Threat actors have been distributing the novel Antidot Android banking trojan as fraudulent Google Play updates to facilitate credential compromise and other malicious actions, SecurityWeek reports.
Click for more special coverage
Intrusions commence with the deployment of a fake device language-tailored Google Play update that attempts privilege escalation before the commencement of overlay attacks, device unlocking, app uninstallation, data exfiltration, SMS message delivery, Virtual Network Computing operations, and photo capturing, a report from Cyble revealed.
Attackers could conduct additional compromise through opening notifications and dialogues, making swipe gestures, and interacting with clipboard content through VNC enabled by the Antidot trojan, according to researchers, who also noted the WebView utilization of the trojan's overlay attack module to show banking and cryptocurrency app-spoofing HTML phishing pages.
"[Antidot's] utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions," said Cyble.
