A new threat has emerged for Android users: the Antidot Android Banking Trojan. This sophisticated malware, disguised as a Google Play update, is designed to infiltrate devices, steal sensitive information, and execute malicious commands.  

Background on the Antidot Trojan 

Discovered by Cyble Research and Intelligence Labs (CRIL), the Antidot Trojan represents a new wave of mobile malware targeting Android users globally. This banking Trojan masquerades as a Google Play update app, luring unsuspecting users into granting it permissions that enable its malicious activities. 

How the Antidot Trojan Operates 

Infection Method 

The Antidot Trojan begins its attack by presenting a counterfeit Google Play update page upon installation. This fake update page is meticulously crafted in multiple languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English, indicating a broad targeting scope. 

Antidot’s fake update pages crafted in different languages. Source: Cyble 

Malicious Activities 

Once the user grants the necessary permissions, the Trojan sends an initial “ping message” to its command and control (C2) server, transmitting critical information such as: 

  • Malware application name 
  • Software Development Kit (SDK) version 
  • Phone model and manufacturer 
  • Language and country code 
  • Installed application package list 

The Trojan then establishes bi-directional communication with the C2 server via HTTP and WebSocket, enabling real-time interaction between the malware and its operators. This communication channel is used to execute a variety of commands and collect sensitive data. 

Key Features and Tactics 

Antidot incorporates several advanced features to maximise its effectiveness and evade detection: 

  • Overlay Attacks: The Trojan overlays phishing pages onto legitimate applications, capturing sensitive credentials without the user’s knowledge. 
  • Keylogging: It records keystrokes to harvest additional data. 
  • Virtual Network Computing (VNC): This allows remote control of infected devices, enabling attackers to manipulate device functions and capture screen content. 
  • Data Exfiltration: The malware can exfiltrate SMS messages, contacts, and other sensitive information. 
  • Device Control: It can remotely control device features, including the camera and screen lock, perform USSD requests, and lock/unlock the device. 
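As an added defender-side example (not from the article or from Cyble’s report), the Python triage helper below scans an app inventory for the pattern described above: an app branded as a Google Play update that is not the real Play Store package and that holds the overlay/accessibility permissions behind the overlay, keylogging and VNC capabilities. The permission-to-capability mapping and the sample inventory are my assumptions, constructed for the example; in practice the inventory would come from an MDM export or `adb shell dumpsys package`.

```python
OFFICIAL_PLAY_STORE = "com.android.vending"  # package name of the real Google Play Store

# Assumed mapping from the capabilities the article lists to Android permissions.
# Overlay + accessibility is the pair that makes overlay attacks and keylogging work.
CAPABILITY_PERMISSIONS = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keylogging_or_vnc": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_exfil": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts_exfil": {"android.permission.READ_CONTACTS"},
    "camera": {"android.permission.CAMERA"},
    "ussd_calls": {"android.permission.CALL_PHONE"},
}
PLAY_UPDATE_WORDS = ("google play", "play update", "play store")


def impersonates_play_update(package: str, label: str) -> bool:
    """A 'Google Play' branded app that is not the real store is suspicious."""
    return package != OFFICIAL_PLAY_STORE and any(w in label.lower() for w in PLAY_UPDATE_WORDS)


def matched_capabilities(permissions):
    perms = set(permissions)
    return sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed)


def triage(inventory):
    """Return [(package, reasons)] for apps worth a closer look, most suspicious first.
    Legitimate overlay apps will show up too; this is a triage list, not a verdict."""
    findings = []
    for app in inventory:
        reasons = []
        if impersonates_play_update(app["package"], app["label"]):
            reasons.append("impersonates Google Play update")
        caps = matched_capabilities(app["permissions"])
        if "overlay" in caps or "keylogging_or_vnc" in caps:
            reasons.append("capabilities: " + ", ".join(caps))
        if reasons:
            findings.append((app["package"], reasons))
    return sorted(findings, key=lambda f: -len(f[1]))


# Constructed sample inventory (hypothetical package names, not indicators from the report).
SAMPLE_INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play Store",
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.playupdate", "label": "Google Play Update",
     "permissions": ["android.permission.SYSTEM_ALERT_WINDOW",
                     "android.permission.BIND_ACCESSIBILITY_SERVICE",
                     "android.permission.READ_SMS", "android.permission.CALL_PHONE"]},
    {"package": "com.example.notes", "label": "Notes",
     "permissions": ["android.permission.READ_CONTACTS"]},
]

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```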

Prevention and Mitigation 

To protect against the Antidot Trojan and similar threats, follow these best practices: 

  • Install Software from Official Sources: Only download applications from trusted sources such as the Google Play Store or the Apple App Store. 
  • Use Reputable Security Software: Ensure all devices are protected with up-to-date antivirus and internet security software. 
  • Enable Google Play Protect: This feature helps detect and remove harmful apps from your device. 
  • Be Cautious with Permissions: Be wary of any permissions requested by applications, especially those that seem unnecessary for the app’s functionality. 
  • Exercise Caution with Links: Avoid clicking on links received via SMS or email unless you are certain of their source. 
  • Keep Software Updated: Regularly update your device’s operating system and applications to patch vulnerabilities. 

What to Do if You Are a Victim 

If you suspect that your device has been infected with the Antidot Trojan: 

  1. Disconnect from the Internet: This can help prevent further data exfiltration. 
  2. Run a Security Scan: Use a reputable antivirus application to scan your device and remove any detected malware. 
  3. Change Passwords: Immediately change passwords for any accounts accessed from the infected device. 
  4. Enable Multi-Factor Authentication (MFA): Add an extra layer of security to your accounts. 
  5. Monitor Financial Accounts: Keep a close eye on your bank statements and report any suspicious activity to your bank. 
  6. Seek Professional Help: If you are unable to remove the malware, consider consulting a cyber security professional who specialises in Android device analysis. 

For more detailed information and updates on cyber security threats, refer to additional sources: