Executive Summary
The zLabs team identified a sophisticated Mishing (mobile-targeted phishing) campaign that delivers malware to the user’s Android mobile device, enabling a broad set of malicious actions including credential theft of banking, cryptocurrency and other critical applications.
The investigation revealed a network of phishing domains actively distributing a new variant of the Antidot banking trojan. This previously unknown strain builds upon the version discovered by Cyble in May of 2024.
The attackers presented themselves as recruiters, luring victims with job offers. As part of their fraudulent hiring process, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing the updated variant of Antidot on the victim’s device, which we call AppLite Banker.
Beyond its ability to mimic enterprise companies, the Banker also masquerades as Chrome and TikTok apps, demonstrating its wide-ranging target vectors, including full device takeover and application access. The level of access provided to the attackers could also extend to corporate credentials, applications and data if the device was used for remote work or remote access to the user’s existing employer.
Distribution Methods
The attackers behind this phishing campaign demonstrated a remarkable level of adaptability, leveraging diverse and sophisticated social engineering strategies to target their victims. A key tactic employed by the attackers involves masquerading as job recruiters or HR representatives from well-known organizations. Victims are enticed to respond to fraudulent emails, carefully crafted to resemble authentic job offers or requests for additional information. Figure 1 is an example of one of the emails associated with the campaign, identified by the inclusion of a company name previously observed in related campaign activity.
In a subsequent communication, the threat actors direct victims to download a purported CRM Android application. While appearing legitimate, this application functions as a malicious dropper, facilitating the deployment of the primary payload onto the victim’s device. As depicted below, the malicious site acts as the initial entry point for the attack.
Fig. 2: Phishing sites impersonating companies such as Eminic, Euskaltel and Shipum
As seen above in Figure 2, several prominent corporations, such as Euskaltel, Eminic, Distributel, and Oasis, were used as bait to entice victims. We also identified the attackers targeting other verticals, including educational institutions. Figure 3 illustrates a phishing website impersonating an educational institution, designed to trick users into downloading a malicious APK.
During the analysis, the team identified a network of malicious domains actively involved in distributing the malicious APKs. It is believed that these domains are propagated primarily through social engineering attacks.
Attack Sequence
The diagram below illustrates one of the methods employed to distribute and execute the AppLite malware on the victim’s mobile device throughout the campaign.
- Threat actor impersonates HR representatives from well-known companies, crafting emails to appear as legitimate job offers.
- Victims are redirected to a malicious landing page to continue the application process or schedule an interview.
- The landing page manipulates victims into downloading and installing a malicious dropper application.
- Once installed, the dropper delivers the AppLite banking trojan onto the victim’s device, enabling further malicious activity.
Technical Analysis
Bypassing Analysis Tools with Compressed File (ZIP) manipulation
In our previous research (1 & 2), we revealed that a significant number of malware samples utilize obfuscation techniques involving the manipulation of ZIP file structures and Android Manifest files to circumvent detection by security solutions. Malicious actors often employ methods to alter the ZIP format of APK files and the structure of Android Manifest files to render analysis tools ineffective and evade detection. Parsers, if not updated, may fail to correctly process the file, allowing the malware to bypass detection mechanisms and remain installable on targeted devices.
Several samples from this campaign employ a simple ZIP manipulation technique. As shown in Figure 6, they modify the flags by setting Bit 1 in the Flags field of both the Local File Header and the Central Directory Header. This marks each entry as encrypted without altering the underlying structure of the ZIP archive. As a result, tools like JADX are unable to process these samples accurately: they detect the encryption flag and erroneously prompt for a password, preventing static source-code analysis.
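The check below is an added example written for this post, not code from zLabs or from the malware. It parses the Local File Headers and Central Directory of an APK/ZIP by hand, reports entries whose encryption bit (bit 0 of the general purpose flags, the "Bit 1" above) is set in either header, and tells a spoofed flag apart from genuine encryption: once the bit is cleared, plain entries still pass their CRC check, whereas truly encrypted entries (which carry a 12-byte encryption header) do not. The APK is a constructed two-entry archive; the flag manipulation applied to it imitates the technique described above so the detector has something to find.

```python
"""Detect, and undo for analysis, a spoofed ZIP 'encrypted' flag on APK entries.

Added example, not code from the zLabs post. Header layout follows the ZIP
APPNOTE specification; offsets below are relative to each header's signature.
"""
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
ENCRYPTED = 0x0001  # general purpose flag bit 0: "this entry is encrypted"


def central_entries(data: bytes):
    """Yield (central_header_offset, name, local_header_offset) per entry."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entry count at +10, central directory size at +12, offset at +16
    count, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield pos, name, local_off
        pos += 46 + name_len + extra_len + comment_len


def flagged_entries(data: bytes) -> dict:
    """Map name -> (central_flags, local_flags) for entries marked encrypted in either header."""
    found = {}
    for cd_pos, name, local_off in central_entries(data):
        if data[local_off:local_off + 4] != LOCAL_SIG:
            raise ValueError(f"bad local file header for {name!r}")
        cd_flags = struct.unpack_from("<H", data, cd_pos + 8)[0]   # flags at +8 in central header
        lh_flags = struct.unpack_from("<H", data, local_off + 6)[0]  # flags at +6 in local header
        if (cd_flags | lh_flags) & ENCRYPTED:
            found[name] = (cd_flags, lh_flags)
    return found


def clear_encryption_flag(data: bytes) -> bytes:
    """Return a copy with the encryption bit cleared in both headers of every entry."""
    out = bytearray(data)
    for cd_pos, _name, local_off in central_entries(data):
        for off in (cd_pos + 8, local_off + 6):
            flags = struct.unpack_from("<H", out, off)[0]
            struct.pack_into("<H", out, off, flags & ~ENCRYPTED)
    return bytes(out)


def is_spoofed(data: bytes) -> bool:
    """True when entries are flagged encrypted but their data is plain.

    After clearing the bit, plain entries still verify their CRC; genuinely
    encrypted ones fail (testzip returns the first bad name, or None).
    """
    if not flagged_entries(data):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(clear_encryption_flag(data))) as zf:
            return zf.testzip() is None
    except (zipfile.BadZipFile, zlib.error):
        return False


def stock_reader_rejects(data: bytes) -> bool:
    """True when Python's zipfile, like JADX, refuses the archive as password-protected."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                zf.read(name)
        return False
    except RuntimeError:  # "File ... is encrypted, password required for extraction"
        return True


def build_sample() -> tuple:
    """Constructed sample: a tiny APK-shaped ZIP before and after the flag manipulation."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='com.example.constructed'/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    clean = buf.getvalue()
    tampered = bytearray(clean)
    for cd_pos, _name, local_off in central_entries(clean):
        for off in (cd_pos + 8, local_off + 6):
            flags = struct.unpack_from("<H", tampered, off)[0]
            struct.pack_into("<H", tampered, off, flags | ENCRYPTED)
    return clean, bytes(tampered)


if __name__ == "__main__":
    clean, tampered = build_sample()
    print("flagged in clean sample:   ", flagged_entries(clean))
    print("flagged in tampered sample:", flagged_entries(tampered))
    print("stock reader rejects tampered:", stock_reader_rejects(tampered))
    print("spoofed (plain data behind the flag):", is_spoofed(tampered))
    repaired = clear_encryption_flag(tampered)
    with zipfile.ZipFile(io.BytesIO(repaired)) as zf:
        print("repaired sample readable:", zf.read("classes.dex")[:8])
```

In triage, run `flagged_entries()` over an APK before handing it to a decompiler: an entry marked encrypted in an APK is already a strong signal, since Android itself never installs password-protected archives, and `is_spoofed()` confirms that the bit is cosmetic. Feed `clear_encryption_flag()`'s output to JADX or similar tools so they no longer prompt for a password.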
Once installed, the malware disguises itself as a legitimate corporate application with the ‘EmployeesCRM’ name shown below.
When first launched, the application presents a login screen to the user (as shown in Figure 7A). Following the instructions on the phishing page, users are tricked into creating a new account. Once the account is created, the app displays an empty dashboard with no functional features. However, on subsequent launches, no matter what credentials are entered, the app forces users to install an “update” (Figure 7B). This so-called “update” is actually AppLite, the new variant of the Antidot banking trojan.
When the user clicks the “Update” button, a fake Google Play Store icon appears (Figure 8), leading to the installation of the malware. Like its predecessor, this malicious app requests Accessibility Services permissions and abuses them to overlay the device’s screen and carry out harmful activities. These activities include self-granting permissions to facilitate further malicious operations.
C&C Communication
After obtaining the required permissions, the malware covertly establishes a connection with its Command and Control (C&C) server using a websocket via the socket.io library. This enables a real-time, bi-directional communication channel between the compromised device and the C&C server, allowing the attacker to maintain control and issue commands.
Uncovering New Capabilities
In addition to the commands previously detailed by Cyble in their original blog post, the latest variant of the banking malware introduces a range of new commands.
Below is a full list of attacker commands, with the newly added commands highlighted in bold.
| Command | Description |
| --- | --- |
| stopCamera | Stops the camera |
| setInjections | Saves injection overlay data in a hashmap |
| openKeyboards | Opens the “Keyboard & Input” settings |
| unlockDevice | Unlocks the device |
| resetUnlok | Interacts with the device lock based on the set value (PIN, pattern or password) |
| onFocus | Increases the brightness of the overlay window |
| openApp | Launches the application specified by the server |
| getSms | Collects SMS messages |
| callForward | Forwards calls from the infected device |
| setSettings | Receives additional C&C server URLs |
| offFocus | Lowers the brightness of overlay windows |
| wakeUp | Wakes up the device screen by acquiring a WakeLock |
| appGuardOff | Disables the Accessibility-service-based monitor that prevents the user from uninstalling the malware |
| brightnessOff | Sets the lowest possible brightness |
| overlay_0 | Stops the overlay activity |
| overlay_1 | Shows a non-touchable, non-interactable overlay |
| overlay_2 | Places a “Loading…” overlay on top of the screen |
| overlay_3 | Shows a blank black overlay on the screen |
| overlay_4 | Displays the message “Automatic system updates please wait” on top of the screen |
| openProtect | Opens the “Verify Apps” security settings within Google Play Store |
| deleteApp | Uninstalls an application |
| deleteBot | Uninstalls itself from the infected device |
| getApps | Collects the list of installed applications |
| getGacc | Creates a WebView with a JavaScript interface to steal the Google account |
| getKeys | Captures keystrokes |
| sos | Prompts the user to uninstall the application |
| brightnessOn | Adjusts the brightness value |
| actionVnc | Receives actions to perform on the infected device |
| lockDevice | Locks the device |
| getUnlock | Shows the unlock overlay received from the server |
| hideSms | Hides SMS from the default app |
| openSelectKeyboard | Opens the Input Keyboard Settings page |
| sendPush | Sends a push notification |
| sendUssd | Sends a USSD code (Unstructured Supplementary Service Data) to perform actions like balance checks or top-ups |
| blockCalls | Blocks calls from a list of mobile numbers received from the C2 |
| startVnc | Initiates VNC |
| treeMode | Sends VNC content |
| appGuardOn | Enables the Accessibility-service-based monitor that prevents the user from uninstalling the malware |
| getContacts | Collects the list of contacts |
| stopSound | Mutes the device |
| setInjection | Sets the injection for a received package name and shows the overlay on the screen |
| startCamera | Opens the camera and sends the captured photo to the C&C server |
| sendSms | Sends SMS from the infected device |
| setGacc | Behaviour couldn’t be properly determined during this research |
| openDefaultApps | Opens the “Manage Default Apps” settings on the device |
| openSetings | Opens the specific app’s settings page, showing details like permissions and storage usage |
| alertInject | Posts fake login alerts on the screen |
Stealing Device Lock Credentials
During our analysis of the new variants we discovered a new capability to steal the device’s unlock pattern, PIN or password, enabling attackers to take control even when the device is locked. To capture these credentials, the malware deploys a deceptive overlay mimicking the device’s lock screen. Any entered credentials are intercepted and transmitted to the attacker’s server.
Deceptive Fake logins to overlay pages
Upon receiving this command, the malware displays a deceptive AlertDialog informing the user of a fake update (Figure 10 shows a simulated version of the alert) and of a required subsequent login, with the intent of tricking the user into sharing their credentials. The alert is designed to be non-dismissible, forcing the user to click the “Update” button. Once the user clicks the “Update” button, a new overlay is opened and a login form is shown. Under the hood, the malware actively monitors the information entered into the form, capturing the user’s credentials and relaying them back to the C&C server.
While our team couldn’t confirm this behavior through dynamic analysis, evidence suggests that the malware likely injects a server-controlled layout page to facilitate the theft of sensitive data from targeted banking apps. It’s probable that the injected HTML contains a fake login form tailored to harvest credentials for specific services.
When the overlay is loaded, the malware injects malicious JavaScript into the HTML page. This script systematically scans all input and select elements on the page, intercepting and exfiltrating the victim’s login credentials to the attacker.
Overlay injection technique
Similar to other Android banking trojans, this malware relies heavily on overlay attack techniques to deceive victims into revealing sensitive credentials. Once the user launches a targeted application, the malware retrieves a malicious HTML payload from the C&C server, as shown in Figure 11, and overlays it on the legitimate application’s user interface, effectively creating a convincing and deceptive facade.
Fig. 11: Some payloads received from the C&C server
Our team identified a total of 172 targeted applications, encompassing financial institutions, social media platforms, and cryptocurrency wallets.
Newly added Remote Desktop (VNC) features
The threat actors leverage the MediaProjection API to capture the device’s display, encode the content, and transmit it to a designated Command and Control (C&C) server. Upon receiving the “startVnc” command, the malware initiates Virtual Network Computing (VNC) functionality on the victim’s device. Subsequently, the malware enters a standby mode, awaiting the “actionVnc” command. This command includes specific instructions that enable the attackers, leveraging the Accessibility service, to interact with and control the infected device’s screen.
Automating unlocking lock screen pattern
One of the newly identified capabilities of the malware is its ability to interact with the device’s lock screen. By utilizing the Accessibility Service, the malware locates the lock pattern view com.android.systemui:id/lockPatternView on the screen and divides it into a grid (3×3). It then processes the pattern (represented as a string of numbers), calculates the position of each number on the grid, and calculates the movement path between each number to replicate the pattern. The malware simulates the unlocking process by generating and sending the calculated touch events to the device. This automated sequence enables the malware to unlock the device without requiring any user interaction, even when the device is idle.
Below is the complete list of actions supported by the malware.
| Action | Description |
| --- | --- |
| tap | Dispatches a tap gesture |
| swipe | Makes a swipe gesture |
| global-recent | Shows the overview of recent apps |
| global-home | Executes the go-home action |
| global-back | Performs the go-back action |
| global-bar | Opens the notification bar |
| global-power | Opens the power long-press dialog |
| global-lock | Locks the device screen globally |
| scroll-up | Dispatches a gesture to scroll up |
| scroll-down | Dispatches a gesture to scroll down |
| swipe-up | Dispatches a gesture to swipe up |
| swipe-right | Dispatches a gesture to swipe right |
| swipe-down | Dispatches a gesture to swipe down |
| swipe-left | Dispatches a gesture to swipe left |
| makeGesture | Dispatches a gesture at x and y coordinates |
| pattern | Automates the lock pattern |
| textset | Modifies clipboard data and sets it on the screen |
| textget | Gets clipboard data and sends it to the server |
Countries and Apps in the crosshairs of AppLite
The banker malware appears to be specifically designed to target users proficient in English, Spanish, French, German, Italian, Portuguese, and Russian. This assumption is supported by the identification of language-specific code references within the malware, as illustrated in Figure 12.
The malware primarily targets three categories of applications: banking, cryptocurrency and finance. Our analysis revealed that 95 banking applications, 62 cryptocurrency applications, and 13 additional financial applications were targeted by the malware.
An analysis of the regions in which the targeted banking applications operate indicates the primary target countries, as shown in the figure below.
Zimperium vs. AppLite
Zimperium’s cutting-edge technology has consistently demonstrated its effectiveness, successfully detecting and neutralizing all malware samples and malicious URLs highlighted in this blog post. This underscores its unique ability to deliver zero-day malware and phishing detection directly on the device, providing unmatched protection against emerging cyber threats.
Given the malware’s advanced capabilities and extensive control over compromised devices, it is imperative to implement proactive and robust protection measures to safeguard users and devices against this and similar threats, preventing data or financial losses.
Zimperium is uniquely equipped to support enterprises (MTD) and app developers (MAPS) in defending against the constantly evolving threat landscape targeting mobile devices. Powered by our proprietary On-Device Dynamic Detection Engine, both MTD and MAPS products leverage local, on-device advanced machine learning, behavioral analysis and deterministic detection to provide industry leading zero-day protection. This unique capability ensures comprehensive detection and mitigation of threats without impacting user experience or app development timelines.
Zimperium’s detection engine detects 100% of the reported samples on a zero-day basis. At the same time, our web content filtering correctly identifies and blocks traffic to the reported malicious domains, preventing the infection.
MITRE ATT&CK Techniques
To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the MITRE Tactics and Techniques as reference.
| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Initial Access | T1660 | Phishing | Adversaries send malicious content to users in order to gain access to their device. |
| Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events. |
| Defense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | Malware pretending to be the Google Play Update application. |
| | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application | Malware can uninstall itself. |
| | T1516 | Input Injection | Malware can mimic user interaction, perform clicks and various gestures, and input data. |
| | T1406.002 | Obfuscated Files or Information: Software Packing | It is using obfuscation and packers (JSONPacker) to conceal its code. |
| Credential Access | T1414 | Clipboard Data | It extracts data stored on the clipboard. |
| | T1417.001 | Input Capture: Keylogging | It has a keylogger feature. |
| | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| | T1517 | Access Notifications | Can listen to the notifications. |
| Discovery | T1418 | Software Discovery | Malware collects the installed application package list. |
| | T1426 | System Information Discovery | The malware collects basic device info. |
| Collection | T1517 | Access Notifications | It registers a receiver to monitor incoming SMS messages. |
| | T1513 | Screen Capture | Malware can record screen content. |
| | T1512 | Capture Camera | Malware opens the camera and takes pictures. |
| | T1429 | Audio Capture | Malware captures audio recordings. |
| | T1616 | Call Control | Malware can make calls. |
| | T1636.002 | Protected User Data: Call Log | Malware steals call logs. |
| | T1636.003 | Protected User Data: Contact List | It exports the device’s contacts. |
| | T1636.004 | Protected User Data: SMS Messages | Steals SMSs from the infected device. |
| | T1417.001 | Input Capture: Keylogging | Malware can capture keystrokes. |
| | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| | T1414 | Clipboard Data | It has the ability to steal data from the clipboard. |
| | T1616 | Call Control | TA can make and block calls on the device. |
| Command and Control | T1637 | Dynamic Resolution | It receives the injected HTML payload endpoint dynamically from the server. |
| | T1481.002 | Web Service: Bidirectional Communication | It uses WebSocket communication to poll the TA’s server and get the commands to execute. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Sends exfiltrated data to the C&C server. |
| | T1616 | Call Control | TA can make and block calls on the device. |
| Impact | T1516 | Input Injection | It displays inject payloads like the pattern lock and mimics banking apps’ login screens through overlays to steal credentials. |
| | T1582 | SMS Control | It can read and send SMS. |
Indicators of Compromise
The IOCs for this campaign can be found in this repository.
A big thanks to Fernando Sanchez Ortega and Rajat Goyal for their help with the data collection and analysis.