, Cyble Research and Intelligence Labs (CRIL) released a detailed analysis of a newly surfaced Android Banking Trojan named Brokewell, created by malware developer Baron Samedit and capable of taking over devices.  

Recently, we’ve discovered another new Android Banking Trojan, “Antidot,” initially spotted on May 06, 2024 (a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116). This Trojan leverages overlay attacks as its primary method for gathering credentials. 

This malware incorporates several features, including: 

• VNC 
• Keylogging 
• Overlay attack 
• Screen recording 
• Call forwarding 
• Collecting contacts and SMSs 
• Performing USSD requests 
• Locking and unlocking the device 

We’re referring to this Android Banking Trojan known as “Antidot,” identified by the presence of the string “Antidot” within its source code, utilized for logging across different classes. This malware employs a custom encryption code for string obfuscation, along with gibberish class names, making analysis more challenging. 

Figure 1 – Mentions of “Antidot” strings in malware source code 

The malware masquerades as a Google Play update application, displaying a counterfeit Google Play update page upon installation. Our observations reveal that this fake update page has been crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English. This indicates that the malware is targeting Android users in these language-speaking regions. 

Figure 2 – Fake update pages crafted in different languages

The next section presents a detailed technical analysis of the Antidot Android Banking Trojan. 

Technical Details 

As previously mentioned, after installation, the malware displays a fake update page featuring a “Continue” button that redirects the user to the Accessibility settings. Like other Android Banking Trojans, Antidot also relies on the Accessibility service to carry out its malicious activities. 

Figure 3 – Antidot prompting user to grant Accessibility permission 

Command and Control server communication 

In the background, the malware initiates communication with its Command and Control (C&C) server at “hxxp://46[.]228.205.159:5055/”. In addition to the HTTP connection, the Antidot Banking Trojan establishes WebSocket communication using the socket.io library, which enables real-time, bi-directional communication between the server and client. The malware maintains this communication through “ping” and “pong” messages. 

From the client side, the malware uses the “ping” message and sends Base64 encoded data. An example of a ping message sent by the client is shown below: 

42[“ping”,”1715751904″,”WyJyZXNTY3JlZW4iLCIxMDgwIiwiMTkyMCJd\n”] 

From the server side, the malware receives “pong” messages containing plain text data. These pong messages typically include commands that the server wants to execute. An example of a pong message received from the server is: 

42[“pong”,[“sos”,”1″]] 

Once the user grants Accessibility service, the malware sends the first “ping message” to the server along with the Base64 encoded data, which contains below information:

• Malware application name 
• SDK version 
• MODEL 
• MANUFACTURER 
• Locale (language + country code) 
• Installed application package list 

Figure 4 – First ping message to the server 

After receiving the initial ping message, the server responds with a “pong” message that includes the bot ID generated for the infected device, as illustrated in the figure below: 

Figure 5 – Pong message with bot ID 

During communication with the C&C server “hxxp://46[.]228.205.159:5055”, the malware obtains three additional server URLs. These can serve as backup options to maintain communication if the current C&C server becomes inactive. Below are the additional C&C servers received from the server: 

• hxxp://213.255.246[.]209:5055 
• hxxp://193.181.23[.]70:5055 
• hxxp://188.241.240[.]75:5055

Commands Executed by malware 

 Once the server generates the bot ID, the Antidot Banking Trojan begins sending bot statistics to the server and receiving commands. During execution, we observed several commands received by the malware, including “sos”, “setSettings,” “getApps,” and “getSMS.” 

Figure 6 – Malware sends bot stats 

Figure 7 – Commands received from the server 

The malware has implemented a total of 35 commands, which we have listed below. 

Antidot’s VNC Feature 

The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the Command and Control (C&C) server. The malware then initiates the VNC activity when it receives the command “startVNC” from the C&C server. 

Figure 8 – Starts VNC after receiving the command 

Once the screen content is transmitted, the malware can receive the command “actionVNC,” along with the actions to perform on the current display screen of the infected device. Utilizing Accessibility service methods, the malware executes these actions as directed. Below is the list of VNC actions received from the server: 

Overlay Attack

The overlay attack module of the Antidot malware is akin to that of other well-known banking Trojans such as Ermac, Chameleon, and Brokewell. It employs HTML phishing pages designed to resemble authentic banking or cryptocurrency applications, loading them into WebView and creating an overlay window on the genuine application to capture credentials. 

As mentioned earlier, the malware sends the installed application’s package name list to the C&C server, which will be used to find the targeted application. Once the targeted applications are found on the infected device, the server then sends the command “SetInjections” along with the package name and Base64-encoded HTML injection page URL. 

Figure 9 – Getting injections from the server 

When the malware detects that the victim is using a targeted application by verifying the package name against its injection list, it creates an overlay window over the legitimate application and loads the injection URL into the WebView.

Figure 10 – Overlay attack activity 

Keylogging 

The Antidot Android Banking Trojan has incorporated keylogging alongside its overlay attack to harvest credentials. Whenever a victim initiates typing, the malware produces a “ping message” and transmits the exfiltrated keystrokes using Base64 encoding. To dispatch the stolen key logs, along with a timestamp and application name, the malware employs the “getKeys” command. 
 
The figure below displays an example of the keylogger message sent by the malware.  

Figure 11 – Keylogger message example 

Antidot’s SOS Command 

 Once the malware gains access to the accessibility service, it transmits data concerning the device and the package names of installed applications. If the server determines that the device is not the intended target, it sends the “SOS” command to the malware. This prompts the display of a dialog box, prompting the victim to uninstall the application, and ceases any further command transmission to the bot.

Figure 12 – SOS activity

Conclusion 

The emergence of sophisticated Android Banking Trojans poses a significant threat to users’ security and privacy. Among these, the newly surfaced “Antidot” Banking Trojan stands out for its multifaceted capabilities and stealthy operations. Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions.
Analyzing its intricate workings sheds light on the evolving landscape of mobile malware and the ingenuity of cybercriminals. With its multifaceted capabilities, including overlay attacks, keylogging, and VNC features, Antidot poses a significant threat to users’ privacy and financial security. 

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

• Only install software from official app stores such as the Play Store or the iOS App Store.   
• It is recommended that connected devices, including PCs, laptops, and mobile devices, use a reputed antivirus and internet security software package.  
• Use strong passwords and enforce multi-factor authentication wherever possible.   
• Be careful while opening links received via SMS or emails sent to your mobile device.   
• Google Play Protect should always be enabled on Android devices.   
• Be wary of any permissions that you give an application.   
• Keep devices, operating systems, and applications up to date.  

MITRE ATT&CK® Techniques

Indicators of Compromise (IOCs)

Related