May 17, 2024 at 07:48AM
Cyble has discovered a new Android banking trojan named Antidot, capable of stealing user credentials, recording conversations, and conducting overlay attacks to harvest victims’ data. The malware uses various tactics, such as posing as a fake Google Play update to obtain elevated permissions and perform remote control activities. It targets several languages and employs string obfuscation to evade detection.
Antidot's capabilities include stealing credentials and conversations, conducting overlay attacks, logging keystrokes, recording the screen, forwarding calls, collecting contacts and SMS messages, locking and unlocking the device, and performing USSD requests.
Antidot displays a fake Google Play update page to trick victims into providing elevated permissions. It communicates with an attacker-controlled server to receive commands for multiple actions, including overlay attacks, unlocking the device, pushing notifications, and using the camera to take photos.
Furthermore, the trojan utilizes MediaProjection to capture the display content, encrypts and transmits it to the command-and-control server, and can initiate VNC to transmit the screen content to the attackers for various actions. Antidot also employs overlay attacks using WebView to display HTML phishing pages that impersonate legitimate banking or cryptocurrency applications.
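The capabilities listed above each require specific manifest declarations from an Android app, so a quick triage step when a suspicious "update" APK lands in an analyst's queue is to check its manifest against that list. The script below is an added example, not code from Cyble's report; the permission-to-capability mapping and the sample manifest are my own assumptions (the report does not name the permissions Antidot requests).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities attributed to Antidot in the report, mapped to the manifest
# declarations an app needs to implement them (assumed triage mapping).
CAPABILITY_INDICATORS = {
    "overlay phishing pages": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keylogging / remote control": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "screen capture (MediaProjection)": {"android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"},
    "conversation recording": {"android.permission.RECORD_AUDIO"},
    "SMS collection": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact collection": {"android.permission.READ_CONTACTS"},
    "call forwarding / USSD": {"android.permission.CALL_PHONE"},
    "device lock / unlock": {"android.permission.BIND_DEVICE_ADMIN"},
    "camera": {"android.permission.CAMERA"},
}

def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission> names plus the android:permission guarding
    services/receivers, which is how accessibility and device-admin bindings appear."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    perm_attr = f"{{{ANDROID_NS}}}permission"
    found = {el.get(name_attr) for el in root.iter("uses-permission")}
    for tag in ("service", "receiver"):
        found |= {el.get(perm_attr) for el in root.iter(tag)}
    return {p for p in found if p}

def triage_manifest(manifest_xml: str) -> dict[str, set[str]]:
    """Return each Antidot-like capability whose enabling declarations are present."""
    perms = declared_permissions(manifest_xml)
    return {cap: perms & needed for cap, needed in CAPABILITY_INDICATORS.items() if perms & needed}

# Constructed sample manifest in the shape of a fake "update" dropper; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    hits = triage_manifest(SAMPLE_MANIFEST)
    for cap, perms in hits.items():
        print(f"{cap}: {', '.join(sorted(perms))}")
    print(f"{len(hits)}/{len(CAPABILITY_INDICATORS)} Antidot-like capabilities declared")
```

Run it against the decoded AndroidManifest.xml of an APK (e.g. after apktool decoding); a high hit count on an app posing as a system update is a strong signal for deeper analysis, not proof on its own.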
Cyble has highlighted the trojan’s multifaceted capabilities and stealthy operations, emphasizing its targeted approach to evade detection and maximize its reach across different language-speaking regions. It is crucial for the organization to be vigilant and take necessary security measures to protect against this potential threat.