New Mobile Phishing Scheme Targets Android Users with Enhanced Antidot Trojan

Sophisticated Mishing Campaign Unveiled

Cybersecurity experts have discovered a new mobile phishing (mishing) attack aimed at distributing an advanced version of the Antidot banking malware. This marks the first time such a campaign has been identified by researchers in the field.


How the Attack Works

Vishnu Pratapagiri, a researcher from Zimperium zLabs, explained in a recent study, “The attackers pose as recruiters, enticing victims with fake job offers.” The phishing strategy involves tricking individuals into downloading a malicious app during the fake hiring process. This app acts as a dropper, leading to the installation of the latest Antidot Banker variant on the victim’s Android device.

Details of the AppLite Banker Malware

The upgraded malware, named AppLite Banker by mobile security firms, can remotely control infected phones and steal the PIN, pattern, or password used to unlock them. Similar features were observed in the TrickMo malware.

Social Engineering Tactics

The campaign uses various social engineering methods, often promising a “$25 hourly rate” and good career growth to attract victims. According to a Reddit post uncovered by The Hacker News in September 2024, many users received emails from a fake company called Teximus Technologies, offering remote customer care jobs.

Infection Process

Victims interacting with these fake recruiters are directed to download a harmful Android app from a phishing website. This app serves as the initial stage, enabling the main malware to infect the device.

Zimperium identified a network of fake domains distributing malware-laden APK files disguised as employee CRM applications. To evade security checks, the dropper apps tamper with the ZIP structure of the APK and prompt users to create an account. They then display a message urging users to update the app to “protect their phone” and instruct them to enable installation from third-party sources.

“When users click the ‘Update’ button, a fake Google Play Store icon appears, leading to the malware installation,” Pratapagiri added.

Capabilities of the Malicious Software

Like its predecessor, the new malware requests Accessibility Services permissions and abuses them to overlay the device screen and perform harmful actions. These include:

  • Granting unauthorized rights for additional malicious activities
  • Launching “Keyboard & Input” settings
  • Interacting with the lock screen based on the device’s security settings
  • Waking up the device and dimming the screen
  • Displaying overlays to steal Google account details
  • Preventing the malware from being uninstalled

The latest Antidot version also supports new commands, allowing it to:

  • Hide specific SMS messages
  • Block calls from selected numbers via a remote server
  • Open “Manage Default Apps” settings
  • Provide fake login pages for 172 different financial institutions, cryptocurrency wallets, and social media platforms like Facebook and Telegram

Additional features include keylogging, call forwarding, SMS theft, and remote access through Virtual Network Computing (VNC).
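The dropper behaviour and the capability list above translate into a recognizable permission profile: a request to install packages, an overlay permission, SMS and call permissions, and a declared Accessibility Service. The following triage script is an added example (not Zimperium's tooling or code from the article) that scores a decoded AndroidManifest.xml against that profile; the permission weights, the threshold and the sample manifest are assumptions constructed for illustration.

```python
"""Triage heuristic for decoded Android manifests (as produced by apktool),
keyed to the capability set described above. Added example; weights assumed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (assumed weight, capability it enables in this campaign)
RISK_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": (3, "side-loads a second APK (dropper)"),
    "android.permission.SYSTEM_ALERT_WINDOW": (3, "screen overlays / fake login pages"),
    "android.permission.READ_SMS": (2, "SMS theft"),
    "android.permission.RECEIVE_SMS": (2, "SMS interception / hiding"),
    "android.permission.CALL_PHONE": (1, "call forwarding"),
    "android.permission.ANSWER_PHONE_CALLS": (1, "call blocking"),
}
ACCESSIBILITY_SERVICE = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SUSPICIOUS_THRESHOLD = 6  # assumed cut-off for this heuristic


def triage_manifest(manifest_xml: str) -> dict:
    """Return findings, a risk score and a verdict for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings, score = [], 0
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in RISK_PERMISSIONS:
            weight, why = RISK_PERMISSIONS[name]
            score += weight
            findings.append(f"{name}: {why}")
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is how an app registers
    # as an Accessibility Service; with an overlay permission it matches the
    # overlay-and-act pattern described above.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_SERVICE:
            score += 3
            findings.append("Accessibility Service declared: can read and act on the screen")
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "low"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed sample manifest mirroring the profile of the dropper/banker
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.crm">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(result["verdict"], result["score"], *result["findings"], sep="\n")
```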

Target Audience

The phishing ads primarily target users who speak English, Spanish, French, German, Italian, Portuguese, and Russian.

Recommendations for Users

Pratapagiri emphasized, “Given the malware’s advanced capabilities and extensive control over compromised devices, it is crucial to implement strong protection measures to defend against this and similar threats to prevent data or financial loss.”

Related Malware Threats

At the same time, Cyfirma reported an Android malware campaign in Southern Asia delivering the SpyNote trojan, targeting high-value assets. No specific threat actors have been identified yet. Cyfirma noted, “The ongoing use of SpyNote shows that attackers prefer this tool to target high-profile individuals, even though it’s available on various underground forums and Telegram channels.”

Stay Protected

To protect your device from such threats:

  • Avoid downloading apps from unknown sources
  • Verify the legitimacy of job offers and recruiters
  • Keep your device’s software updated
  • Use reputable security software to detect and block malware

Stay vigilant and safeguard your personal information against evolving mobile threats.