Data shows deceitful Android malware is on the rise: Take this one step to keep your phone safe


Updated 5/29/24 at 6:11 p.m. ET with comment from Google representative.

This month, a banking trojan claiming to be an official Google Play Store update wrought havoc on Android users.

The Antidot Android Banking Trojan, discovered by Cyble, uses VNC (virtual network computing), keylogging, and overlay techniques to steal sensitive information and login credentials from unsuspecting Android owners.

The problem could have been avoided, though. But first, let's get into what happened when the deceptive malware collected bank information from Android users.

How does Antidot work?


As the Cyble report explains, the Antidot software relies on an accessibility feature to function and then establishes a connection with its command and control server. That server registers the device and identifies target applications. Using an overlay injection, the Antidot software sends a message claiming to be from Google that tells users to update the Google Play Store.

The Antidot software then logs keystrokes and transmits that information to the control server, allowing the trojan to steal sensitive information and login credentials. The software can also access text messages and control the camera and screen lock.

Because the Antidot download is prompted by a fake pop-up message, the Antidot software is sideloaded rather than downloaded directly from the Play Store. That alone should indicate that the software isn't a legitimate Play Store update.

Other malicious applications are out there

While the Antidot Android Banking Trojan is sideloaded, it may not be the only malicious application targeting Android phones.

According to a new report by Zscaler ThreatLabz, "over 90 malicious applications (have been) uploaded to the Google Play store. These malware-infected applications have collectively garnered over 5.5 million installs."

So Android malware applications are potentially on the rise.

How to stop trojan applications


There is a way to protect yourself from malicious applications like the Antidot Android Banking Trojan.

A spokesperson for Google tells Dark Reading that Google Play Protect can protect against this kind of malware. "Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play."

We reached out to Google for comment and a representative got back to us with the following statement regarding Google Play Protect:


"Google Play Protect checks your apps and devices for malware and harmful behavior -- which would be inclusive of the behavior you listed. Google Play Protect scans 200 billion Android apps daily. Our security protections and machine learning algorithms learn from each app submitted to Google for review and we look at thousands of signals and compare app behavior. Google Play Protect is always improving with each identified app.... Google Play Protect also protects users by automatically removing and disabling apps known to contain this malware on Android devices with Google Play Services."

This suggests that Zscaler's 5.5 million installations figure may not be an accurate account, but Google would not confirm or deny that specific figure.

If you're worried you may have downloaded the Antidot Android Banking Trojan or a similarly malicious application, note that Google Play Protect rolled out a virus scan function in October. Play Protect's scans will protect against malware pushed to the Google Play store or sideloaded as an APK, like the Antidot trojan.

Madeline Ricchiuto
Staff Writer
