New Android Trojan Disguised as Google Play Update to Steal Data

Penka Hristovska, Senior Editor

A new Android banking trojan that’s capable of stealing user credentials and eavesdropping on conversations is impersonating a Google Play update.

The trojan, named Antidot by the threat intelligence company Cyble, which first detected it, is capable of performing a long list of functions to access sensitive information.

“The newly surfaced Antidot banking trojan stands out for its multifaceted capabilities and stealthy operations. Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrates a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions,” Cyble explains.

Once Antidot infects a device, it displays a fake Google Play update page, which is tailored to match the device’s language settings, including English, French, German, Portuguese, Romanian, Russian, and Spanish. This fake page directs victims to the Accessibility settings, deceiving them into granting the malware elevated permissions.

While running in the background, the Antidot trojan establishes communication with a server controlled by attackers. It receives commands that enable it to employ overlay attacks, unlock the device, put the device in sleep mode, manage applications (opening and uninstalling), make phone calls, send SMS messages, gather information, send push notifications, and even use the device’s camera to take photos.

To execute overlay attacks, it sends a list of app package names to its command and control (C&C) server. The server then responds with customized overlays designed for those specific applications. When a user tries to open any of the targeted applications, Antidot generates an overlay window that captures the user’s credentials.

“The Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device. It then encodes this content and transmits it to the command-and-control (C&C) server,” Cyble says.

It can execute USSD requests as well, which could potentially allow it to directly interact with a mobile service provider’s services. This might include checking a device’s balance, recharging an account, or even transferring funds without the user’s consent.
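As an added illustration (not code from Cyble or from the article), the following Python triage heuristic scores an app inventory against the capability bundle described above: an enabled accessibility service, drawing over other apps, phone calls/USSD, SMS, camera, and sideloading. The permission strings are real Android permission names; the inventory entries and package names are constructed for the example.

```python
# Added triage heuristic, not Cyble's detection logic. It ranks installed apps by how
# closely their granted capabilities match the profile the article attributes to Antidot.
from dataclasses import dataclass, field
from typing import Optional

# Real Android permission names for the capabilities described in the article.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"      # overlay windows over other apps
CALL_PHONE = "android.permission.CALL_PHONE"            # phone calls and USSD dialing
SEND_SMS = "android.permission.SEND_SMS"                # sending SMS
CAMERA = "android.permission.CAMERA"                    # taking photos
PLAY_STORE = "com.android.vending"                      # installer package of Google Play

@dataclass
class AppInfo:
    package: str
    installer: Optional[str]                  # None means sideloaded
    permissions: set = field(default_factory=set)
    accessibility_enabled: bool = False       # user has enabled the app's accessibility service

def score_app(app: AppInfo):
    """Return (score, reasons). Higher score means closer to the Antidot-style profile."""
    score, reasons = 0, []
    # Core of the described attack chain: accessibility abuse plus overlays.
    if app.accessibility_enabled:
        score += 3; reasons.append("accessibility service enabled")
    if OVERLAY in app.permissions:
        score += 2; reasons.append("can draw over other apps")
    # Sideloaded, as a fake 'Google Play update' delivered outside the store would be.
    if app.installer != PLAY_STORE:
        score += 2; reasons.append("not installed from Google Play")
    # Secondary capabilities the article lists: calls/USSD, SMS, camera.
    for perm, label in ((CALL_PHONE, "calls/USSD"), (SEND_SMS, "SMS"), (CAMERA, "camera")):
        if perm in app.permissions:
            score += 1; reasons.append(label)
    return score, reasons

# Constructed inventory: one hypothetical Antidot-like app, a bank app, a screen reader.
CONSTRUCTED_INVENTORY = [
    AppInfo("com.example.fake_update", None, {OVERLAY, CALL_PHONE, SEND_SMS, CAMERA}, True),
    AppInfo("com.example.bank", PLAY_STORE, {CAMERA}),
    AppInfo("com.example.screenreader", PLAY_STORE, set(), True),
]

def triage(apps=None, threshold=6):
    """Return [(package, score, reasons)] for apps at or above the threshold."""
    apps = CONSTRUCTED_INVENTORY if apps is None else apps
    hits = [(a.package,) + score_app(a) for a in apps]
    return [h for h in hits if h[1] >= threshold]

if __name__ == "__main__":
    for package, score, reasons in triage():
        print(f"{package}: score {score}: {', '.join(reasons)}")
```

A legitimately enabled accessibility tool from the store scores low on its own; the score only climbs when accessibility is combined with overlays, sideloading and the other capabilities together.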

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.
