Cybersecurity experts have revealed the operational details of an Android malware known as AntiDot, which has infected more than 3,775 devices through 273 separate attack campaigns.
"The financially-driven threat group LARVA-398 operates AntiDot, actively marketing it as Malware-as-a-Service on criminal forums and connecting it to numerous mobile attack operations," PRODAFT reported to The Hacker News.
AntiDot markets itself as a comprehensive "three-in-one" package featuring screen recording by abusing Android's accessibility service, SMS message interception, and sensitive data extraction from installed applications.
Researchers believe this Android botnet spreads through malicious advertising networks or carefully crafted phishing attacks that selectively target victims based on their language and location.
AntiDot first gained public attention in May 2024 when security teams discovered it masquerading as Google Play updates to achieve its data theft goals.
Similar to other Android trojans, it possesses extensive capabilities for conducting overlay attacks, keystroke logging, and remote device control using Android's MediaProjection API. The malware also creates WebSocket connections to enable real-time, two-way communication between compromised devices and external servers.
In December 2024, Zimperium uncovered a mobile phishing operation distributing an enhanced AntiDot variant called AppLite Banker through fake job offer lures.
Recent findings from the Swiss cybersecurity firm indicate at least 11 active command-and-control servers managing no fewer than 3,775 infected devices across 273 individual campaigns.
Built as Java-based malware, AntiDot uses heavy obfuscation through commercial packers to evade detection and analysis attempts. PRODAFT notes the malware deploys through a three-stage process beginning with an APK file.
"Examining the AndroidManifest file shows many class names missing from the original APK," the company explained. "These absent classes load dynamically through the packer during installation, containing malicious code from encrypted files. This entire mechanism deliberately avoids antivirus detection."
After activation, it displays a fake update notification and requests accessibility permissions from victims. Once granted, it unpacks and loads a DEX file containing botnet functionality.
AntiDot's primary feature involves monitoring newly launched applications and presenting fraudulent login screens from the C2 server when victims access cryptocurrency or payment apps of interest to the operators.
The malware abuses accessibility services to collect comprehensive information about active screen content and designates itself as the default SMS application in order to capture text messages. Additionally, it can monitor phone calls, block specific numbers, or redirect calls, creating further fraud opportunities.
Another significant capability involves tracking real-time notifications in the device's status bar and dismissing or snoozing them to suppress alerts and prevent users from detecting suspicious activity.
PRODAFT discovered the C2 panel controlling remote functions uses MeteorJS, an open-source JavaScript framework enabling real-time communication. The panel contains six sections: Bots (displaying compromised device lists), Injects (showing target apps for overlay injection), Analytics (listing installed applications for future targeting), Settings (core configuration options), Gates (infrastructure endpoint management), and Help (support resources).
"AntiDot represents a scalable and evasive MaaS platform designed for financial profit through persistent mobile device control, particularly in localized and language-specific regions," the company stated. "The malware employs WebView injection and overlay attacks for credential theft, creating serious privacy and security threats."
GodFather Banking Trojan Returns with Advanced Features
Separately, Zimperium zLabs discovered a "sophisticated evolution" of the GodFather Android banking trojan utilizing on-device virtualization to compromise legitimate mobile banking and cryptocurrency applications for real-time fraud.
"This novel technique centers on the malware's ability to create complete, isolated virtual environments on victim devices. Rather than simply mimicking login screens, the malware installs a malicious 'host' application containing virtualization frameworks," explained researchers Fernando Ortega and Vishnu Pratapagiri.
"This host downloads and executes copies of actual targeted banking or cryptocurrency apps within controlled sandboxes."
When victims launch applications, they're redirected to virtual instances where threat actors monitor their activities. The latest GodFather version includes features bypassing static analysis tools through ZIP manipulation and filling AndroidManifest files with irrelevant permissions.
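The ZIP-manipulation trick mentioned above works because an APK is a ZIP archive with two descriptions of every entry (the central directory and the per-file local headers), and a static analysis tool that trusts only one of them can be fed metadata that disagrees with the other. The following is an added example, not code from the article or from Zimperium, showing a triage check that reads both structures and reports where they disagree (duplicate entry names, mismatched compression method or CRC, missing local header). The sample archive is constructed in memory; the `classes.dex` bytes are placeholder data, and which specific inconsistencies GodFather uses is not stated in the article, so the two injected here are illustrative.

```python
"""Cross-check a ZIP/APK central directory against its local file headers.

Static analysers that trust only one of the two structures can be fed
inconsistent metadata; this script reports the disagreements instead.
Constructed sample data is built in memory so it runs offline.
"""
import io
import struct
import warnings
import zipfile

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FIXED_LEN = 30          # 4-byte signature + 26 bytes of fixed fields
DATA_DESCRIPTOR_FLAG = 0x08   # CRC/sizes follow the data, so the header's CRC is not authoritative


def read_local_header(data: bytes, offset: int):
    """Parse the local file header at `offset`; return None if no signature is there."""
    if data[offset:offset + 4] != LOCAL_SIG:
        return None
    (_version, flags, method, _time, _date, crc, _csize, _usize,
     name_len, _extra_len) = struct.unpack_from("<HHHHHIIIHH", data, offset + 4)
    name = data[offset + LOCAL_FIXED_LEN:offset + LOCAL_FIXED_LEN + name_len]
    return {"flags": flags, "method": method, "crc": crc,
            "name": name.decode("utf-8", "replace")}


def check_zip_consistency(data: bytes) -> list:
    """Return human-readable findings; an empty list means the archive is self-consistent."""
    findings = []
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")   # zipfile warns about duplicate names; we report them ourselves
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.infolist()       # central directory view only; nothing is decompressed
    seen = set()
    for info in entries:
        if info.filename in seen:
            findings.append(f"duplicate entry name in central directory: {info.filename}")
        seen.add(info.filename)
        local = read_local_header(data, info.header_offset)
        if local is None:
            findings.append(f"{info.filename}: no local header at offset {info.header_offset}")
            continue
        if local["name"] != info.filename:
            findings.append(f"{info.filename}: local header name is {local['name']!r}")
        if local["method"] != info.compress_type:
            findings.append(f"{info.filename}: local method {local['method']} != central method {info.compress_type}")
        if not local["flags"] & DATA_DESCRIPTOR_FLAG and local["crc"] != info.CRC:
            findings.append(f"{info.filename}: local CRC {local['crc']:#010x} != central CRC {info.CRC:#010x}")
    return findings


def build_sample(tamper: bool) -> bytes:
    """Constructed APK-shaped archive; with tamper=True two inconsistencies are introduced."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 8)   # placeholder bytes, not a real DEX
        if tamper:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("AndroidManifest.xml", b"<manifest package='other'/>")  # second entry, same name
    data = bytearray(buf.getvalue())
    if tamper:
        # Flip the local header's compression method for classes.dex to 8 (deflate)
        # while the central directory still says 0 (stored).
        header = data.find(b"classes.dex") - LOCAL_FIXED_LEN   # first hit is the local header's name field
        struct.pack_into("<H", data, header + 8, 8)            # method field sits 8 bytes into the header
    return bytes(data)


if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("tampered", build_sample(True))):
        print(label, check_zip_consistency(blob) or "consistent")
```

Run on a real APK, `check_zip_consistency(open(path, "rb").read())` returns an empty list for a normally built package; any finding is a reason to look at the archive by hand before trusting a tool that only parses one of the two structures.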
Like AntiDot, GodFather relies on accessibility services for information gathering and device control. While Google implemented security protections preventing sideloaded apps from enabling accessibility services starting with Android 13, session-based installation approaches can circumvent these safeguards.
The malware's virtualization feature operates by first collecting information about installed applications and checking for predetermined targets. When matches are found, it extracts relevant information and installs virtual copies within the dropper application. Subsequently, when victims attempt launching actual banking applications, GodFather intercepts these actions and opens virtualized instances instead.
Similar virtualization capabilities previously appeared in FjordPhantom malware, documented by Promon in December 2023. This method represents a significant shift in mobile threat capabilities beyond traditional overlay tactics for stealing credentials and sensitive data.
"While this GodFather campaign targets nearly 500 applications globally, our analysis reveals this highly sophisticated virtualization attack currently focuses on a dozen Turkish financial institutions," the company noted.
"A particularly concerning capability discovered in GodFather malware is its capacity for stealing device lock credentials, regardless of whether victims use unlock patterns, PINs, or passwords. This poses significant threats to user privacy and device security."
SuperCard X Malware Targets Russian Users
The research also follows the first documented attempts targeting Russian users with SuperCard X, a newly emerged Android malware conducting near-field communication (NFC) relay attacks for fraudulent transactions.
Russian cybersecurity company F6 reports that SuperCard X is a malicious modification of NFCGate, a legitimate tool for capturing or modifying NFC traffic. The malware's objective is to receive NFC traffic from victims' devices, including bank card data obtained through EMV chip commands.
"This application enables attackers to steal bank card data by intercepting NFC traffic for subsequent money theft from users' bank accounts," F6 researcher Alexander Koposov reported this week.
SuperCard X attacks first targeted Italian Android users earlier this year, weaponizing NFC technology to relay data from victims' physical cards to attacker-controlled devices for fraudulent ATM withdrawals or point-of-sale payment authorization.
The Chinese-speaking MaaS platform, advertised on Telegram as capable of targeting major U.S., Australian, and European bank customers, shares substantial code similarities with NGate, an Android malware also weaponizing NFCGate for malicious purposes in the Czech Republic.
All these campaigns share the same initial access vector: smishing messages that convince potential victims to install APK files disguised as useful programs.
Malicious Apps Infiltrate Official App Stores
While the previously mentioned malware strains require victims to sideload them, new research has uncovered malicious applications on the Google Play Store and Apple's App Store with capabilities for harvesting personal information and stealing cryptocurrency wallet mnemonic phrases to drain assets.
One application, RapiPlata, was downloaded approximately 150,000 times across Android and iOS devices, highlighting the threat's severity. The app represents SpyLoan malware, which lures users with low-interest loan promises only to subject them to extortion, blackmail, and data theft.
"RapiPlata primarily targets Colombian users by promising quick loans," Check Point stated. "Beyond predatory lending practices, the app conducts extensive data theft. The app accessed sensitive user data including SMS messages, call logs, calendar events, and installed applications, uploading this information to its servers."
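Two of the manifest-level signals in this article are cheap to check before any dynamic analysis: a loan app that declares permissions for SMS, call logs, calendar and the installed-app list (the data Check Point saw RapiPlata upload), and a manifest padded with a long list of irrelevant permissions (the GodFather evasion described earlier). Below is an added example, not code from the article, Check Point or Zimperium, that triages a decoded AndroidManifest.xml (text XML as produced by a decoder such as apktool, not the binary form inside the APK). The two sample manifests are constructed; the `CONSTRUCTED_PAD_n` permission names in the padded sample are invented filler, and the 30-permission padding threshold is an assumed cut-off to tune per app category.

```python
"""Permission triage for a decoded AndroidManifest.xml.

Flags data-harvesting permissions, accessibility-service declarations and
an implausibly long permission list. Sample manifests are constructed inline.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
PADDING_THRESHOLD = 30   # assumed cut-off for "too many permissions to be plausible"

# Permissions that grant the categories of data the article describes being harvested.
HARVEST_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "incoming SMS",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CALENDAR": "calendar events",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.QUERY_ALL_PACKAGES": "installed application list",
}


def triage_manifest(xml_text: str) -> dict:
    """Summarise the risk-relevant declarations of one decoded manifest."""
    root = ET.fromstring(xml_text)
    declared = [el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")]
    declared = [p for p in declared if p]
    distinct = set(declared)
    # Any <service> that requires BIND_ACCESSIBILITY_SERVICE is an accessibility service.
    accessibility = [svc.get(ANDROID_NS + "name") for svc in root.iter("service")
                     if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND]
    return {
        "package": root.get("package"),
        "permission_count": len(distinct),
        "duplicate_declarations": len(declared) - len(distinct),
        "harvesting": {p: HARVEST_PERMISSIONS[p] for p in sorted(distinct) if p in HARVEST_PERMISSIONS},
        "accessibility_services": accessibility,
        "padding_suspected": len(distinct) > PADDING_THRESHOLD,
    }


# Constructed manifest modelled on a loan app that reads far more than a lender needs.
LOAN_APP_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.loanapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Loans">
    <service android:name=".CollectorService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

# Constructed manifest padded with 40 invented, irrelevant permission names.
PADDED_MANIFEST = (
    '<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.padded">'
    '<uses-permission android:name="android.permission.INTERNET"/>'
    + "".join(f'<uses-permission android:name="android.permission.CONSTRUCTED_PAD_{i}"/>' for i in range(40))
    + "<application/></manifest>"
)


if __name__ == "__main__":
    for text in (LOAN_APP_MANIFEST, PADDED_MANIFEST):
        result = triage_manifest(text)
        print(result["package"], result)
```

The verdict is deliberately left to the analyst: a messaging app legitimately declares READ_SMS, so the useful signal is the combination of the declared app purpose, the harvesting set, an accessibility service, and an oversized permission list, not any single entry.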
The cryptocurrency wallet phishing applications distributed through compromised developer accounts serve phishing pages via WebView to obtain seed phrases.
Although these applications have been removed from their respective app stores, Android versions may remain available through third-party marketplaces. Users should exercise caution when downloading financial or loan-related applications.