Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices through a mobile-phishing (mishing) campaign, where this variant builds upon the version identified by Cyble in May 2024. 

The attackers leverage social engineering tactics, posing as recruiters offering job opportunities to lure victims. Once a user clicks on a malicious link within the phishing message, they are redirected to a network of phishing domains designed to distribute the AppLite malware. 

Upon successful installation, AppLite grants the attacker a broad range of malicious capabilities on the compromised device, which include credential theft for banking applications, cryptocurrency wallets, and potentially other sensitive applications like social media accounts, email clients, and messaging platforms. 

- Advertisement -

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

By stealing credentials for these accounts, attackers can gain unauthorized access to a user’s financial information, digital assets, and personal communications and potentially even hijack their online identities.

An analysis of the AppLite campaign highlights several key technical points. First, the attackers are leveraging a technique known as domain name generation algorithms (DGA) to dynamically generate phishing domains. 

This makes it difficult for traditional security solutions to block all malicious URLs, as new ones can be created quickly.

To address this challenge, Zimperium’s zLabs researchers leverage machine learning algorithms to detect and block malicious domains associated with DGA-based campaigns. 

The machine learning models are trained on vast datasets of known malicious URLs and are able to identify patterns and characteristics that are indicative of phishing domains, even if they have never been seen before, which allows to provide real-time protection against DGA-based phishing attacks.

Second, the AppLite malware itself is obfuscated to evade detection by static analysis tools, as the malware’s malicious code is hidden or disguised, making it more difficult for security researchers to understand how it works. 

To counter this tactic, they utilize advanced behavioral analysis techniques to detect malicious activities regardless of the obfuscation methods employed by the malware, where behavioral analysis involves monitoring the actions of an application on a device to determine whether it is exhibiting any suspicious or malicious behavior. 

If an application is attempting to steal credentials from other applications or if it is communicating with known command-and-control servers, this would be indicative of malicious intent. 

Finally, the attackers are using a technique known as reflection to inject malicious code into legitimate websites. In a reflection attack, attackers exploit a vulnerability in a website that allows them to inject arbitrary code into the website’s response. 

The injected code can then be used to steal credentials, deliver malware, or perform other malicious actions, while the solution defends against reflection-based attacks by inspecting the network traffic for signs of malicious code injection and blocking any attempts to deliver malware through this method. 

Users are able to identify and prevent reflection attacks, even if they are obfuscated or use novel techniques, by conducting an analysis of the traffic on the network to look for suspicious patterns and behaviors.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free