Blog image Android google play final

Key Takeaways 

  • A new Android Banking Trojan, “Antidot,” masquerading as a Google Play update application, displays fake Google Play update pages in multiple languages, indicating a wide range of targets.  
  • Antidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to compromise devices and harvest sensitive information. 
  • Antidot maintains communication with its Command and Control (C&C) server through WebSocket, enabling real-time, bidirectional interaction for executing commands. 
  • The malware executes a wide range of commands received from the C&C server, including collecting SMS messages, initiating USSD requests, and even remotely controlling device features such as the camera and screen lock. 
  • Antidot implemented VNC using MediaProjection to remotely control infected devices. 

Overview 

In April, Cyble Research and Intelligence Labs (CRIL) released a detailed analysis of a newly surfaced Android Banking Trojan named Brokewell, created by malware developer Baron Samedit and capable of taking over devices.  

Recently, we’ve discovered another new Android Banking Trojan, “Antidot,” initially spotted on May 06, 2024 (a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116). This Trojan leverages overlay attacks as its primary method for gathering credentials. 

This malware incorporates several features, including: 

  • VNC 
  • Keylogging 
  • Overlay attack 
  • Screen recording 
  • Call forwarding 
  • Collecting contacts and SMSs 
  • Performing USSD requests 
  • Locking and unlocking the device 

We’re referring to this Android Banking Trojan known as “Antidot,” identified by the presence of the string “Antidot” within its source code, utilized for logging across different classes. This malware employs a custom encryption code for string obfuscation, along with gibberish class names, making analysis more challenging. 

Figure 1 – Mentions of “Antidot” strings in malware source code 

The malware masquerades as a Google Play update application, displaying a counterfeit Google Play update page upon installation. Our observations reveal that this fake update page has been crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English. This indicates that the malware is targeting Android users in these language-speaking regions. 

Figure 2 – Fake update pages crafted in different languages

The next section presents a detailed technical analysis of the Antidot Android Banking Trojan. 

Technical Details 

As previously mentioned, after installation, the malware displays a fake update page featuring a “Continue” button that redirects the user to the Accessibility settings. Like other Android Banking Trojans, Antidot also relies on the Accessibility service to carry out its malicious activities. 

Figure 3 – Antidot prompting user to grant Accessibility permission 

Command and Control server communication 

In the background, the malware initiates communication with its Command and Control (C&C) server at “hxxp://46[.]228.205.159:5055/”. In addition to the HTTP connection, the Antidot Banking Trojan establishes WebSocket communication using the socket.io library, which enables real-time, bi-directional communication between the server and client. The malware maintains this communication through “ping” and “pong” messages. 

From the client side, the malware uses the “ping” message and sends Base64 encoded data. An example of a ping message sent by the client is shown below: 

42[“ping”,”1715751904″,”WyJyZXNTY3JlZW4iLCIxMDgwIiwiMTkyMCJdn”] 

From the server side, the malware receives “pong” messages containing plain text data. These pong messages typically include commands that the server wants to execute. An example of a pong message received from the server is: 

42[“pong”,[“sos”,”1″]] 

Once the user grants Accessibility service, the malware sends the first “ping message” to the server along with the Base64 encoded data, which contains below information:

  • Malware application name 
  • SDK version 
  • MODEL 
  • MANUFACTURER 
  • Locale (language + country code) 
  • Installed application package list 

Figure 4 – First ping message to the server 

After receiving the initial ping message, the server responds with a “pong” message that includes the bot ID generated for the infected device, as illustrated in the figure below: 

Figure 5 – Pong message with bot ID 

During communication with the C&C server “hxxp://46[.]228.205.159:5055”, the malware obtains three additional server URLs. These can serve as backup options to maintain communication if the current C&C server becomes inactive. Below are the additional C&C servers received from the server: 

  • hxxp://213.255.246[.]209:5055 
  • hxxp://193.181.23[.]70:5055 
  • hxxp://188.241.240[.]75:5055

Commands Executed by malware 

 Once the server generates the bot ID, the Antidot Banking Trojan begins sending bot statistics to the server and receiving commands. During execution, we observed several commands received by the malware, including “sos”, “setSettings,” “getApps,” and “getSMS.” 

Figure 6 – Malware sends bot stats 

Figure 7 – Commands received from the server 

The malware has implemented a total of 35 commands, which we have listed below. 

Command   Description 
speedMod  Updates application scope list 
pauseInject  Updates shared preference value with 1 to pause overlay activity 
stopAverlay  Stops overlay activity 
stopCamera  Stops camera 
setInjections  Saves injection overlay data in a hashmap 
unlockDevice  Unlock device 
startSleep  Save parameters related to the sleep feature in shared preference 
sleepNow  Put the device on sleep mode 
onFocus  Increases the brightness of the overlay window 
openApp  Opens application specified by the server 
getSms  Collects SMSs 
callForward  Makes call from infected device 
setSettings  Receives additional C&C server URLs 
offFocus  Reduces the brightness of overlay windows 
deleteApp  Uninstall application 
deleteBot  Uninstall itself 
updateShow  Displays updated content in the WebView 
getApps  Collects installed application package name list 
getKeys  Collects keystrokes 
sos  Prompts the user to uninstall the application 
actionVnc  Receives actions to perform on the infected device 
lockDevice  Locks device 
vncShow  Displays VNC into WebView 
waitBar  Displays waiting bar overlay page 
resumeInject  Resume showing overlay page 
sendPush  Push notification 
sendUssd  Makes USSD service call 
startVnc  Initiates VNC 
treeMode  Sends VNC content 
onScreen  Adds overlay window 
getContacts  Collects contact list 
stopSleep  Wake up the device screen 
stopSound  Mute device 
startCamera  Opens camera and sends captured photo to the C&C server 
sendSms  Sends SMS from an infected device 

Antidot’s VNC Feature 

The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the Command and Control (C&C) server. The malware then initiates the VNC activity when it receives the command “startVNC” from the C&C server. 

Figure 8 – Starts VNC after receiving the command 

Once the screen content is transmitted, the malware can receive the command “actionVNC,” along with the actions to perform on the current display screen of the infected device. Utilizing Accessibility service methods, the malware executes these actions as directed. Below is the list of VNC actions received from the server: 

Action  Description 
tap  Dispatch tap gesture 
swipe  Makes swipe gesture 
global-recent  Shows overview of recent apps 
global-home  Execute action go home 
global-back  Performs go back action 
global-bar  Executes this action to open the notification 
global-power  Opens power long press dialog 
scroll-up  Dispatch gesture to scroll up 
scroll-down  Dispatch gesture to scroll down 
swipe-up  Dispatch gesture to swipe up 
swipe-down  Dispatch gesture to swipe down 
swipe-left  Dispatch gesture to swipe left 
makeGesture  Dispatch gesture on x and y coordinates 
textset  Collect text from the clipboard 
unknown  Set text to the clipboard 

Overlay Attack

The overlay attack module of the Antidot malware is akin to that of other well-known banking Trojans such as Ermac, Chameleon, and Brokewell. It employs HTML phishing pages designed to resemble authentic banking or cryptocurrency applications, loading them into WebView and creating an overlay window on the genuine application to capture credentials. 

As mentioned earlier, the malware sends the installed application’s package name list to the C&C server, which will be used to find the targeted application. Once the targeted applications are found on the infected device, the server then sends the command “SetInjections” along with the package name and Base64-encoded HTML injection page URL. 

Figure 9 – Getting injections from the server 

When the malware detects that the victim is using a targeted application by verifying the package name against its injection list, it creates an overlay window over the legitimate application and loads the injection URL into the WebView.

Figure 10 – Overlay attack activity 

Keylogging 

The Antidot Android Banking Trojan has incorporated keylogging alongside its overlay attack to harvest credentials. Whenever a victim initiates typing, the malware produces a “ping message” and transmits the exfiltrated keystrokes using Base64 encoding. To dispatch the stolen key logs, along with a timestamp and application name, the malware employs the “getKeys” command. 
 
The figure below displays an example of the keylogger message sent by the malware.  

Figure 11 – Keylogger message example 

Antidot’s SOS Command 

 Once the malware gains access to the accessibility service, it transmits data concerning the device and the package names of installed applications. If the server determines that the device is not the intended target, it sends the “SOS” command to the malware. This prompts the display of a dialog box, prompting the victim to uninstall the application, and ceases any further command transmission to the bot.

Figure 12 – SOS activity

Conclusion 

The emergence of sophisticated Android Banking Trojans poses a significant threat to users’ security and privacy. Among these, the newly surfaced “Antidot” Banking Trojan stands out for its multifaceted capabilities and stealthy operations. Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions.
Analyzing its intricate workings sheds light on the evolving landscape of mobile malware and the ingenuity of cybercriminals. With its multifaceted capabilities, including overlay attacks, keylogging, and VNC features, Antidot poses a significant threat to users’ privacy and financial security. 

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • Only install software from official app stores such as the Play Store or the iOS App Store.   
  • It is recommended that connected devices, including PCs, laptops, and mobile devices, use a reputed antivirus and internet security software package.  
  • Use strong passwords and enforce multi-factor authentication wherever possible.   
  • Be careful while opening links received via SMS or emails sent to your mobile device.   
  • Google Play Protect should always be enabled on Android devices.   
  • Be wary of any permissions that you give an application.   
  • Keep devices, operating systems, and applications up to date.  

MITRE ATT&CK® Techniques

Tactic  Technique ID  Procedure 
Defense Evasion (TA0030)  Masquerading: Match Legitimate Name or Location (T1655.001 Malware pretending to be the Google Play Update application 
Defense Evasion (TA0030)  Application Discovery (T1418 Collects installed application package name list to identify target 
Defense Evasion (TA0030)  Virtualization/Sandbox Evasion (T1633 Malware implemented an anti-emulation check, which checks if the debugging is on. 
Defense Evasion (TA0030)  Indicator Removal on Host: Uninstall Malicious Application (T1630.001)   Malware can uninstall itself 
Defense Evasion (TA0030)  Input Injection (T1516 Malware can mimic user interaction, perform clicks and various gestures, and input data 
Collection (TA0035)  Input Capture: Keylogging (T1417.001 Malware can capture keystrokes 
Discovery (TA0032)  Software Discovery (T1418 Malware collects installed application package list 
Discovery (TA0032)  System Information Discovery (T1426 The malware collects basic device information. 
Collection (TA0035)  Screen Capture (T1513 Malware can record screen content 
Collection (TA0035)  Capture Camera (T1512 Malware opens camera and takes pictures 
Collection (TA0035)  Audio Capture (T1429 Malware captures Audio recordings 
Collection (TA0035 )  Call Control (T1616 Malware can make calls 
Collection (TA0035 )  Protected User Data: Call Log (T1636.002 Malware steals call logs 
Collection (TA0035)  Protected User Data: SMS Messages 
(T1636.004
Steals SMSs from the infected device 
Exfiltration (TA0036)  Exfiltration Over C2 Channel (T1646 Sending exfiltrated data over C&C server 

Indicators of Compromise (IOCs)

Indicators  Indicator Type  Description 
a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116 
c48240ce763e07b690e4fe79d6dfe69eeeebf8bd 
ac79187fd3024fb9cb5d1a872461503c 
SHA256 
SHA1 
MD5 
Antidot Android Banking Trojan 
hxxps://wgona[.]click/  URL  C&C server 
7a0664c3a9914531c84d875669f6249b433d09155b1c06ad3654c210a1798ee0 
13479bb7364b710b2bb4a55ded4877d8232c0d90 
0b6f0790c32a16e413c89bf65018ec6d 
SHA256 
SHA1 
MD5 
Antidot Android Banking Trojan 
hxxp://46.228.205[.]159:5055/  URL  C&C server 
9f8a49432e76b9c69d33ea228cc44254bc0a58bfa15eb0c51a302c59db81caa3 
1c1d2fc881ea0565a372f71baf26454756bd3243 588d01860865256c378715ad728757cf 
SHA256 
SHA1 
MD5 
Antidot Android Banking Trojan 
654cfe773e92261a7e2c74f4b16bd36be9286a95840b49139cf18c8d4333345b 
bb2a1b5909f31f1c4d694899d502b1d9f95c66c2 b877636c060e5fb47f467e557acdc9ac 
SHA256 
SHA1 
MD5 
Dropper file hash 
hxxp://213.255.246[.]209:5055 hxxp://193.181.23[.]70:5055 hxxp://188.241.240[.]75:5055  Domain  C&C server 

 

 

The post New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates  appeared first on Cyble.