New Antidot Android Banking Trojan Masquerading as Fake Google Play Updates 

Antidot is a new Android Banking Trojan that masquerades as a Google Play update, using fake update pages in several languages to target users across multiple regions. It combines overlay attacks, keylogging, and remote control via a WebSocket-based C2 to harvest credentials and perform extensive device manipulation. Hashtags: #Antidot #BaronSamedit

Keypoints

  • Antidot is an Android Banking Trojan disguised as Google Play update software, with fake pages in several languages (German, French, Spanish, Russian, Portuguese, Romanian, English).
  • It employs overlay attacks and keylogging to capture credentials and can record the screen or access the device camera and microphone.
  • The malware communicates with a C2 server over WebSocket, using ping/pong messages and Base64-encoded data for real-time control.
  • Antidot can receive and execute a broad set of commands (35 in total), including collecting SMS, obtaining installed apps, unlocking the device, and starting VNC sessions.
  • The Accessibility service is leveraged to perform actions on the device, including driving the fake update flow and the overlay injections.
  • The malware uses multiple C2 URLs as backups to maintain communication if the primary server goes down and transmits bot data back to the server.

MITRE Techniques

  • [T1655.001] Masquerading – Quote: ‘Malware masquerading as the Google Play Update application’
  • [T1418] Software Discovery – Quote: ‘Collects installed application package name list to identify target’
  • [T1633] Virtualization/Sandbox Evasion – Quote: ‘anti-emulation check, which checks if the debugging is on.’
  • [T1630.001] Indicator Removal on Host: Uninstall Malicious Application – Quote: ‘Malware can uninstall itself’
  • [T1516] Input Injection – Quote: ‘Malware can mimic user interaction, perform clicks and various gestures, and input data’
  • [T1417.001] Input Capture: Keylogging – Quote: ‘Malware can capture keystrokes’
  • [T1426] System Information Discovery – Quote: ‘The malware collects basic device information.’
  • [T1513] Screen Capture – Quote: ‘Malware can record screen content’
  • [T1512] Capture Camera – Quote: ‘Malware opens camera and takes pictures’
  • [T1429] Audio Capture – Quote: ‘Malware captures Audio recordings’
  • [T1616] Call Control – Quote: ‘Malware can make calls’
  • [T1636.004] Protected Data: SMS Messages – Quote: ‘Steals SMSs from the infected device’
  • [T1646] Exfiltration Over C2 Channel – Quote: ‘Sending exfiltrated data over C2 server’

Indicators of Compromise

  • [SHA256] Antidot Android Banking Trojan – a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116, 9f8a49432e76b9c69d33ea228cc44254bc0a58bfa15eb0c51a302c59db81caa3
  • [SHA1/SHA256] Antidot Android Banking Trojan – c48240ce763e07b690e4fe79d6dfe69eeeebf8bd (SHA1), 7a0664c3a9914531c84d875669f6249b433d09155b1c06ad3654c210a1798ee0 (64 hex characters, i.e. SHA256 length; listed under SHA1 in the source)
  • [MD5] Antidot Android Banking Trojan – ac79187fd3024fb9cb5d1a872461503c, 0b6f0790c32a16e413c89bf65018ec6d
  • [URL] C2 server – hxxps://wgona[.]click/, hxxp://46.228.205[.]159:5055/
  • [SHA256/SHA1] Antidot Dropper/Related – 9f8a49432e76b9c69d33ea228cc44254bc0a58bfa15eb0c51a302c59db81caa3 (SHA256), 1c1d2fc881ea0565a372f71baf26454756bd3243 (40 hex characters, i.e. SHA1 length; listed under SHA256 in the source)
  • [IP:port] C2 servers – 213.255.246[.]209:5055, 193.181.23[.]70:5055, 188.241.240[.]75:5055
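The indicators above are only useful once they are machine-checkable. The script below is an added example (not code from Cyble or from the Antidot report) that loads the report's hashes and defanged network indicators, classifies each hash by its hex length (which is how the mislabelled SHA1/SHA256 entries above are caught), refangs the URLs and IP:port values for comparison only, and then matches local file bytes and constructed log lines against them. The sample bytes and the log lines are constructed for the example; the `match_file` helper assumes you have a local file to check.

```python
import hashlib
import re
from pathlib import Path

# Hash strings copied verbatim from the report's IoC list above.
REPORT_HASHES = [
    "a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116",
    "9f8a49432e76b9c69d33ea228cc44254bc0a58bfa15eb0c51a302c59db81caa3",
    "c48240ce763e07b690e4fe79d6dfe69eeeebf8bd",
    "7a0664c3a9914531c84d875669f6249b433d09155b1c06ad3654c210a1798ee0",
    "ac79187fd3024fb9cb5d1a872461503c",
    "0b6f0790c32a16e413c89bf65018ec6d",
    "1c1d2fc881ea0565a372f71baf26454756bd3243",
]

# Network indicators kept in the report's defanged form.
REPORT_NETWORK = [
    "hxxps://wgona[.]click/",
    "hxxp://46.228.205[.]159:5055/",
    "213.255.246[.]209:5055",
    "193.181.23[.]70:5055",
    "188.241.240[.]75:5055",
]

# A hex digest's length identifies the algorithm: 32 = MD5, 40 = SHA1, 64 = SHA256.
HASH_ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def classify_hash(value):
    """Return the digest algorithm implied by a hex string's length, or None."""
    v = value.strip().lower()
    if not re.fullmatch(r"[0-9a-f]+", v):
        return None
    return HASH_ALGO_BY_LEN.get(len(v))


def refang(indicator):
    """Undo the usual defanging (hxxp -> http, [.] -> .) so the value can be
    compared against proxy or DNS logs. For matching only; never fetch it."""
    s = re.sub(r"^hxxp", "http", indicator.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".")


def build_hash_index(hashes):
    """Group hashes by algorithm, silently skipping anything that is not a digest."""
    index = {"md5": set(), "sha1": set(), "sha256": set()}
    for h in hashes:
        algo = classify_hash(h)
        if algo:
            index[algo].add(h.strip().lower())
    return index


def digests(data):
    """Compute all three digests of a byte string in one pass over the data."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in ("md5", "sha1", "sha256")}


def match_bytes(data, index):
    """Return (algorithm, digest) pairs for which the bytes hit an indicator."""
    d = digests(data)
    return [(algo, d[algo]) for algo in ("md5", "sha1", "sha256") if d[algo] in index[algo]]


def match_file(path, index):
    """Hash a local file (e.g. a sideloaded APK) and match it against the index."""
    return match_bytes(Path(path).read_bytes(), index)


def match_log_line(line, refanged_network):
    """Return the refanged network indicators that appear in a log line.
    The trailing slash is dropped so 'https://wgona.click/api' still matches."""
    return [ioc for ioc in refanged_network if ioc.rstrip("/") in line]


if __name__ == "__main__":
    index = build_hash_index(REPORT_HASHES)
    for h in REPORT_HASHES:
        print(f"{classify_hash(h):7s} {h}")
    network = [refang(x) for x in REPORT_NETWORK]
    # Constructed log lines for the example; the first one carries a report C2 host.
    constructed_logs = [
        "2024-05-16 10:00:01 app=com.example.updater dst=https://wgona.click/api/ws",
        "2024-05-16 10:00:02 app=com.android.vending dst=https://play.googleapis.com/",
    ]
    for line in constructed_logs:
        print(match_log_line(line, network) or "no hit", "<-", line)
    print(match_bytes(b"constructed benign sample", index) or "no hash hit")
```

Run it as-is to see the length-based classification of the report's hashes and the constructed log matches; point `match_file` at a real APK path to check a file against the same index. Keeping the hashes in the defanged report form and refanging only at comparison time avoids pasting live C2 URLs into tooling that might resolve them.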

Read more: https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/