
Extensive capabilities of Google Play update-masquerading Antidot trojan examined


Threat actors have been distributing the novel Antidot Android banking trojan disguised as Google Play updates in order to compromise credentials and carry out other malicious actions, SecurityWeek reports.


Infections begin with a fake Google Play update page, localized to the device's language, through which the trojan attempts to escalate its privileges. Once established, it carries out overlay attacks, device unlocking, app uninstallation, data exfiltration, SMS sending, Virtual Network Computing (VNC) operations, and photo capture, according to a report from Cyble.

The VNC capability lets attackers open notifications and dialogs, perform swipe gestures, and interact with clipboard content, the researchers said. They also noted that the trojan's overlay-attack module uses WebView to display HTML phishing pages that spoof banking and cryptocurrency apps.
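The capability set described above (an accessibility-driven overlay module, SMS access, camera use, package removal, all wrapped in an app that presents itself as a Google Play update) is visible to a defender before anything runs, in the APK's decoded manifest. The following triage script is an added example, not code from Cyble or SC Media: it parses a constructed, decoded AndroidManifest.xml (the kind apktool emits) and flags the permission and service combinations consistent with the behaviour reported for Antidot. The package names, labels and scoring rules are assumptions chosen for illustration; the Android permission strings are the standard ones.

```python
"""Static triage of a decoded Android manifest for the capability combination
reported for Antidot: accessibility-service abuse for overlays, SMS access,
camera use and package control. Added example, not the researchers' code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission strings mapped to a coarse capability label.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.CAMERA": "camera",
    "android.permission.REQUEST_INSTALL_PACKAGES": "package-control",
    "android.permission.REQUEST_DELETE_PACKAGES": "package-control",
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed sample manifests (hypothetical packages, not real Antidot samples).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
    <application android:label="Google Play Update">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package, the risky capabilities requested, whether an
    accessibility service is declared, and a list of triage reasons."""
    root = ET.fromstring(manifest_xml)
    caps = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name in RISKY_PERMISSIONS:
            caps.add(RISKY_PERMISSIONS[name])

    # An accessibility service is declared by binding it to this permission.
    has_accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERMISSION
        for svc in root.iter("service")
    )
    labels = [app.get(ANDROID_NS + "label", "") for app in root.iter("application")]
    spoofs_play = any("google play" in lbl.lower() for lbl in labels)

    reasons = []
    if has_accessibility and "overlay" in caps:
        reasons.append("accessibility service plus overlay permission (overlay-attack pattern)")
    if has_accessibility and "sms" in caps:
        reasons.append("accessibility service plus SMS access")
    if has_accessibility and "package-control" in caps:
        reasons.append("accessibility service plus package install/uninstall control")
    if spoofs_play:
        reasons.append("application label impersonates Google Play")

    return {
        "package": root.get("package", ""),
        "capabilities": sorted(caps),
        "accessibility_service": has_accessibility,
        "reasons": reasons,
        "verdict": "suspicious" if reasons else "low",
    }


if __name__ == "__main__":
    for xml in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(xml)
        print(result["package"], result["verdict"], *result["reasons"], sep=" | ")
```

The heuristic deliberately keys on combinations rather than single permissions: a legitimate screen reader declares an accessibility service, and a messaging app requests SMS permissions, but an app that self-identifies as a Google Play update and pairs an accessibility service with overlay, SMS and package-removal permissions matches the profile in the Cyble report and deserves manual review.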

"[Antidot's] utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrates a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions," said Cyble.
