Cybersecurity researchers have exposed the inner workings of an Android malware called AntiDot that has compromised over 3,775 devices as part of 273 unique campaigns.
"Operated by the financially motivated threat actor LARVA-398, AntiDot is actively sold as a Malware-as-a-Service (MaaS) on underground forums and has been linked to a wide range of mobile campaigns," PRODAFT said in a report shared with The Hacker News.
AntiDot is advertised as a "three-in-one" solution with capabilities to record the device screen by abusing Android's accessibility services, intercept SMS messages, and extract sensitive data from third-party applications.
The Android botnet is suspected to be delivered via malicious advertising networks or through highly tailored phishing campaigns, given activity that indicates selective targeting of victims by language and geographic location.
AntiDot was first publicly documented in May 2024 after it was spotted being distributed as Google Play updates to accomplish its information theft objectives.
Like other Android trojans, it features a wide range of capabilities to conduct overlay attacks, log keystrokes, and remotely control infected devices using Android's MediaProjection API. It also establishes a WebSocket communication to facilitate real-time, bi-directional communication between the infected device and an external server.
In December 2024, Zimperium revealed details of a mobile phishing campaign that distributed an updated version of AntiDot dubbed AppLite Banker using job offer-themed decoys.
The latest findings from the Swiss cybersecurity company show that there are at least 11 active command-and-control (C2) servers in operation that are overseeing no less than 3,775 infected devices across 273 distinct campaigns.
A Java-based malware at its core, AntiDot is heavily obfuscated using a commercial packer to sidestep detection and analysis efforts. The malware, per PRODAFT, is delivered as part of a three-stage process that starts with an APK file.
"An inspection of the AndroidManifest file reveals that many class names do not appear in the original APK," the company said. "These missing classes are dynamically loaded by the packer during installation, and include malicious code extracted from an encrypted file. The entire mechanism is intentionally crafted to avoid detection by antivirus tools."
Once launched, it serves a bogus update bar and prompts the victim to grant it accessibility permissions, after which it unpacks and loads a DEX file incorporating the botnet functions.
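One triage check a defender can run on such a sample follows directly from the packer behaviour described above: compare the component classes declared in AndroidManifest.xml against the classes actually present in classes.dex, and flag any that are missing. This is an added example, not PRODAFT's tooling; the manifest, package name and DEX class list are constructed placeholders, with the class set standing in for what dexdump or androguard would report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest as apktool would decode it; all names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.update">
  <application android:name=".PackerApplication">
    <activity android:name=".MainActivity"/>
    <service android:name="com.example.update.svc.AccessibilityHook"/>
    <receiver android:name=".BootReceiver"/>
    <provider android:name="com.example.update.DataProvider"/>
  </application>
</manifest>"""

# Constructed sample: classes really present in classes.dex, in JVM descriptor form.
# Only the loader stub and the entry points exist; the rest arrive at runtime.
SAMPLE_DEX_CLASSES = {
    "Lcom/example/update/PackerApplication;",
    "Lcom/example/update/MainActivity;",
    "Lcom/example/update/Loader;",
}


def declared_components(manifest_xml: str) -> list[str]:
    """Fully qualified class names of the application and its declared components."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    elements = [app] + [e for tag in COMPONENT_TAGS for e in app.iter(tag)]
    names = []
    for el in elements:
        name = el.get(ANDROID_NS + "name")
        if not name:
            continue
        if name.startswith("."):          # relative name: ".Foo" -> "<package>.Foo"
            name = pkg + name
        elif "." not in name:             # bare name: "Foo" -> "<package>.Foo"
            name = f"{pkg}.{name}"
        names.append(name)
    return names


def to_descriptor(fqcn: str) -> str:
    """Java class name -> DEX type descriptor, e.g. a.b.C -> La/b/C;"""
    return "L" + fqcn.replace(".", "/") + ";"


def missing_components(manifest_xml: str, dex_classes: set[str]) -> list[str]:
    """Declared components with no class in the DEX: a sign a packer loads them later."""
    return sorted(c for c in declared_components(manifest_xml)
                  if to_descriptor(c) not in dex_classes)
```

A non-empty result is not proof of malice on its own (some legitimate protectors behave the same way), but it tells the analyst to dump the DEX the loader decrypts at runtime rather than trusting static analysis of the APK.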
A core feature of AntiDot is its ability to monitor for newly launched applications and serve a bogus login screen fetched from the C2 server when the victim opens a cryptocurrency- or payment-related app that the operators are interested in.
The malware also abuses accessibility services to gather extensive information about the contents of the active screens and sets itself as the default SMS app for capturing incoming and outgoing texts. Furthermore, it can monitor phone calls, block calls from specific numbers, or redirect them, effectively opening up more avenues for fraud.
Another important feature is that it can keep track of real-time notifications displayed in the device's status bar and takes steps to either dismiss or snooze them in a bid to suppress alerts and avoid alerting the user of suspicious activity.
PRODAFT said the C2 panel that powers the remote control functions is built using MeteorJS, an open-source JavaScript framework that enables real-time communication. The panel has six different tabs -
- Bots, which displays a list of all the compromised devices and their details
- Injects, which displays a list of all target apps for overlay injection and lets the operator view the overlay template for each inject
- Analytic, which displays a list of applications installed on victim devices and is likely used to identify new and popular apps for future targeting
- Settings, which contains the core configuration options for the panel, including updating the injects
- Gates, which is used to manage the infrastructure endpoints that the bots connect to
- Help, which offers support resources for using the malware
"AntiDot represents a scalable and evasive MaaS platform designed for financial gain through persistent control of mobile devices, especially in localized and language-specific regions," the company said. "The malware also employs WebView injection and overlay attacks to steal credentials, making it a serious threat to user privacy and device security."
GodFather Returns
The development comes as Zimperium zLabs said it uncovered a "sophisticated evolution" of the GodFather Android banking trojan that makes use of on-device virtualization to hijack legitimate mobile banking and cryptocurrency applications and carry out real-time fraud.
"The core of this novel technique is the malware's ability to create a complete, isolated virtual environment on the victim's device. Instead of simply mimicking a login screen, the malware installs a malicious 'host' application that contains a virtualization framework," researchers Fernando Ortega and Vishnu Pratapagiri said.
"This host then downloads and runs a copy of the actual targeted banking or cryptocurrency app within its controlled sandbox."
Should the victim launch the app, they are redirected to the virtual instance, from where their activities are monitored by the threat actors. In addition, the latest version of GodFather packs in features to bypass static analysis tools by making use of ZIP manipulation and filling the AndroidManifest file with irrelevant permissions.
As with AntiDot, GodFather relies on accessibility services to conduct its information gathering activities and control compromised devices. While Google has enforced security protections that prevent sideloaded apps from enabling accessibility services starting with Android 13, a session-based installation approach can get around this safeguard.
Session-based installation is the method Android app stores use to install apps, and texting apps, mail clients, and browsers use it too when presented with APK files.
Central to the functioning of the malware is its virtualization feature. In the first stage, it collects information about the list of installed apps and checks if it includes any of the predetermined apps it's configured to target.
If matches are found, it extracts relevant information from those apps and then proceeds to install a copy of those apps in a virtual environment inside the dropper app. Thus when the victim attempts to launch the actual banking application on their device, GodFather intercepts the action and opens the virtualized instance instead.
It's worth pointing out that similar virtualization features were previously flagged in another Android malware codenamed FjordPhantom, which was documented by Promon in December 2023. The method represents a paradigm shift in mobile threat capabilities that go beyond the traditional overlay tactic to steal credentials and other sensitive data.
"While this GodFather campaign casts a wide net, targeting nearly 500 applications globally, our analysis reveals that this highly sophisticated virtualization attack is currently focused on a dozen Turkish financial institutions," the company said.
"A particularly alarming capability uncovered in the GodFather malware is its capacity to steal device lock credentials, irrespective of whether the victim uses an unlock pattern, a PIN, or a password. This poses a significant threat to user privacy and device security."
The mobile security company said the abuse of accessibility services is one of the many ways malicious apps can achieve privilege escalation on Android, allowing them to obtain permissions that exceed their functional requirements. These include misuse of Original Equipment Manufacturer (OEM) permissions and security vulnerabilities in pre-installed apps that cannot be removed by users.
"Preventing privilege escalation and securing Android ecosystems against malicious or over-privileged applications requires more than user awareness or reactive patching—it demands proactive, scalable, and intelligent defense mechanisms," security researcher Ziv Zeira said.
SuperCard X Malware Comes to Russia
The findings also follow the first recorded attempts to target Russian users with SuperCard X, a newly emerged Android malware that can conduct near-field communication (NFC) relay attacks for fraudulent transactions.
According to Russian cybersecurity company F6, SuperCard X is a malicious modification of a legitimate tool called NFCGate that can capture or modify NFC traffic. The malware's end goal is not only to receive NFC traffic from the victim's device but also to read bank card data by sending commands to the card's EMV chip.
"This application allows attackers to steal bank card data by intercepting NFC traffic for subsequent theft of money from users' bank accounts," F6 researcher Alexander Koposov said in a report published this week.
Attacks leveraging SuperCard X were first spotted targeting Android users in Italy earlier this year, weaponizing NFC technology to relay data from victims' physical cards to attacker-controlled devices, from where they were used to carry out fraudulent ATM withdrawals or authorize point-of-sale (PoS) payments.
The Chinese-speaking MaaS platform, advertised on Telegram as capable of targeting customers of major banks in the U.S., Australia and Europe, shares substantial code-level overlaps with NGate, an Android malware that has also been found weaponizing NFCGate for malicious purposes in the Czech Republic.
All these campaigns are united by the fact that they rely on smishing techniques to convince a potential victim of the need to install an APK file on the device under the guise of a useful program.
Malicious Apps Spotted on App Stores
While all of the aforementioned malware strains require victims to sideload the apps on their devices, new research has also unearthed malicious apps on the official Google Play Store and Apple's App Store with capabilities to harvest personal information and steal the mnemonic phrases associated with cryptocurrency wallets with the goal of draining the victims' assets.
One of the apps in question, RapiPlata, is estimated to have been downloaded around 150,000 times across Android and iOS devices, underscoring the severity of the threat. The app is a type of malware known as SpyLoan, which lures users by claiming to offer loans at low interest rates, only for them to be subjected to extortion, blackmail, and data theft.
"RapiPlata primarily targets Colombian users by promising quick loans," Check Point said. "Beyond its predatory lending practices, the app engages in extensive data theft. The app had extensive access to sensitive user data -- including SMS messages, call logs, calendar events, and installed applications -- even going so far as to upload this data to its servers."
The cryptocurrency wallet phishing apps, on the other hand, have been distributed through compromised developer accounts and serve a phishing page via WebView to obtain the seed phrases.
Although these apps have since been removed from the respective app stores, the danger is that the Android apps could be available for download from third-party websites. Users are advised to exercise caution when downloading financial or loan-related applications.