{
	"id": "8a26652e-c9a2-43d7-add3-1d91af140813",
	"created_at": "2026-04-06T00:10:10.901058Z",
	"updated_at": "2026-04-10T03:30:33.810265Z",
	"deleted_at": null,
	"sha1_hash": "3b7a70cb9774f04e2725b8e99235b985e158860f",
	"title": "New Antidot Trojan Disguised As Fake Google Play Updates",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1556193,
	"plain_text": "New Antidot Trojan Disguised As Fake Google Play Updates\r\nPublished: 2024-05-16 · Archived: 2026-04-05 13:22:53 UTC\r\nKey Takeaways \r\nA new Android Banking Trojan, “Antidot,” masquerading as a Google Play update application, displays fake\r\nGoogle Play update pages in multiple languages, indicating a wide range of targets.  \r\nAntidot incorporates a range of malicious features, including overlay attacks and keylogging, allowing it to\r\ncompromise devices and harvest sensitive information. \r\nAntidot maintains communication with its Command and Control (C\u0026C) server through WebSocket,\r\nenabling real-time, bidirectional interaction for executing commands. \r\nThe malware executes a wide range of commands received from the C\u0026C server, including collecting SMS\r\nmessages, initiating USSD requests, and even remotely controlling device features such as the camera and\r\nscreen lock. \r\nAntidot implemented VNC using MediaProjection to remotely control infected devices. \r\nOverview \r\nIn April, Cyble Research and Intelligence Labs (CRIL) released a detailed analysis of a newly surfaced Android\r\nBanking Trojan named Brokewell, created by malware developer Baron Samedit and capable of taking over\r\ndevices.  \r\nRecently, we’ve discovered another new Android Banking Trojan, “Antidot,” initially spotted on May 06, 2024\r\n(a6f6e6fb44626f8e609b3ccb6cbf73318baf01d08ef84720706b205f2864b116). This Trojan leverages overlay\r\nattacks as its primary method for gathering credentials. 
\r\nThis malware incorporates several features, including: \r\nhttps://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/\r\nPage 1 of 12\n\nVNC \r\nKeylogging \r\nOverlay attack \r\nScreen recording \r\nCall forwarding \r\nCollecting contacts and SMSs \r\nPerforming USSD requests \r\nLocking and unlocking the device \r\nWe’re referring to this Android Banking Trojan known as “Antidot,” identified by the presence of the string\r\n“Antidot” within its source code, utilized for logging across different classes. This malware employs a custom\r\nencryption code for string obfuscation, along with gibberish class names, making analysis more challenging. \r\nFigure 1 – Mentions of “Antidot” strings in malware source code \r\nThe malware masquerades as a Google Play update application, displaying a counterfeit Google Play update page\r\nupon installation. Our observations reveal that this fake update page has been crafted in various languages,\r\nincluding German, French, Spanish, Russian, Portuguese, Romanian, and English. This indicates that the malware\r\nis targeting Android users in these language-speaking regions. \r\nFigure 2 – Fake update pages crafted in different languages\r\nThe next section presents a detailed technical analysis of the Antidot Android Banking Trojan. \r\nTechnical Details \r\nAs previously mentioned, after installation, the malware displays a fake update page featuring a “Continue” button\r\nthat redirects the user to the Accessibility settings. Like other Android Banking Trojans, Antidot also relies on the\r\nAccessibility service to carry out its malicious activities. 
\r\nFigure 3 – Antidot prompting user to grant Accessibility permission \r\nCommand and Control server communication \r\nIn the background, the malware initiates communication with its Command and Control (C\u0026C) server at\r\n“hxxp://46[.]228.205.159:5055/”. In addition to the HTTP connection, the Antidot Banking Trojan establishes\r\nWebSocket communication using the socket.io library, which enables real-time, bi-directional communication\r\nbetween the server and client. The malware maintains this communication through “ping” and “pong” messages. \r\nFrom the client side, the malware uses the “ping” message and sends Base64 encoded data. An example of a ping\r\nmessage sent by the client is shown below: \r\n42[\"ping\",\"1715751904\",\"WyJyZXNTY3JlZW4iLCIxMDgwIiwiMTkyMCJd\\n\"] \r\nFrom the server side, the malware receives “pong” messages containing plain text data. These pong messages\r\ntypically include commands that the server wants to execute. An example of a pong message received from the\r\nserver is: \r\n42[\"pong\",[\"sos\",\"1\"]] \r\nOnce the user grants the Accessibility service permission, the malware sends the first “ping message” to the server along with the\r\nBase64 encoded data, which contains the information below:\r\nMalware application name \r\nSDK version \r\nMODEL \r\nMANUFACTURER \r\nLocale (language + country code) \r\nInstalled application package list \r\nFigure 4 – First ping message to the server \r\nAfter receiving the initial ping message, the server responds with a “pong” message that includes the bot ID\r\ngenerated for the infected device, as illustrated in the figure below: \r\nFigure 5 – Pong message with bot ID \r\nDuring communication with the C\u0026C server “hxxp://46[.]228.205.159:5055”, the malware obtains three additional\r\nserver URLs. 
These can serve as backup options to maintain communication if the current C\u0026C server becomes\r\ninactive. Below are the additional C\u0026C servers received from the server: \r\nhxxp://213.255.246[.]209:5055 \r\nhxxp://193.181.23[.]70:5055 \r\nhxxp://188.241.240[.]75:5055\r\nCommands Executed by malware \r\nOnce the server generates the bot ID, the Antidot Banking Trojan begins sending bot statistics to the server and\r\nreceiving commands. During execution, we observed several commands received by the malware, including “sos”,\r\n“setSettings,” “getApps,” and “getSMS.” \r\nFigure 6 – Malware sends bot stats \r\nFigure 7 – Commands received from the server \r\nThe malware has implemented a total of 35 commands, which we have listed below. \r\nCommand   Description \r\nspeedMod  Updates application scope list \r\npauseInject  Updates shared preference value with 1 to pause overlay activity \r\nstopAverlay  Stops overlay activity \r\nstopCamera  Stops camera \r\nsetInjections  Saves injection overlay data in a hashmap \r\nunlockDevice  Unlock device \r\nstartSleep  Save parameters related to the sleep feature in shared preference \r\nsleepNow  Put the device on sleep mode \r\nonFocus  Increases the brightness of the overlay window \r\nopenApp  Opens application specified by the server \r\ngetSms  Collects SMSs \r\ncallForward  Makes call from infected device \r\nsetSettings  Receives additional C\u0026C server URLs \r\noffFocus  Reduces the brightness of overlay windows \r\ndeleteApp  Uninstall application \r\ndeleteBot  Uninstall itself \r\nupdateShow  Displays updated content in the WebView \r\ngetApps  Collects installed application package name list \r\ngetKeys  Collects keystrokes \r\nsos  Prompts the user to uninstall the 
application \r\nactionVnc  Receives actions to perform on the infected device \r\nlockDevice  Locks device \r\nvncShow  Displays VNC into WebView \r\nwaitBar  Displays waiting bar overlay page \r\nresumeInject  Resume showing overlay page \r\nsendPush  Push notification \r\nsendUssd  Makes USSD service call \r\nstartVnc  Initiates VNC \r\ntreeMode  Sends VNC content \r\nonScreen  Adds overlay window \r\ngetContacts  Collects contact list \r\nstopSleep  Wake up the device screen \r\nstopSound  Mute device \r\nstartCamera  Opens camera and sends captured photo to the C\u0026C server \r\nsendSms  Sends SMS from an infected device \r\nAntidot’s VNC Feature \r\nThe Antidot malware utilizes the MediaProjection feature to capture the display content of the compromised device.\r\nIt then encodes this content and transmits it to the Command and Control (C\u0026C) server. The malware initiates\r\nthe VNC activity when it receives the command “startVNC” from the C\u0026C server. \r\nFigure 8 – Starts VNC after receiving the command \r\nOnce the screen content is transmitted, the malware can receive the command “actionVNC,” along with the actions\r\nto perform on the current display screen of the infected device. Utilizing Accessibility service methods, the\r\nmalware executes these actions as directed. 
Below is the list of VNC actions received from the server: \r\nAction  Description \r\ntap  Dispatch tap gesture \r\nswipe  Makes swipe gesture \r\nglobal-recent  Shows overview of recent apps \r\nglobal-home  Execute action go home \r\nglobal-back  Performs go back action \r\nglobal-bar  Executes this action to open the notification \r\nglobal-power  Opens power long press dialog \r\nscroll-up  Dispatch gesture to scroll up \r\nscroll-down  Dispatch gesture to scroll down \r\nswipe-up  Dispatch gesture to swipe up \r\nswipe-down  Dispatch gesture to swipe down \r\nswipe-left  Dispatch gesture to swipe left \r\nmakeGesture  Dispatch gesture on x and y coordinates \r\ntextset  Collect text from the clipboard \r\nunknown  Set text to the clipboard \r\nOverlay Attack\r\nThe overlay attack module of the Antidot malware is akin to that of other well-known banking Trojans such as\r\nErmac, Chameleon, and Brokewell. It employs HTML phishing pages designed to resemble authentic banking or\r\ncryptocurrency applications, loading them into WebView and creating an overlay window on the genuine\r\napplication to capture credentials. \r\nAs mentioned earlier, the malware sends the installed application’s package name list to the C\u0026C server, which will\r\nbe used to find the targeted application. Once the targeted applications are found on the infected device, the server\r\nthen sends the command “SetInjections” along with the package name and Base64-encoded HTML injection page\r\nURL. 
\r\nFigure 9 – Getting injections from the server \r\nWhen the malware detects that the victim is using a targeted application by verifying the package name against its\r\ninjection list, it creates an overlay window over the legitimate application and loads the injection URL into the\r\nWebView.\r\nFigure 10 – Overlay attack activity \r\nKeylogging \r\nThe Antidot Android Banking Trojan has incorporated keylogging alongside its overlay attack to harvest\r\ncredentials. Whenever a victim initiates typing, the malware produces a “ping message” and transmits the\r\nexfiltrated keystrokes using Base64 encoding. To dispatch the stolen key logs, along with a timestamp and\r\napplication name, the malware employs the “getKeys” command. \r\nThe figure below displays an example of the keylogger message sent by the malware.  \r\nFigure 11 – Keylogger message example \r\nAntidot’s SOS Command \r\nOnce the malware gains access to the accessibility service, it transmits data concerning the device and the package\r\nnames of installed applications. If the server determines that the device is not the intended target, it sends the\r\n“SOS” command to the malware. This displays a dialog box prompting the victim to uninstall the\r\napplication, and ceases any further command transmission to the bot.\r\nFigure 12 – SOS activity\r\nConclusion \r\nThe emergence of sophisticated Android Banking Trojans poses a significant threat to users’ security and privacy.\r\nAmong these, the newly surfaced “Antidot” Banking Trojan stands out for its multifaceted capabilities and stealthy\r\noperations. 
Its utilization of string obfuscation, encryption, and strategic deployment of fake update pages\r\ndemonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions.\r\nAnalyzing its intricate workings sheds light on the evolving landscape of mobile malware and the ingenuity of\r\ncybercriminals. With its multifaceted capabilities, including overlay attacks, keylogging, and VNC features, Antidot\r\nposes a significant threat to users’ privacy and financial security. \r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We\r\nrecommend that our readers follow the best practices given below:  \r\nOnly install software from official app stores such as the Play Store or the iOS App Store.   \r\nIt is recommended that connected devices, including PCs, laptops, and mobile devices, use a reputed\r\nantivirus and internet security software package.  \r\nUse strong passwords and enforce multi-factor authentication wherever possible.   \r\nBe careful while opening links received via SMS or emails sent to your mobile device.   \r\nGoogle Play Protect should always be enabled on Android devices.   \r\nBe wary of any permissions that you give an application.   \r\nKeep devices, operating systems, and applications up to date.  
\r\nMITRE ATT\u0026CK® Techniques\r\nTactic  Technique ID  Procedure \r\nDefense Evasion (TA0030)  Masquerading: Match Legitimate Name or Location (T1655.001)  Malware pretending to be the Google Play Update application \r\nDefense Evasion (TA0030)  Application Discovery (T1418)  Collects installed application package name list to identify target \r\nDefense Evasion (TA0030)  Virtualization/Sandbox Evasion (T1633)  Malware implemented an anti-emulation check, which checks if the debugging is on. \r\nDefense Evasion (TA0030)  Indicator Removal on Host: Uninstall Malicious Application (T1630.001)  Malware can uninstall itself \r\nDefense Evasion (TA0030)  Input Injection (T1516)  Malware can mimic user interaction, perform clicks and various gestures, and input data \r\nCollection (TA0035)  Input Capture: Keylogging (T1417.001)  Malware can capture keystrokes \r\nDiscovery (TA0032)  Software Discovery (T1418)  Malware collects installed application package list \r\nDiscovery (TA0032)  System Information Discovery (T1426)  The malware collects basic device information. 
\r\nCollection (TA0035)  Screen Capture (T1513)  Malware can record screen content \r\nCollection (TA0035)  Capture Camera (T1512)  Malware opens camera and takes pictures \r\nCollection (TA0035)  Audio Capture (T1429)  Malware captures Audio recordings \r\nCollection (TA0035)  Call Control (T1616)  Malware can make calls \r\nCollection (TA0035)  Protected User Data: Call Log (T1636.002)  Malware steals call logs \r\nCollection (TA0035)  Protected User Data: SMS Messages (T1636.004)  Steals SMSs from the infected device \r\nExfiltration (TA0036)  Exfiltration Over C2 Channel (T1646)  Sending exfiltrated data over C\u0026C server \r\nIndicators of Compromise (IOCs)\r\nSource: https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/"
	],
	"report_names": [
		"new-antidot-android-banking-trojan-masquerading-as-google-play-updates"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434210,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b7a70cb9774f04e2725b8e99235b985e158860f.pdf",
		"text": "https://archive.orkl.eu/3b7a70cb9774f04e2725b8e99235b985e158860f.txt",
		"img": "https://archive.orkl.eu/3b7a70cb9774f04e2725b8e99235b985e158860f.jpg"
	}
}