Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing) campaign that’s designed to distribute an updated version of the Antidot banking trojan.
“The attackers presented themselves as recruiters, luring unsuspecting victims with job offers,” Zimperium zLabs researcher Vishnu Pratapagiri said in a new report.
“As part of their fraudulent hiring process, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing the updated variant of Antidot Banker on the victim’s device.”
The new version of the Android malware has been codenamed AppLite Banker by the mobile security company, highlighting its ability to siphon the device unlock PIN (or pattern or password) and remotely take control of infected devices, a capability recently also observed in TrickMo.
The attacks employ a variety of social engineering strategies, often luring targets with the prospect of a job opportunity that claims to offer a “competitive hourly rate of $25” and excellent career advancement options.
In a September 2024 Reddit post identified by The Hacker News, several users said they had received emails from a Canadian company named Teximus Technologies about a job offer for a remote customer service agent.
Should the victim engage with the purported recruiter, they are directed to download a malicious Android app from a phishing page as part of the recruitment process. That app acts as a first-stage dropper responsible for deploying the main malware on the device.
Zimperium said it discovered a network of phony domains that are used to distribute the malware-laced APK files that masquerade as employee-customer relationship management (CRM) apps.
The dropper apps, besides employing ZIP file manipulation to evade analysis and bypass security defenses, instruct victims to register for an account, after which they display a message asking the user to install an app update in order to “keep your phone protected.” The apps also prompt the user to allow the installation of Android apps from external sources.
“When the user clicks the ‘Update’ button, a fake Google Play Store icon appears, leading to the installation of the malware,” Pratapagiri said.
“Like its predecessor, this malicious app requests Accessibility Services permissions and abuses them to overlay the device’s screen and carry out harmful activities. These activities include self-granting permissions to facilitate further malicious operations.”
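The report says the dropper relies on ZIP file manipulation to evade analysis but does not say which manipulation. The script below is an added example, not Zimperium's tooling and not code from the malware: it performs the generic consistency checks an analyst runs before trusting an APK, walking the central directory and local file headers by hand and flagging the disagreements that commonly make static analysis tools and the Android runtime see different archive contents (duplicate entry names, compression methods Android does not support, encrypted entries, mismatched central/local headers, data that runs past the end of the file). The sample archive it audits is constructed inside the script; its entry names and placeholder bytes are stand-ins, not real APK contents.

```python
"""Structural audit of an APK's ZIP container (added example, not from the report)."""
import io
import struct
import warnings
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header
ANDROID_METHODS = {0, 8}   # stored and deflated: the only methods Android accepts


def _eocd(data):
    # The EOCD sits at the end of the file, possibly followed by a comment of up to 65535 bytes.
    start = max(0, len(data) - 22 - 0xFFFF)
    idx = data.rfind(EOCD_SIG, start)
    if idx < 0:
        raise ValueError("no end-of-central-directory record")
    return struct.unpack("<4sHHHHIIH", data[idx:idx + 22])


def _central_entries(data):
    """Yield (header_offset, name, flags, method, compressed_size, local_header_offset)."""
    _, _, _, _, count, _, cd_off, _ = _eocd(data)
    pos = cd_off
    for _ in range(count):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"central directory truncated at 0x{pos:x}")
        f = struct.unpack("<4sHHHHHHIIIHHHHHII", data[pos:pos + 46])
        flags, method, csize = f[3], f[4], f[8]
        fn_len, ex_len, cm_len, lfh_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + fn_len]
        yield pos, name, flags, method, csize, lfh_off
        pos += 46 + fn_len + ex_len + cm_len


def audit_apk(data):
    """Return a list of human-readable findings; an empty list means the container is consistent."""
    findings = []
    seen = set()
    for _, name, flags, method, csize, lfh_off in _central_entries(data):
        label = name.decode("utf-8", "replace")
        if name in seen:
            findings.append(f"duplicate entry {label!r}")
        seen.add(name)
        if flags & 0x1:
            findings.append(f"encrypted entry {label!r}")
        if method not in ANDROID_METHODS:
            findings.append(f"unsupported compression method {method} for {label!r}")
        if data[lfh_off:lfh_off + 4] != LFH_SIG:
            findings.append(f"no local header at 0x{lfh_off:x} for {label!r}")
            continue
        lf = struct.unpack("<4sHHHHHIIIHH", data[lfh_off:lfh_off + 30])
        l_method, l_fn_len, l_ex_len = lf[3], lf[9], lf[10]
        l_name = data[lfh_off + 30:lfh_off + 30 + l_fn_len]
        if l_name != name:
            findings.append(f"name mismatch: central {label!r} vs local {l_name!r}")
        if l_method != method:
            findings.append(f"method mismatch for {label!r}: central {method}, local {l_method}")
        if lfh_off + 30 + l_fn_len + l_ex_len + csize > len(data):
            findings.append(f"data for {label!r} runs past end of file")
    if b"AndroidManifest.xml" not in seen:
        findings.append("AndroidManifest.xml missing")
    return findings


def build_sample_apk(duplicate_manifest=False):
    """Constructed stand-in for an APK: a ZIP with the entry names analysts expect (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
        z.writestr("resources.arsc", b"\x02\x00\x0c\x00")
        if duplicate_manifest:
            # A second entry with the same name: tools that pick the first and a runtime
            # that picks the last will disagree about which manifest is in effect.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                z.writestr("AndroidManifest.xml", b"<manifest tampered='yes'/>")
    return buf.getvalue()


def patch_central_method(data, name, method):
    """Rewrite one central-directory entry's compression method, leaving its local header untouched."""
    data = bytearray(data)
    for pos, entry_name, *_ in _central_entries(bytes(data)):
        if entry_name == name:
            struct.pack_into("<H", data, pos + 10, method)  # method field is at offset 10 of the header
            return bytes(data)
    raise KeyError(name)


if __name__ == "__main__":
    for label, blob in [("clean", build_sample_apk()),
                        ("duplicate manifest", build_sample_apk(duplicate_manifest=True)),
                        ("bogus method", patch_central_method(build_sample_apk(), b"AndroidManifest.xml", 12))]:
        print(label, "->", audit_apk(blob) or "no findings")
```

The point of walking the headers manually rather than trusting `zipfile` is that an analysis library and the on-device installer each resolve an inconsistent archive in their own way; an archive that opens cleanly in one tool can still carry a second manifest or a method value that the other side handles differently. Any non-empty result from `audit_apk` is a reason to stop and look at the raw bytes before drawing conclusions from decompiled output.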
The newest version of Antidot packs in support for new commands that allow the operators to launch the “Keyboard & Input” settings, interact with the lock screen based on the configured type (i.e., PIN, pattern, or password), wake up the device, reduce screen brightness to the lowest level, launch overlays to steal Google account credentials, and even prevent the malware from being uninstalled.
It also incorporates the ability to hide certain SMS messages, block calls from a predefined set of mobile numbers received from a remote server, launch the “Manage Default Apps” settings, and serve fake login pages for 172 banks, cryptocurrency wallets, and social media services like Facebook and Telegram.
Some of the other known features of the malware include keylogging, call forwarding, SMS theft, and Virtual Network Computing (VNC) functionality to remotely interact with the compromised devices.
Users proficient in languages such as English, Spanish, French, German, Italian, Portuguese, and Russian are said to be the targets of the campaign.
“Given the malware’s advanced capabilities and extensive control over compromised devices, it is imperative to implement proactive and robust protection measures to safeguard users and devices against this and similar threats, preventing data or financial losses.”
The findings come as Cyfirma revealed that high-value assets in Southern Asia have become the target of an Android malware campaign that delivers the SpyNote trojan. The attacks have not been attributed to any known threat actor or group.
“The continued use of SpyNote is notable, as it highlights the threat actors’ preference for leveraging this tool to target high-profile individuals despite being publicly available on various underground forums and Telegram channels,” the company said.