Surge in Android Malware Targets Devices through Overlay Attacks, Virtualization Exploits, and NFC Theft
Cybersecurity researchers have identified and analyzed an Android malware known as AntiDot, which has compromised over 3,775 devices across 273 distinct campaigns. Operated by the financially motivated threat actor LARVA-398, AntiDot is marketed as Malware-as-a-Service (MaaS) on underground forums, facilitating an array of malicious mobile activities.
AntiDot is marketed as a “three-in-one” solution, offering capabilities to record device screens, intercept SMS messages, and extract sensitive information from third-party applications. The botnet has been delivered primarily through malicious advertising networks and targeted phishing campaigns that select victims based on their language and geographical location.
Initially documented in May 2024, AntiDot was found to be distributed under the guise of Google Play updates, with the aim of stealing information. Like other Android trojans, it can conduct overlay attacks, log keystrokes, and remotely control infected devices via the MediaProjection API. The malware establishes a WebSocket connection for real-time communication between the infected device and external servers.
In December 2024, Zimperium revealed an updated version of AntiDot, named AppLite Banker, which was distributed via job offer-themed phishing campaigns. Current investigations indicate that at least 11 active command-and-control (C2) servers are managing the dissemination of AntiDot across numerous devices.
AntiDot is fundamentally a Java-based malware that employs advanced obfuscation techniques to evade detection, usually by means of a commercial packer. Delivery is a three-stage process that begins with an APK file. An inspection of the AndroidManifest file shows that many class names are obfuscated, with critical classes loaded dynamically during installation and then populated with malicious code extracted from an encrypted file. This methodology is specifically designed to circumvent antivirus detection.
Upon execution, AntiDot prompts the user with a deceptive update interface and solicits accessibility permissions before unpacking and activating a DEX file containing the botnet functionalities. A distinguishing feature of this malware is its monitoring of newly launched applications, where it serves fraudulent login screens when the user accesses cryptocurrency or payment apps of interest to the attackers.
The malware exploits accessibility services to gather information on active screen contents and sets itself as the default SMS application to capture incoming and outgoing messages. Furthermore, AntiDot has capabilities to monitor phone calls, block certain numbers, or redirect them, thereby broadening its avenues for fraudulent activities.
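The combination of capabilities described above (an accessibility service, a receiver that qualifies the app as the default SMS handler, the overlay permission, and call-control permissions) is visible in a decoded AndroidManifest.xml before any code runs. The following triage heuristic is an added example written for this article, not code from the report or from any analysed sample; the manifest it parses is constructed for illustration, and the indicator names and the review threshold are this example's own choices.

```python
"""Manifest triage heuristic for the capability combination the article
attributes to AntiDot (accessibility abuse, default-SMS takeover, overlay
screens, call control). Added example; the manifest below is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"          # android:name attribute
A_PERM = f"{{{ANDROID_NS}}}permission"    # android:permission attribute

# Constructed manifest fragment resembling a decoded AndroidManifest.xml.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.update">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <application>
    <service android:name=".a" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".b" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text: str) -> dict:
    """Return the matched indicators, a count, and whether the APK merits manual review."""
    root = ET.fromstring(xml_text)
    perms = {p.get(A_NAME) for p in root.iter("uses-permission")}
    actions = {a.get(A_NAME) for a in root.iter("action")}
    indicators = {
        # A service bound with BIND_ACCESSIBILITY_SERVICE can read screen content and inject input.
        "accessibility_service": any(
            s.get(A_PERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE" for s in root.iter("service")),
        # SMS_DELIVER receiver is one of the components required to become the default SMS app.
        "sms_deliver_receiver": "android.provider.Telephony.SMS_DELIVER" in actions,
        # SYSTEM_ALERT_WINDOW allows drawing fake login screens over other apps.
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "sms_permissions": bool(perms & {"android.permission.READ_SMS",
                                         "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"}),
        "call_control": bool(perms & {"android.permission.ANSWER_PHONE_CALLS",
                                      "android.permission.CALL_PHONE", "android.permission.READ_CALL_LOG"}),
    }
    hits = sorted(name for name, present in indicators.items() if present)
    return {"indicators": hits, "score": len(hits), "review": len(hits) >= 3}
```

Any single indicator is legitimate for some app class (a real SMS client, an accessibility tool), so the heuristic flags the combination rather than any one permission; it is a triage aid for prioritising manual analysis, not a verdict.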
The C2 panel that oversees the malware is constructed on MeteorJS, an open-source JavaScript framework, providing real-time communication capabilities. The panel encompasses six tabs displaying functionalities such as compromised devices, target apps for overlay injections, analytics regarding installed applications, core settings, infrastructure management, and user support.
PRODAFT has described AntiDot as a sophisticated and evasive MaaS platform tailored for monetary gain, particularly in localized and language-specific markets. The malware implementation incorporates overlay attacks and WebView injections to pilfer user credentials, representing a significant threat to device security and user privacy.
In addition to AntiDot, researchers have noted the evolution of the GodFather Android banking trojan, which utilizes on-device virtualization to hijack legitimate mobile banking and cryptocurrency applications. This advanced method allows the malware to create an isolated virtual environment on the victim’s device, monitoring user activities and potentially stealing sensitive data such as device lock credentials, regardless of the security mechanisms in place.
Moreover, the emergence of SuperCard X malware targeting Russian users marks a concerning trend in NFC relay attacks for fraudulent transactions. This malware acts as a malevolent modification of the legitimate NFCGate tool, enabling attackers to intercept NFC communications and extract bank card data.
Researchers have also identified malicious applications on official app stores that harvest personal information and phish for cryptocurrency wallet credentials. One such application, RapiPlata, has been identified as spyware masquerading as a loan service, extensively collecting sensitive user data and exploiting it for extortion.
As these threats continue to evolve, a robust response mechanism beyond mere user awareness and reactive patching is imperative for securing mobile ecosystems against these sophisticated adversaries. Stakeholders in the cybersecurity landscape are urged to adopt proactive defense strategies to counteract the potential threats posed by malware like AntiDot, GodFather, and SuperCard X.