A new malware campaign seeks to steal data from users’ bank accounts through phishing pages that appear at the exact moment the user opens an app on their mobile phone.
The computer security company Cyble claims to have discovered a new Trojan aimed at Android users, whose objective is the theft of banking credentials and which they have named “Antidote”. The attackers have created fake pages that urge the user to update the official Android app store, Google Play Store, and through those pages they get the Trojan onto smartphones.
Once the package is installed on the phone, a window appears on the screen urging the user to complete a Play Store update, and for this it requests access to the device’s Accessibility settings.
With that permission, the criminals can collect information from the device and control it: recording keystrokes, locking or unlocking the phone, and accessing contacts and SMS, among other things. They also use Android’s MediaProjection feature to capture screen content containing personal information, which they view remotely over VNC (Virtual Network Computing).
The way they reach confidential content on the victims’ phones is the overlay attack, in which “the malware sends the list of package names of the installed application to the C&C server [Command and Control], which will be used to find the target application. Once found, the server sends injections that cause the deployment of a fake phishing website when entering the banking application,” Cyble indicates.
Other abilities of this malware, first identified by Cyble on May 6, are screen recording, keylogging, making USSD requests and call forwarding. The malware maintains two-way communication between the server (the scammers) and the client (the user’s device) through “ping” and “pong” messages.
These phishing pages are less likely to raise the user’s suspicion, since they are displayed at the very moment the user opens a legitimate application on their phone. If the page created by the criminals is realistic enough, this can lead to a fairly successful scam.
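The overlay technique described above hinges on the Trojan being granted an accessibility service, so one quick defensive check is to review which accessibility services a device has enabled. The script below is an added example and is not code from Cyble’s report; it parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns, using a constructed sample string and an assumed allowlist (the `com.example.fakeupdate` entry is a placeholder, not a real indicator).

```shell
#!/bin/sh
# Constructed sample of the value returned by
#   adb shell settings get secure enabled_accessibility_services
# Entries are "package/ServiceClass" separated by ':'. The second entry is an
# invented placeholder standing in for a service a fake "Play Store update" might register.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/.PlayStoreUpdateService'

# Allowlist of packages whose accessibility services are expected on the device (assumption).
ALLOWED_PKGS='com.google.android.marvin.talkback com.android.talkback'

# flag_unexpected_a11y_services SERVICES ALLOWED
# Prints every enabled service whose package is not in ALLOWED.
# Returns 0 when everything is allowlisted, 1 when at least one service was flagged.
flag_unexpected_a11y_services() {
  services="$1"; allowed="$2"; found=0
  # Split on ':' one entry per line; the here-doc keeps the loop in the current shell
  # so that "found" survives after the loop.
  while IFS= read -r entry; do
    [ -z "$entry" ] && continue
    pkg="${entry%%/*}"          # package name is everything before the first '/'
    case " $allowed " in
      *" $pkg "*) ;;            # known, expected service
      *)
        printf 'UNEXPECTED accessibility service: %s\n' "$entry"
        found=1
        ;;
    esac
  done <<EOF
$(printf '%s\n' "$services" | tr ':' '\n')
EOF
  return "$found"
}

# Example run against the constructed sample; a non-zero status means review is needed.
flag_unexpected_a11y_services "$SAMPLE_SERVICES" "$ALLOWED_PKGS" \
  || echo "Review the flagged service(s) before trusting this device."
```

On a real device, replace `SAMPLE_SERVICES` with the output of the adb command and tailor the allowlist to the accessibility tools actually in use.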
Aimed at various regions
Judging by the languages in which the fake update is offered, the cybercriminals have aimed their campaign at Spanish-, German-, Russian-, Portuguese-, French-, Romanian- and English-speaking countries.
“The newly emerged banking Trojan ‘Antidot’ stands out for its multifaceted capabilities and stealthy operations. Its use of string obfuscation, encryption, and strategic deployment of fake update pages demonstrates an approach aimed at evading detection and maximizing its reach in various linguistic-speaking regions,” the cybersecurity company assesses. With its capabilities, “Antidot represents a significant threat to the privacy and financial security of users,” they add.
Among its recommendations for avoiding this type of malware, Cyble reminds users to download applications only from official sources, such as the Google Play Store or the Apple App Store, to be careful with the permissions granted to apps, and to keep the Google Play Protect service active on Android devices.