Thursday, January 23, 2025
HomeAndroidAntidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Published on

SIEM as a Service

Follow Us on Google News

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices through a mobile-phishing (mishing) campaign, where this variant builds upon the version identified by Cyble in May 2024. 

The attackers leverage social engineering tactics, posing as recruiters offering job opportunities to lure victims. Once a user clicks on a malicious link within the phishing message, they are redirected to a network of phishing domains designed to distribute the AppLite malware. 

An example of a phishing email sent by attackers
An example of a phishing email sent by attackers

Upon successful installation, AppLite grants the attacker a broad range of malicious capabilities on the compromised device, which include credential theft for banking applications, cryptocurrency wallets, and potentially other sensitive applications like social media accounts, email clients, and messaging platforms. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

By stealing credentials for these accounts, attackers can gain unauthorized access to a user’s financial information, digital assets, and personal communications and potentially even hijack their online identities.

Targeting speakers across different countries based on the language
Targeting speakers across different countries based on the language

An analysis of the AppLite campaign highlights several key technical points. First, the attackers are leveraging a technique known as domain name generation algorithms (DGA) to dynamically generate phishing domains. 

This makes it difficult for traditional security solutions to block all malicious URLs, as new ones can be created quickly.

To address this challenge, Zimperium’s zLabs researchers leverage machine learning algorithms to detect and block malicious domains associated with DGA-based campaigns. 

website used to distribute the malwares
website used to distribute the malwares

The machine learning models are trained on vast datasets of known malicious URLs and are able to identify patterns and characteristics that are indicative of phishing domains, even if they have never been seen before, which allows to provide real-time protection against DGA-based phishing attacks.

Second, the AppLite malware itself is obfuscated to evade detection by static analysis tools, as the malware’s malicious code is hidden or disguised, making it more difficult for security researchers to understand how it works. 

To counter this tactic, they utilize advanced behavioral analysis techniques to detect malicious activities regardless of the obfuscation methods employed by the malware, where behavioral analysis involves monitoring the actions of an application on a device to determine whether it is exhibiting any suspicious or malicious behavior. 

 intercepted websocket communication
 intercepted websocket communication

If an application is attempting to steal credentials from other applications or if it is communicating with known command-and-control servers, this would be indicative of malicious intent. 

Finally, the attackers are using a technique known as reflection to inject malicious code into legitimate websites. In a reflection attack, attackers exploit a vulnerability in a website that allows them to inject arbitrary code into the website’s response. 

The injected code can then be used to steal credentials, deliver malware, or perform other malicious actions, while the solution defends against reflection-based attacks by inspecting the network traffic for signs of malicious code injection and blocking any attempts to deliver malware through this method. 

Users are able to identify and prevent reflection attacks, even if they are obfuscated or use novel techniques, by conducting an analysis of the traffic on the network to look for suspicious patterns and behaviors.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

Microsoft Unveils New Identity Secure Score Recommendations in General Availability

Microsoft has announced the general availability of 11 new Identity Secure Score recommendations in...