The Trojan is disguised as official Google Play updates and supports multiple languages such as English, German, French, Spanish, Portuguese, Romanian, and even Russian.
The malicious software is distributed as a Google Play update and appears on the victim’s device as “New Version”. Once installed and launched, the user encounters a fake Google Play page with detailed instructions on how to complete the update.
Upon clicking the “Continue” button, the victim is redirected to set up special Android capabilities, where the malicious application requests various permissions, including full-screen overlay access, notification access, and advanced system controls such as performing presses, swipes, and gestures on the user’s behalf.
After obtaining the necessary permissions, the Trojan sends encoded data to a remote server, including the name of the malicious app, SDK version, smartphone manufacturer, language, country code, and list of installed applications.
The Trojan establishes a connection with a command server via HTTP and uses the Socket.IO library for real-time bidirectional communication, maintaining a persistent server-client channel.
Antidot sends statistics to the server and receives commands, supporting 35 functions such as VNC (virtual network computing) remote control, keylogging, overlay attacks, screen recording, call interception, contact collection, SMS monitoring, USSD requests, and device blocking/unlocking.
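The Socket.IO channel described above leaves a recognisable footprint in egress proxy logs: Engine.IO handshakes use the path `/socket.io/` with `EIO` and `transport` query parameters. The following Python is an added detection example, not code from Cyble or the original article; the log lines are constructed, and the allowlist of hosts legitimately using Socket.IO is hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Hypothetical allowlist of first-party hosts known to use Socket.IO legitimately.
ALLOWED_SOCKETIO_HOSTS = {"chat.example-corp.internal"}

# Constructed proxy log lines (not real traffic): client_ip method url "user_agent"
SAMPLE_LOG = """\
10.0.0.12 GET http://203.0.113.7/socket.io/?EIO=4&transport=polling&t=OaBcDe "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A)"
10.0.0.12 POST http://203.0.113.7/socket.io/?EIO=4&transport=polling&sid=abc123 "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A)"
10.0.0.15 GET https://chat.example-corp.internal/socket.io/?EIO=4&transport=websocket "okhttp/4.9.0"
10.0.0.20 GET https://play.googleapis.com/ "Dalvik/2.1.0 (Linux; U; Android 12)"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
ANDROID_UA = re.compile(r"Dalvik/|Android", re.IGNORECASE)

def parse_line(line):
    """Split one log line into its fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, ua = m.groups()
    return {"ip": ip, "method": method, "url": url, "ua": ua}

def is_socketio_handshake(url):
    """Engine.IO (Socket.IO) transport: path /socket.io/ plus EIO and transport query params."""
    parts = urlsplit(url)
    if not parts.path.startswith("/socket.io/"):
        return False
    q = parse_qs(parts.query)
    return "EIO" in q and q.get("transport", [""])[0] in ("polling", "websocket")

def find_suspicious(log_text):
    """Return unique (client_ip, host) pairs where an Android client opened a
    Socket.IO session to a host that is not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_socketio_handshake(rec["url"]):
            continue
        host = urlsplit(rec["url"]).hostname
        if host in ALLOWED_SOCKETIO_HOSTS or not ANDROID_UA.search(rec["ua"]):
            continue
        pair = (rec["ip"], host)
        if pair not in hits:
            hits.append(pair)
    return hits

if __name__ == "__main__":
    for ip, host in find_suspicious(SAMPLE_LOG):
        print(f"{ip} -> {host}: Socket.IO session from Android client to unknown host")
```

The heuristic only surfaces candidates; a hit should be triaged against the device’s installed-app list, since legitimate Android apps also use Socket.IO.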
“The use of obfuscation, encryption, and fake update pages demonstrates a targeted approach to evade detection and broaden coverage across various languages,” stated Cyble researchers.
To mitigate this threat, Cyble advises:
- Install mobile software from official app stores like Google Play and App Store
- Use reputable antivirus programs and internet security tools
- Implement strong passwords with multi-factor authentication
- Exercise caution when opening links from SMS or email
- Activate Google Play Protect on Android devices
- Review permissions granted to applications
- Promptly install legitimate updates on devices