It all starts with the "Install" button and ends with pleas to reverse everything.
The Swiss company PRODAFT has revealed the details of a large-scale malicious campaign involving an Android Trojan called AntiDot. According to experts, the malware has already infected over 3,775 devices in 273 separate attacks and is actively used in schemes aimed at stealing personal and financial information.
The LARVA-398 group, motivated by financial gain, is behind the development and distribution of AntiDot. The malware is distributed through a malware-as-a-service (MaaS) model via shadow online forums and is used in attacks targeting specific countries and language communities. Distribution occurs through malicious ad networks and phishing campaigns with individual targeting.
Key Features of AntiDot
AntiDot is marketed as a universal surveillance tool. It can:
- Record the device screen
- Intercept SMS messages
- Collect data from third-party apps
Tactics and Techniques
A unique feature of AntiDot is its use of the MediaProjection API and Android's accessibility service, which allows attackers to:
- Control the screen
- Perform keystroke logging
- Manage the device remotely
- Track user actions in real-time
When the victim opens cryptocurrency or payment-related apps, AntiDot replaces the real login pages with fake ones, loaded from a command-and-control server. This technique, known as an overlay attack, is used to steal login credentials. Additionally, the Trojan sets itself as the default SMS app, intercepting incoming and outgoing messages, tracking calls, redirecting them, or blocking them based on a blacklist.
AntiDot also monitors system notifications on the device, removing or hiding alerts to prevent the user from noticing suspicious activity. All infected devices are controlled via a C2 panel built on MeteorJS. The panel includes tabs for:
- Analyzing installed apps
- Configuring attacks
- Viewing infected devices
- Managing connection points
- Accessing a built-in help section
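The capability set described above (overlay permission, an accessibility service, a notification listener, a default-SMS-handler receiver, call-log access) is what an analyst or MDM rule would look for when triaging an APK. The following Python script is an added example, not code from PRODAFT or from this article; it parses a constructed AndroidManifest.xml and reports which of those capabilities an app declares, flagging the combination as high risk. The permission and action names are real Android identifiers; the package names and the scoring threshold are the example's own assumptions.

```python
"""Triage an AndroidManifest.xml for the capability combination AntiDot-style bankers rely on."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability -> evidence. kind is "perm" (<uses-permission>), "service_perm"
# (android:permission on a <service>) or "action" (intent-filter <action>).
CAPABILITIES = {
    "overlay (fake login screens)": [("perm", "android.permission.SYSTEM_ALERT_WINDOW")],
    "accessibility control / keylogging": [("service_perm", "android.permission.BIND_ACCESSIBILITY_SERVICE")],
    "notification hiding": [("service_perm", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE")],
    "default SMS handler (SMS interception)": [("action", "android.provider.Telephony.SMS_DELIVER")],
    "call tracking / redirection": [("perm", "android.permission.READ_CALL_LOG"),
                                    ("perm", "android.permission.CALL_PHONE")],
}

def manifest_capabilities(manifest_xml: str) -> dict:
    """Return {capability: [matching identifiers]} for everything the manifest declares."""
    root = ET.fromstring(manifest_xml)
    declared = {
        "perm": {e.get(ANDROID + "name") for e in root.iter("uses-permission")},
        "service_perm": {e.get(ANDROID + "permission") for e in root.iter("service")},
        "action": {a.get(ANDROID + "name") for a in root.iter("action")},
    }
    found = {}
    for cap, evidence in CAPABILITIES.items():
        hits = [value for kind, value in evidence if value in declared[kind]]
        if hits:
            found[cap] = hits
    return found

def risk_level(caps: dict, threshold: int = 3) -> str:
    """Assumed triage rule: three or more of these capabilities together is 'high'."""
    return "high" if len(caps) >= threshold else ("medium" if caps else "low")

# Constructed manifest mimicking the declared capabilities described in the article.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.banker">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif" android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: only network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.benign">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        caps = manifest_capabilities(xml)
        print(f"{name}: risk={risk_level(caps)} capabilities={sorted(caps)}")
```

A manifest declaring the accessibility service and the SMS_DELIVER receiver together, as in the constructed sample, is the pattern to alert on; a single permission alone is common in legitimate apps.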
Adaptability and Financial Motivation
The platform demonstrates high adaptability and is oriented towards financial gain through sustained control over mobile devices, especially in countries with localized language preferences. Among its features, AntiDot uses WebView injections and mimics the interfaces of banking and payment apps, making it particularly dangerous to users' privacy.
The threat posed by AntiDot underscores the importance of vigilance when installing apps, especially those requesting extensive permissions or coming from unknown sources.
