AppLite: A New AntiDot Variant Targeting Mobile Employee Devices

Executive Summary

The zLabs team identified a sophisticated Mishing (mobile-targeted phishing) campaign that delivers malware to the user’s Android mobile device, enabling a broad set of malicious actions including credential theft of banking, cryptocurrency and other critical applications. 

The investigation revealed a network of phishing domains actively distributing a new variant of the Antidot banking trojan. This previously unknown strain builds upon the version discovered by Cyble in May of 2024.

The attackers presented themselves as recruiters, luring victims with job offers. As part of their fraudulent hiring process, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing the updated variant of Antidot on the victim’s device, which we call AppLite Banker.

Beyond its ability to mimic enterprise companies, the Banker also masquerades as Chrome and TikTok apps, demonstrating its wide-ranging target vectors, including full device take-over and application access. The level of access provided to the attackers could also extend to corporate credentials, applications and data if the device was used for remote work or remote access to the user’s existing employer.

Distribution Methods

The attackers behind this phishing campaign demonstrated a remarkable level of adaptability, leveraging diverse and sophisticated social engineering strategies to target their victims. A key tactic employed by the attackers involves masquerading as job recruiters or HR representatives from well-known organizations. Victims are enticed to respond to fraudulent emails, carefully crafted to resemble authentic job offers or requests for additional information. Figure 1 is an example of one of the emails associated with the campaign, identified by the inclusion of a company name previously observed in related campaign activity.

Fig.1: An example of a phishing email sent by attackers

In a subsequent communication, the threat actors direct victims to download a purported CRM Android application. While appearing legitimate, this application functions as a malicious dropper, facilitating the deployment of the primary payload onto the victim’s device. As depicted below, the malicious site acts as the initial entry point for the attack.

Fig.2: Phishing sites impersonating companies such as Eminic, euskaltel, Shipum

As seen above in Figure 2, several prominent corporations, such as Euskatel, Eminic, Distributel, and Oasis, were used as bait to entice victims. We also identified the attackers targeting other verticals, including educational institutions. Figure 3 illustrates a phishing website impersonating an educational institution, designed to trick users into downloading a malicious APK.

Fig.3: Phishing site targeting students

During the analysis, the team identified a network of malicious domains actively involved in distributing the malicious APKs. It is believed that these domains are propagated primarily through social engineering attacks.

Fig.4: website used to distribute the malware

Attack Sequence

The diagram below illustrates one of the methods employed to distribute and execute the AppLite malware on the victim’s mobile device throughout the campaign.

Fig.5 Attack sequence
  • Threat actor impersonates HR representatives from well-known companies, crafting emails to appear as legitimate job offers.
  • Victims are redirected to a malicious landing page to continue the application process or schedule an interview.
  • The landing page manipulates victims into downloading and installing a malicious dropper application.
  • Once installed, the dropper delivers the AppLite banking trojan onto the victim’s device, enabling further malicious activity.

Technical Analysis

Bypassing Analysis Tools with Compressed File (ZIP) manipulation

In our previous research (1 & 2), we revealed that a significant number of malware samples utilize obfuscation techniques involving the manipulation of ZIP file structures and Android Manifest files to circumvent detection by security solutions. Malicious actors often employ methods to alter the ZIP format of APK files and the structure of Android Manifest files to render analysis tools ineffective and evade detection. Parsers, if not updated, may fail to correctly process the file, allowing the malware to bypass detection mechanisms and remain installable on targeted devices.

Fig.6: ZIP manipulation

Several samples from this campaign employ a simple ZIP manipulation technique. As shown in Figure 6, they modify the flags by setting Bit 1 in the Flags field of both the File Header and Central Directory Header. This marks the file as encrypted without altering the underlying structure of the ZIP archive. As a result, tools like JADX are unable to process these samples accurately, as they detect the encryption flag and erroneously prompt for a password, preventing the static source code analysis.
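A defender’s check for this trick, added here as an illustration and not code from the zLabs analysis: it walks the central directory and the local file headers directly and reports every entry whose encryption bit (bit 0, value 0x0001, of the general purpose bit flag, the flag bit the text refers to) is set in either header while the entry’s bytes still decompress to the CRC recorded in the central directory, something a genuinely encrypted entry cannot do. The sample archive and its entry names are constructed for the demonstration; `build_sample(True)` applies the flag flip described above so the detector has something to find, and `stdlib_can_read` shows how a parser that honours the flag (Python’s zipfile here, standing in for tools like JADX) refuses the entry without a password.

```python
import io
import struct
import zipfile
import zlib

LOCAL_SIG = b"PK\x03\x04"    # local file header signature
CENTRAL_SIG = b"PK\x01\x02"  # central directory file header signature
EOCD_SIG = b"PK\x05\x06"     # end of central directory record signature
FLAG_ENCRYPTED = 0x0001      # bit 0 of the general purpose bit flag: "entry is encrypted"


def central_entries(data):
    """Walk the central directory and yield one dict per entry (raw header fields plus offsets)."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record found")
    count = struct.unpack_from("<H", data, eocd + 10)[0]   # total entries
    pos = struct.unpack_from("<I", data, eocd + 16)[0]     # central directory offset
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at offset %d" % pos)
        (flags, method, _mtime, _mdate, crc, csize, _usize,
         nlen, xlen, clen) = struct.unpack_from("<HHHHIIIHHH", data, pos + 8)
        local_off = struct.unpack_from("<I", data, pos + 42)[0]
        yield {
            "name": data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"),
            "cd_pos": pos, "cd_flags": flags, "method": method,
            "crc": crc, "csize": csize, "local_off": local_off,
        }
        pos += 46 + nlen + xlen + clen


def local_header(data, offset):
    """Return (flags, data_start) for the local file header at `offset`."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("bad local header signature at offset %d" % offset)
    flags = struct.unpack_from("<H", data, offset + 6)[0]
    nlen, xlen = struct.unpack_from("<HH", data, offset + 26)
    return flags, offset + 30 + nlen + xlen


def find_fake_encryption(data):
    """Entries flagged as encrypted (in either header) whose bytes nevertheless
    decompress to the CRC recorded in the central directory, i.e. are plaintext."""
    findings = []
    for e in central_entries(data):
        lh_flags, start = local_header(data, e["local_off"])
        if not ((e["cd_flags"] | lh_flags) & FLAG_ENCRYPTED):
            continue
        raw = data[start:start + e["csize"]]
        try:
            if e["method"] == 0:        # stored
                plain = raw
            elif e["method"] == 8:      # deflate (raw stream, no zlib header)
                plain = zlib.decompressobj(-15).decompress(raw)
            else:
                continue                # other compression methods are out of scope here
        except zlib.error:
            continue                    # genuinely encrypted or corrupt: not a false flag
        if zlib.crc32(plain) == e["crc"]:
            findings.append({"name": e["name"],
                             "local_flag_set": bool(lh_flags & FLAG_ENCRYPTED),
                             "central_flag_set": bool(e["cd_flags"] & FLAG_ENCRYPTED)})
    return findings


def stdlib_can_read(data, name):
    """True if Python's zipfile extracts `name` without a password (it refuses when the flag is set)."""
    try:
        zipfile.ZipFile(io.BytesIO(data)).read(name)
        return True
    except RuntimeError:
        return False


def build_sample(tamper):
    """Constructed sample (not a real APK): two stored entries; with tamper=True the
    encryption bit is set in both headers of every entry, as described in the text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='example.placeholder'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + bytes(range(32)))
    data = bytearray(buf.getvalue())
    if tamper:
        for e in list(central_entries(bytes(data))):
            struct.pack_into("<H", data, e["cd_pos"] + 8, e["cd_flags"] | FLAG_ENCRYPTED)
            lh_flags, _ = local_header(bytes(data), e["local_off"])
            struct.pack_into("<H", data, e["local_off"] + 6, lh_flags | FLAG_ENCRYPTED)
    return bytes(data)


if __name__ == "__main__":
    for tamper in (False, True):
        sample = build_sample(tamper)
        print("tampered" if tamper else "clean", "| zipfile reads classes.dex:",
              stdlib_can_read(sample, "classes.dex"),
              "| fake-encryption findings:", find_fake_encryption(sample))
```

Run as a script, the clean archive yields no findings and is readable, while the tampered one is refused by zipfile yet every entry is reported as plaintext carrying the encryption bit. Only stored and deflate entries are verified; a stricter triage rule would additionally flag any entry whose two headers disagree on the flag, since a well-formed archiver writes them identically.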

Once installed, the malware disguises itself as a legitimate corporate application with the ‘EmployeesCRM’ name shown below.

When first launched, the application presents a login screen to the user (as shown in Figure 7A). Following the instructions on the phishing page, users are tricked into creating a new account. Once the account is created, the app displays an empty dashboard with no functional features. However, on subsequent launches, no matter what credentials are entered, the app forces users to install an “update” (Figure 7B). This so-called “update” is actually AppLite, the new variant of the Antidot banking trojan.

Fig.7 A/B: layouts shown on startup and after the login

When the user clicks the “Update” button, a fake Google Play Store icon appears (Figure 8), leading to the installation of the malware. Like its predecessor, this malicious app requests Accessibility Services permissions and abuses them to overlay the device’s screen and carry out harmful activities. These activities include self-granting permissions to facilitate further malicious operations. 

Fig.8: layouts shown to the user after the installation

C&C Communication

After obtaining the required permissions, the malware covertly establishes a connection with its Command and Control (C&C) server using a websocket via the socket.io library. This enables a real-time, bi-directional communication channel between the compromised device and the C&C server, allowing the attacker to maintain control and issue commands.

Fig.8: intercepted websocket communication

Uncovering New Capabilities

In addition to the commands previously detailed by Cyble in their original blog post, the latest variant of the banking malware introduces a range of new commands.

Below is a full list of attacker commands, with the newly added commands highlighted in bold.

| Command | Description |
| --- | --- |
| stopCamera | Stops the camera |
| setInjections | Saves injection overlay data in a hashmap |
| openKeyboards | Opens the “Keyboard & Input” settings |
| unlockDevice | Unlocks the device |
| resetUnlok | Interacts with the device lock based on the set value (PIN, pattern or password) |
| onFocus | Increases the brightness of the overlay window |
| openApp | Launches the application specified by the server |
| getSms | Collects SMS messages |
| callForward | Forwards calls from the infected device |
| setSettings | Receives additional C&C server URLs |
| offFocus | Lowers the brightness of overlay windows |
| wakeUp | Wakes up the device screen by acquiring a WakeLock |
| appGuardOff | Disables the Accessibility-based monitor that prevents the user from uninstalling the malware |
| brightnessOff | Sets the lowest possible brightness |
| overlay_0 | Stops overlay activity |
| overlay_1 | Shows a non-touchable, non-interactive overlay |
| overlay_2 | Places a “Loading…” overlay on top of the screen |
| overlay_3 | Shows a blank black overlay on the screen |
| overlay_4 | Displays the message “Automatic system updates please wait” on top of the screen |
| openProtect | Opens the “Verify Apps” security settings within the Google Play Store |
| deleteApp | Uninstalls an application |
| deleteBot | Uninstalls itself from the infected device |
| getApps | Collects the list of installed applications |
| getGacc | Creates a WebView with a JavaScript interface to steal the Google account |
| getKeys | Captures keystrokes |
| sos | Prompts the user to uninstall the application |
| brightnessOn | Adjusts the brightness value |
| actionVnc | Receives actions to perform on the infected device |
| lockDevice | Locks the device |
| getUnlock | Shows the unlock overlay received from the server |
| hideSms | Hides SMS from the default app |
| openSelectKeyboard | Opens the Input Keyboard Settings page |
| sendPush | Sends a push notification |
| sendUssd | Sends a USSD (Unstructured Supplementary Service Data) code to perform actions like balance checks or top-ups |
| blockCalls | Blocks calls from a list of mobile numbers received from the C2 |
| startVnc | Initiates VNC |
| treeMode | Sends VNC content |
| appGuardOn | Enables the Accessibility-based monitor that prevents the user from uninstalling the malware |
| getContacts | Collects the list of contacts |
| stopSound | Mutes the device |
| setInjection | Sets the injection for a received package name and shows the overlay on the screen |
| startCamera | Opens the camera and sends the captured photo to the C&C server |
| sendSms | Sends SMS from the infected device |
| setGacc | Behaviour couldn’t be properly determined during this research |
| openDefaultApps | Opens the “Manage Default Apps” settings on the device |
| openSetings | Opens the specific app’s settings page, showing details like permissions and storage usage |
| alertInject | Posts fake login alerts on the screen |

Stealing Device Lock Credentials

During our analysis of the new variants, we discovered a new capability to steal the device’s unlock pattern, PIN or password, enabling attackers to take control even when the device is locked. To capture these credentials, the malware deploys a deceptive overlay mimicking the device’s lock screen. Any entered credentials are intercepted and transmitted to the attacker’s server.

Fig.9: code used by the malware to steal the unlock data

Deceptive Fake logins to overlay pages

Upon receiving this command, the malware displays a deceptive AlertDialog informing the user of a fake update (Figure 10 shows a simulated version of the alert) and of a required subsequent login, with the intent of tricking the user into sharing their credentials. The alert is designed to be non-dismissible, forcing the user to click the “Update” button. Once the user clicks the “Update” button, a new overlay is opened and a login form is shown. Under the hood, the malware actively monitors the information entered into the form, capturing the user’s credentials and relaying them back to the C&C server.

While our team couldn’t confirm this behavior through dynamic analysis, evidence suggests that the malware likely injects a server-controlled layout page to facilitate the theft of sensitive data from targeted banking apps. It’s probable that the injected HTML contains a fake login form tailored to harvest credentials for specific services. 

Fig.10: example of the alert shown by the malware

When the overlay is loaded, the malware injects malicious JavaScript into the HTML page. This script systematically scans all input and select elements on the page, intercepting and exfiltrating the victim’s login credentials to the attacker.

Overlay injection technique

Similar to other Android banking trojans, this malware heavily relies on overlay attack techniques to deceive victims into revealing sensitive credentials. Once the user launches a targeted application, the malware retrieves a malicious HTML payload from the C&C server, as shown in Figure 11, and overlays it on the legitimate application’s user interface, effectively creating a convincing and deceptive facade.

Fig.11: some payloads received from the C&C

Our team identified a total of 172 targeted applications, encompassing financial institutions, social media platforms, and cryptocurrency wallets.

Newly added Remote Desktop (VNC) features

The threat actors leverage the MediaProjection API to capture the device’s display, encode the content, and transmit it to a designated Command and Control (C&C) server. Upon receiving the “startVNC” command, the malware initiates Virtual Network Computing (VNC) functionality on the victim’s device. Subsequently, the malware enters a standby mode, awaiting the “actionVNC” command. This command includes specific instructions that enable the attackers, leveraging the Accessibility service, to interact with and control the infected device’s screen.

Automating unlocking lock screen pattern

One of the newly identified capabilities of the malware is its ability to interact with the device’s lock screen. By utilizing the Accessibility Service, the malware locates the lock pattern view com.android.systemui:id/lockPatternView on the screen and divides it into a 3×3 grid. It then processes the pattern (represented as a string of numbers), computes the position of each number on the grid and the movement path between consecutive numbers, and replicates the pattern by generating and dispatching the corresponding touch events to the device. This automated sequence enables the malware to unlock the device without requiring any user interaction, even when the device is idle.

Below is the complete list of actions supported by the malware.

| Action | Description |
| --- | --- |
| tap | Dispatches a tap gesture |
| swipe | Makes a swipe gesture |
| global-recent | Shows the overview of recent apps |
| global-home | Executes the “go home” action |
| global-back | Performs the “go back” action |
| global-bar | Opens the notification bar |
| global-power | Opens the power long-press dialog |
| global-lock | Locks the device screen globally |
| scroll-up | Dispatches a gesture to scroll up |
| scroll-down | Dispatches a gesture to scroll down |
| swipe-up | Dispatches a gesture to swipe up |
| swipe-right | Dispatches a gesture to swipe right |
| swipe-down | Dispatches a gesture to swipe down |
| swipe-left | Dispatches a gesture to swipe left |
| makeGesture | Dispatches a gesture at the given x and y coordinates |
| pattern | Automates the lock pattern |
| textset | Modifies clipboard data and sets it on the screen |
| textget | Gets clipboard data and sends it to the server |

Countries and Apps in the crosshairs of AppLite 

The banker malware appears to be specifically designed to target users proficient in English, Spanish, French, German, Italian, Portuguese, and Russian. This assumption is supported by the identification of language-specific code references within the malware, as illustrated in Figure 12.

Figure 12. Targeting speakers across different countries based on the language

The malware primarily targets three categories of applications: banking, cryptocurrency and finance. Our analysis revealed that 95 banking applications, 62 cryptocurrency applications, and 13 additional financial applications were targeted by the malware.

An analysis of the regions in which the targeted banking applications operate indicates the primary target countries, as shown in the figure below.

Figure.13: targeted countries based on banking apps

Zimperium vs. AppLite

Zimperium’s cutting-edge technology has consistently demonstrated its effectiveness, successfully detecting and neutralizing all malware samples and malicious URLs highlighted in this blog post. This underscores its unique ability to deliver zero-day malware and phishing detection directly on the device, providing unmatched protection against emerging cyber threats.

Given the malware’s advanced capabilities and extensive control over compromised devices, it is imperative to implement proactive and robust protection measures to safeguard users and devices against this and similar threats, preventing data or financial losses. 

Zimperium is uniquely equipped to support enterprises (MTD) and app developers (MAPS) in defending against the constantly evolving threat landscape targeting mobile devices. Powered by our proprietary On-Device Dynamic Detection Engine, both MTD and MAPS products leverage local, on-device advanced machine learning, behavioral analysis and deterministic detection to provide industry leading zero-day protection. This unique capability ensures comprehensive detection and mitigation of threats without impacting user experience or app development timelines.

Zimperium’s detection engine detects 100% of the reported samples, zero day. At the same time, our web content filtering can correctly identify and block traffic to the reported malicious domains, preventing the infection.

MITRE ATT&CK Techniques

To help our customers and the industry understand the impact of this malware, Zimperium has compiled the following table containing the MITRE Tactics and Techniques as reference. 

| Tactic | ID | Name | Description |
| --- | --- | --- | --- |
| Initial Access | T1660 | Phishing | Adversaries send malicious content to users in order to gain access to their device. |
| Persistence | T1624.001 | Event Triggered Execution: Broadcast Receivers | It creates a broadcast receiver to receive SMS events. |
| Defense Evasion | T1655.001 | Masquerading: Match Legitimate Name or Location | Malware pretending to be the Google Play Update application. |
| | T1630.001 | Indicator Removal on Host: Uninstall Malicious Application | Malware can uninstall itself. |
| | T1516 | Input Injection | Malware can mimic user interaction, perform clicks and various gestures, and input data. |
| | T1406.002 | Obfuscated Files or Information: Software Packing | It is using obfuscation and packers (JSONPacker) to conceal its code. |
| Credential Access | T1414 | Clipboard Data | It extracts data stored on the clipboard. |
| | T1417.001 | Input Capture: Keylogging | It has a keylogger feature. |
| | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| | T1517 | Access Notifications | Can listen to the notifications. |
| Discovery | T1418 | Software Discovery | Malware collects the installed application package list. |
| | T1426 | System Information Discovery | The malware collects basic device info. |
| Collection | T1517 | Access Notifications | It registers a receiver to monitor incoming SMS messages. |
| | T1513 | Screen Capture | Malware can record screen content. |
| | T1512 | Capture Camera | Malware opens the camera and takes pictures. |
| | T1429 | Audio Capture | Malware captures audio recordings. |
| | T1616 | Call Control | Malware can make calls. |
| | T1636.002 | Protected User Data: Call Log | Malware steals call logs. |
| | T1636.003 | Protected User Data: Contact List | It exports the device’s contacts. |
| | T1636.004 | Protected User Data: SMS Messages | Steals SMSs from the infected device. |
| | T1417.001 | Input Capture: Keylogging | Malware can capture keystrokes. |
| | T1417.002 | Input Capture: GUI Input Capture | It is able to get the shown UI. |
| | T1414 | Clipboard Data | It has the ability to steal data from the clipboard. |
| | T1616 | Call Control | The TA can make and block calls on the device. |
| Command and Control | T1637 | Dynamic Resolution | It receives the injected HTML payload endpoint dynamically from the server. |
| | T1481.002 | Web Service: Bidirectional Communication | It uses websocket communication to poll the TA’s server and get the commands to execute. |
| Exfiltration | T1646 | Exfiltration Over C2 Channel | Sending exfiltrated data over the C&C server. |
| | T1616 | Call Control | The TA can make and block calls on the device. |
| Impact | T1516 | Input Injection | It displays inject payloads like the pattern lock, mimics banking apps’ login screens through overlays and steals credentials. |
| | T1582 | SMS Control | It can read and send SMS. |

Indicators of Compromise:

The IOCs for this campaign can be found on this repository.

A big thanks to Fernando Sanchez Ortega and Rajat Goyal for their help with the data collection and analysis.