In April, Cyble Research and Intelligence Labs (CRIL) released a detailed analysis of a newly surfaced Android Banking Trojan named Brokewell, created by malware developer Baron Samedit and capable of taking over devices.
Recently, we discovered another new Android Banking Trojan, “Antidot,” first spotted on May 06, 2024 (SHA256: a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116). This Trojan relies on overlay attacks as its primary method for harvesting credentials.
This malware incorporates several features, including:
We refer to this Android Banking Trojan as “Antidot” because the string “Antidot” appears in its source code, where it is used as a logging tag across different classes. The malware uses custom encryption routines for string obfuscation together with meaningless class names, which makes analysis more challenging.
Figure 1 – Mentions of “Antidot” strings in malware source code
The malware masquerades as a Google Play update application, displaying a counterfeit Google Play update page upon installation. Our observations reveal that this fake update page has been crafted in various languages, including German, French, Spanish, Russian, Portuguese, Romanian, and English. This indicates that the malware is targeting Android users in these language-speaking regions.
Figure 2 – Fake update pages crafted in different languages
The next section presents a detailed technical analysis of the Antidot Android Banking Trojan.
As previously mentioned, after installation, the malware displays a fake update page featuring a “Continue” button that redirects the user to the Accessibility settings. Like other Android Banking Trojans, Antidot also relies on the Accessibility service to carry out its malicious activities.
Figure 3 – Antidot prompting user to grant Accessibility permission
In the background, the malware initiates communication with its Command and Control (C&C) server at “hxxp://46[.]228.205.159:5055/”. In addition to the HTTP connection, the Antidot Banking Trojan establishes WebSocket communication using the socket.io library, which enables real-time, bi-directional communication between the server and client. The malware maintains this communication through “ping” and “pong” messages.
From the client side, the malware sends “ping” messages carrying Base64-encoded data. An example of a ping message sent by the client is shown below:
42["ping","1715751904","WyJyZXNTY3JlZW4iLCIxMDgwIiwiMTkyMCJd\n"]
From the server side, the malware receives “pong” messages containing plain text data. These pong messages typically include commands that the server wants to execute. An example of a pong message received from the server is:
42["pong",["sos","1"]]
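The two frames above are small enough to decode by hand, but an analyst triaging a packet capture will want to do it mechanically. The helper below is an added example written for this write-up (it is not code from the malware or from the Cyble analysis). It assumes only what the two samples show: a Socket.IO event packet prefixed with "42" followed by a JSON array whose first element is the event name; for a ping, the second element is a timestamp string and the third is Base64 text (which in the sample decodes to the JSON array ["resScreen","1080","1920"]); for a pong, the second element is an array holding the command name and its parameter.

```python
import base64
import json
import re

# Constructed samples copied from the two frames quoted above. The leading "42"
# is Socket.IO framing: Engine.IO packet type 4 (message) + Socket.IO type 2 (event).
SAMPLE_PING = '42["ping","1715751904","WyJyZXNTY3JlZW4iLCIxMDgwIiwiMTkyMCJd\\n"]'
SAMPLE_PONG = '42["pong",["sos","1"]]'

EVENT_FRAME = re.compile(r"^42(\[.*\])$", re.DOTALL)


def parse_event_frame(frame):
    """Return (event_name, args) for a Socket.IO event frame, or None.

    Anything that is not a type-42 frame carrying a JSON array whose first
    element is a string (the event name) is ignored, so the caller can run
    this over mixed traffic without raising."""
    match = EVENT_FRAME.match(frame)
    if match is None:
        return None
    try:
        payload = json.loads(match.group(1))
    except json.JSONDecodeError:
        return None
    if not isinstance(payload, list) or not payload or not isinstance(payload[0], str):
        return None
    return payload[0], payload[1:]


def decode_ping(args):
    """Decode a bot->C2 ping into (timestamp, data), or None if malformed.

    args[0] is the timestamp string, args[1] the Base64 payload (the sample
    carries a trailing newline, hence strip()). The payload is JSON in the
    sample, so JSON is tried first with a fallback to plain text."""
    if len(args) < 2 or not isinstance(args[1], str):
        return None
    try:
        raw = base64.b64decode(args[1].strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    try:
        return args[0], json.loads(raw)
    except json.JSONDecodeError:
        return args[0], raw.decode("utf-8", errors="replace")


def extract_command(args):
    """Pull (command, params) out of a C2->bot pong, or None if malformed."""
    if not args or not isinstance(args[0], list) or not args[0]:
        return None
    command, *params = args[0]
    return command, params


def summarise(frame):
    """Label one frame by direction and pull out what an analyst would log."""
    parsed = parse_event_frame(frame)
    if parsed is None:
        return {"kind": "unknown"}
    name, args = parsed
    if name == "ping":
        decoded = decode_ping(args)
        if decoded is None:
            return {"kind": "bot->c2", "malformed": True}
        timestamp, data = decoded
        return {"kind": "bot->c2", "timestamp": timestamp, "data": data}
    if name == "pong":
        extracted = extract_command(args)
        if extracted is None:
            return {"kind": "c2->bot", "malformed": True}
        command, params = extracted
        return {"kind": "c2->bot", "command": command, "params": params}
    return {"kind": "other", "event": name}


if __name__ == "__main__":
    for sample in (SAMPLE_PING, SAMPLE_PONG):
        print(summarise(sample))
```

Running it on the two samples shows the ping reporting the device's screen resolution (1080x1920) and the pong carrying the "sos" command with parameter "1". Frames that are not type-42 events, or whose arrays are shorter than expected, are labelled rather than raising, which is what you want when the same function is fed an entire capture.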
Once the user grants the Accessibility service, the malware sends the first “ping” message to the server along with Base64-encoded data containing the following information:
Figure 4 – First ping message to the server
After receiving the initial ping message, the server responds with a “pong” message that includes the bot ID generated for the infected device, as illustrated in the figure below:
Figure 5 – Pong message with bot ID
During communication with the C&C server “hxxp://46[.]228.205.159:5055”, the malware obtains three additional server URLs. These can serve as backup options to maintain communication if the current C&C server becomes inactive. Below are the additional C&C servers received from the server:
Once the server generates the bot ID, the Antidot Banking Trojan begins sending bot statistics to the server and receiving commands. During execution, we observed several commands received by the malware, including “sos,” “setSettings,” “getApps,” and “getSMS.”
Figure 6 – Malware sends bot stats
Figure 7 – Commands received from the server
The malware has implemented a total of 35 commands, which we have listed below.
| Command | Description |
| --- | --- |
| speedMod | Updates application scope list |
| pauseInject | Updates shared preference value with 1 to pause overlay activity |
| stopAverlay | Stops overlay activity |
| stopCamera | Stops camera |
| setInjections | Saves injection overlay data in a hashmap |
| unlockDevice | Unlocks device |
| startSleep | Saves parameters related to the sleep feature in shared preference |
| sleepNow | Puts the device in sleep mode |
| onFocus | Increases the brightness of the overlay window |
| openApp | Opens application specified by the server |
| getSms | Collects SMSs |
| callForward | Makes call from infected device |
| setSettings | Receives additional C&C server URLs |
| offFocus | Reduces the brightness of overlay windows |
| deleteApp | Uninstalls application |
| deleteBot | Uninstalls itself |
| updateShow | Displays updated content in the WebView |
| getApps | Collects installed application package name list |
| getKeys | Collects keystrokes |
| sos | Prompts the user to uninstall the application |
| actionVnc | Receives actions to perform on the infected device |
| lockDevice | Locks device |
| vncShow | Displays VNC in WebView |
| waitBar | Displays waiting bar overlay page |
| resumeInject | Resumes showing overlay page |
| sendPush | Sends push notification |
| sendUssd | Makes USSD service call |
| startVnc | Initiates VNC |
| treeMode | Sends VNC content |
| onScreen | Adds overlay window |
| getContacts | Collects contact list |
| stopSleep | Wakes up the device screen |
| stopSound | Mutes device |
| startCamera | Opens camera and sends captured photo to the C&C server |
| sendSms | Sends SMS from an infected device |
The Antidot malware starts its VNC activity when it receives the command “startVNC” from the C&C server. It then uses the MediaProjection API to capture the display content of the compromised device, encodes this content, and transmits it to the C&C server.
Figure 8 – Starts VNC after receiving the command
Once the screen content is transmitted, the malware can receive the command “actionVNC,” along with the actions to perform on the current display screen of the infected device. Utilizing Accessibility service methods, the malware executes these actions as directed. Below is the list of VNC actions received from the server:
| Action | Description |
| --- | --- |
| tap | Dispatches tap gesture |
| swipe | Makes swipe gesture |
| global-recent | Shows overview of recent apps |
| global-home | Executes go home action |
| global-back | Performs go back action |
| global-bar | Executes this action to open the notification bar |
| global-power | Opens power long press dialog |
| scroll-up | Dispatches gesture to scroll up |
| scroll-down | Dispatches gesture to scroll down |
| swipe-up | Dispatches gesture to swipe up |
| swipe-down | Dispatches gesture to swipe down |
| swipe-left | Dispatches gesture to swipe left |
| makeGesture | Dispatches gesture on x and y coordinates |
| textset | Collects text from the clipboard |
| unknown | Sets text to the clipboard |
The overlay attack module of the Antidot malware is akin to that of other well-known banking Trojans such as Ermac, Chameleon, and Brokewell. It employs HTML phishing pages designed to resemble authentic banking or cryptocurrency applications, loading them into WebView and creating an overlay window on the genuine application to capture credentials.
As mentioned earlier, the malware sends the installed application’s package name list to the C&C server, which will be used to find the targeted application. Once the targeted applications are found on the infected device, the server then sends the command “SetInjections” along with the package name and Base64-encoded HTML injection page URL.
Figure 9 – Getting injections from the server
When the malware detects that the victim is using a targeted application by verifying the package name against its injection list, it creates an overlay window over the legitimate application and loads the injection URL into the WebView.
Figure 10 – Overlay attack activity
The Antidot Android Banking Trojan has incorporated keylogging alongside its overlay attack to harvest credentials. Whenever a victim initiates typing, the malware produces a “ping message” and transmits the exfiltrated keystrokes using Base64 encoding. To dispatch the stolen key logs, along with a timestamp and application name, the malware employs the “getKeys” command.
The figure below displays an example of the keylogger message sent by the malware.
Figure 11 – Keylogger message example
Once the malware gains access to the Accessibility service, it transmits device information and the package names of installed applications. If the server determines that the device is not an intended target, it sends the “SOS” command to the malware. The malware then displays a dialog box asking the victim to uninstall the application, and the server stops sending further commands to the bot.
Figure 12 – SOS activity
The emergence of sophisticated Android Banking Trojans poses a significant threat to users’ security and privacy. Among these, the newly surfaced “Antidot” Banking Trojan stands out for its multifaceted capabilities and stealthy operation. Its use of string obfuscation, encryption, and strategically deployed fake update pages demonstrates a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions.
Analyzing its intricate workings sheds light on the evolving landscape of mobile malware and the ingenuity of cybercriminals. With its multifaceted capabilities, including overlay attacks, keylogging, and VNC features, Antidot poses a significant threat to users’ privacy and financial security.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
| Tactic | Technique ID | Procedure |
| --- | --- | --- |
| Defense Evasion (TA0030) | Masquerading: Match Legitimate Name or Location (T1655.001) | Malware pretending to be the Google Play Update application |
| Defense Evasion (TA0030) | Application Discovery (T1418) | Collects installed application package name list to identify target |
| Defense Evasion (TA0030) | Virtualization/Sandbox Evasion (T1633) | Malware implements an anti-emulation check, which checks whether debugging is on |
| Defense Evasion (TA0030) | Indicator Removal on Host: Uninstall Malicious Application (T1630.001) | Malware can uninstall itself |
| Defense Evasion (TA0030) | Input Injection (T1516) | Malware can mimic user interaction, perform clicks and various gestures, and input data |
| Collection (TA0035) | Input Capture: Keylogging (T1417.001) | Malware can capture keystrokes |
| Discovery (TA0032) | Software Discovery (T1418) | Malware collects installed application package list |
| Discovery (TA0032) | System Information Discovery (T1426) | The malware collects basic device information |
| Collection (TA0035) | Screen Capture (T1513) | Malware can record screen content |
| Collection (TA0035) | Capture Camera (T1512) | Malware opens camera and takes pictures |
| Collection (TA0035) | Audio Capture (T1429) | Malware captures audio recordings |
| Collection (TA0035) | Call Control (T1616) | Malware can make calls |
| Collection (TA0035) | Protected User Data: Call Log (T1636.002) | Malware steals call logs |
| Collection (TA0035) | Protected User Data: SMS Messages (T1636.004) | Steals SMSs from the infected device |
| Exfiltration (TA0036) | Exfiltration Over C2 Channel (T1646) | Sends exfiltrated data to the C&C server |
| Indicators | Indicator Type | Description |
| --- | --- | --- |
| a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116 | SHA256 | Antidot Android Banking Trojan |
| c48240ce763e07b690e4fe79d6dfe69eeeebf8bd | SHA1 | Antidot Android Banking Trojan |
| ac79187fd3024fb9cb5d1a872461503c | MD5 | Antidot Android Banking Trojan |
| hxxps://wgona[.]click/ | URL | C&C server |
| 7a0664c3a9914531c84d875669f6249b433d09155b1c06ad3654c210a1798ee0 | SHA256 | Antidot Android Banking Trojan |
| 13479bb7364b710b2bb4a55ded4877d8232c0d90 | SHA1 | Antidot Android Banking Trojan |
| 0b6f0790c32a16e413c89bf65018ec6d | MD5 | Antidot Android Banking Trojan |
| hxxp://46.228.205[.]159:5055/ | URL | C&C server |
| 9f8a49432e76b9c69d33ea228cc44254bc0a58bfa15eb0c51a302c59db81caa3 | SHA256 | Antidot Android Banking Trojan |
| 1c1d2fc881ea0565a372f71baf26454756bd3243 | SHA1 | Antidot Android Banking Trojan |
| 588d01860865256c378715ad728757cf | MD5 | Antidot Android Banking Trojan |
| 654cfe773e92261a7e2c74f4b16bd36be9286a95840b49139cf18c8d4333345b | SHA256 | Dropper file hash |
| bb2a1b5909f31f1c4d694899d502b1d9f95c66c2 | SHA1 | Dropper file hash |
| b877636c060e5fb47f467e557acdc9ac | MD5 | Dropper file hash |
| hxxp://213.255.246[.]209:5055 | Domain | C&C server |
| hxxp://193.181.23[.]70:5055 | Domain | C&C server |
| hxxp://188.241.240[.]75:5055 | Domain | C&C server |
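Indicators published in defanged form (hxxp, [.]) have to be refanged before they can be loaded into a proxy, DNS or EDR blocklist, and it is worth checking the declared type against the indicator's actual shape on the way in, since hand-built IoC tables occasionally label an IP-based URL as a "Domain". The script below is an added example written for this article, not tooling from Cyble; it embeds a constructed subset of the rows above as its input and assumes only the two defanging conventions the table uses.

```python
import re

# Constructed input: a subset of the IoC table above, kept exactly as
# published (defanged). Column order: indicator, declared type, description.
IOC_ROWS = [
    ("a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116", "SHA256", "Antidot Android Banking Trojan"),
    ("c48240ce763e07b690e4fe79d6dfe69eeeebf8bd", "SHA1", "Antidot Android Banking Trojan"),
    ("ac79187fd3024fb9cb5d1a872461503c", "MD5", "Antidot Android Banking Trojan"),
    ("hxxps://wgona[.]click/", "URL", "C&C server"),
    ("hxxp://46.228.205[.]159:5055/", "URL", "C&C server"),
    ("hxxp://213.255.246[.]209:5055", "Domain", "C&C server"),
]

# Hex digest length -> algorithm; anything else is not treated as a hash.
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}


def refang(value):
    """Undo the defanging used in the table: hxxp(s):// -> http(s)://, [.] -> ."""
    value = re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)
    return value.replace("[.]", ".")


def classify(value):
    """Infer the indicator type from its shape instead of trusting the label."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)]
    if re.match(r"^https?://", v):
        return "URL"
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}(:\d+)?", v):
        return "IP"
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", v):
        return "Domain"
    return "Unknown"


def normalise(rows):
    """Refang every row and flag those whose declared type disagrees with its shape."""
    out = []
    for value, declared, description in rows:
        clean = refang(value.strip())
        inferred = classify(clean)
        out.append({
            "indicator": clean,
            "declared": declared,
            "inferred": inferred,
            "mismatch": inferred != declared,
            "description": description,
        })
    return out


def blocklist_urls(rows):
    """Just the network indicators, refanged, in the order they were published."""
    return [r["indicator"] for r in normalise(rows) if r["inferred"] == "URL"]


if __name__ == "__main__":
    for row in normalise(IOC_ROWS):
        flag = "  <-- declared type does not match" if row["mismatch"] else ""
        print(f'{row["inferred"]:7} {row["indicator"]}{flag}')
```

On the rows above the mismatch flag fires only for the last entry, whose declared type is "Domain" while the indicator is an http URL pointing at an IP address and port; the hash rows pass because their digest lengths agree with the labels. Keep the defanged originals in the report and refang only at the point of loading a blocklist, so the indicators cannot be clicked accidentally while the document is being read.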