Full Report
Cybersecurity researchers have shed light on a sophisticated mobile phishing (aka mishing) campaign that's designed to distribute an updated version of the Antidot banking trojan. "The attackers presented themselves as recruiters, luring unsuspecting victims with job offers," Zimperium zLabs researcher Vishnu Pratapagiri said in a new report. "As part of their fraudulent hiring process, the
Analysis Summary
# Tool/Technique: AppLite Banker (Antidot Variant)
## Overview
AppLite Banker is a newly identified, updated variant of the Antidot Android banking trojan, distributed through a mobile phishing (mishing) campaign that lures victims with fake job offers. Its primary purpose is to steal sensitive information, including device unlock credentials and financial details, and to give the operator remote control of the infected Android device.
## Technical Details
- Type: Malware family (Banking Trojan Variant)
- Platform: Android
- Capabilities: Siphoning of unlock PIN/pattern/password, remote device control (via VNC), screen overlay attacks, permission self-granting, SMS interception, call blocking, keylogging.
- First Seen: Information not explicitly stated, but the variant was recently reported.
## MITRE ATT&CK Mapping
Mappings use ATT&CK for Mobile, whose techniques cover the Android-specific behaviours described below (overlays, Accessibility abuse, SMS and call control) that have no direct Enterprise equivalent.
- **TA0027 - Initial Access**
- T1660 - Phishing (mishing lure linking to the fake CRM APK hosted on attacker-controlled domains)
- **TA0030 - Defense Evasion**
- T1406 - Obfuscated Files or Information (ZIP file manipulation to hinder analysis)
- T1655.001 - Masquerading: Match Legitimate Name or Location (CRM app lure; fake Google Play Store "app update" prompt)
- T1516 - Input Injection (Accessibility Services used to self-grant further permissions)
- T1629.001 - Impair Defenses: Prevent Application Removal (anti-uninstall logic)
- **TA0031 - Credential Access**
- T1417.002 - Input Capture: GUI Input Capture (overlay pages for banks, wallets and social media; capture of the lock-screen PIN/pattern/password)
- T1417.001 - Input Capture: Keylogging
- **TA0032 - Discovery**
- T1426 - System Information Discovery (device context gathering)
- **TA0035 - Collection**
- T1513 - Screen Capture (VNC-based remote viewing and control)
- **TA0037 - Command and Control**
- T1437 - Application Layer Protocol
- **TA0036 - Exfiltration**
- T1646 - Exfiltration Over C2 Channel
- **TA0034 - Impact**
- T1582 - SMS Control (hiding SMS messages specified by the C2 server)
- T1616 - Call Control (blocking calls from C2-specified numbers)
## Functionality
### Core Capabilities
- **Credential Harvesting:** Stealing device unlock PIN, pattern, or password.
- **Accessibility Abuse:** Requests and abuses Accessibility Services permissions to overlay screens (e.g., for stealing Google account credentials) and self-grant further permissions.
- **Overlay Attacks:** Serves fake login pages for 172 banks, cryptocurrency wallets, and social media services (Facebook, Telegram).
- **Communication Manipulation:** Hides specific SMS messages and blocks calls from numbers defined by the C2 server.
### Advanced Features
- **Remote Control:** Implements Virtual Network Computing (VNC) functionality for remote interaction with the compromised device.
- **Device State Manipulation:** Ability to wake up the device and reduce the screen brightness to the lowest level.
- **Persistence/Evasion:** Incorporates logic to prevent the malware from being uninstalled.
- **Settings Manipulation:** Ability to open the "Keyboard & Input" and "Manage Default Apps" settings screens directly (this is on-device configuration tampering, not lateral movement).
- **Dropper Mechanism:** Utilizes a malicious Android application distributed via phishing domains, often using ZIP file manipulation to bypass initial security checks.
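The page notes that the dropper relies on ZIP file manipulation to get past initial checks but does not say which fields are altered. One generic way to surface such tampering during triage is to read the APK (a ZIP archive) at the byte level and compare every central-directory record against the local file header it points to, since tolerant unpackers may accept a mismatch that stricter analysis tools choke on. The following is an added example, not code from Zimperium or the original page; the sample archive, the `tamper_local_header` helper and the choice of fields compared are assumptions for illustration, not a description of AppLite's actual manipulation.

```python
import io
import struct
import zipfile

LOCAL_HDR_SIG = b"PK\x03\x04"
LOCAL_HDR_LEN = 30  # fixed part: sig(4) ver(2) flags(2) method(2) time(2) date(2) crc(4) csize(4) usize(4) nlen(2) xlen(2)
FLAG_ENCRYPTED = 0x0001
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes/CRC legitimately live after the data when set


def build_sample_apk() -> bytes:
    """Constructed in-memory stand-in for an APK so the check runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>" * 8)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def tamper_local_header(apk: bytes, name: str, method: int) -> bytes:
    """Hypothetical tampering helper: rewrite the compression-method field of one
    entry's local file header while leaving the central directory untouched."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        off = zf.getinfo(name).header_offset
    if apk[off:off + 4] != LOCAL_HDR_SIG:
        raise ValueError("entry does not start with a local file header")
    return apk[:off + 8] + struct.pack("<H", method) + apk[off + 10:]


def check_apk_zip_consistency(apk: bytes) -> list:
    """Return human-readable findings for every central-directory/local-header
    disagreement. An empty list means the archive is internally consistent."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            off = info.header_offset
            hdr = apk[off:off + LOCAL_HDR_LEN]
            if hdr[:4] != LOCAL_HDR_SIG:
                findings.append(f"{info.filename}: central directory points at a non-header offset")
                continue
            (_ver, flags, method, _t, _d, crc, csize, usize, nlen, _xlen) = struct.unpack(
                "<HHHHHIIIHH", hdr[4:LOCAL_HDR_LEN])
            local_name = apk[off + LOCAL_HDR_LEN:off + LOCAL_HDR_LEN + nlen]
            if local_name != info.filename.encode("utf-8"):
                findings.append(f"{info.filename}: local header names {local_name!r}")
            if method != info.compress_type:
                findings.append(f"{info.filename}: method {method} in local header vs "
                                f"{info.compress_type} in central directory")
            if method not in (zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED):
                findings.append(f"{info.filename}: unusual compression method {method}")
            if flags & FLAG_ENCRYPTED:
                findings.append(f"{info.filename}: encrypted entry flag set")
            if not flags & FLAG_DATA_DESCRIPTOR:
                if (csize, usize) != (info.compress_size, info.file_size):
                    findings.append(f"{info.filename}: size fields disagree with central directory")
                if crc != info.CRC:
                    findings.append(f"{info.filename}: CRC disagrees with central directory")
    return findings


if __name__ == "__main__":
    clean = build_sample_apk()
    print("clean:", check_apk_zip_consistency(clean))
    tampered = tamper_local_header(clean, "classes.dex", 0x00FF)
    for line in check_apk_zip_consistency(tampered):
        print("tampered:", line)
```

Because `zipfile` itself only trusts the central directory, the tampered archive still opens cleanly; the byte-level comparison is what exposes the edited local header. Run the check on real samples from the IOC list to see which fields that campaign actually alters.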
## Indicators of Compromise
- File Hashes: [SHA256 references available on the Zimperium GitHub, not explicitly listed in text]
- File Names: Malicious APK files masquerading as Employee/Customer Relationship Management (CRM) apps.
- Registry Keys: [Not applicable for Android]
- Network Indicators: Phishing domains hosting the malware-laced APK files (not listed in the text; the external IOC list is required for the defanged domains).
- Behavioral Indicators:
- Requesting Accessibility Services permissions.
- Using ZIP file manipulation during initial stages.
- Prompting users to install an "app update" displayed under a fake Google Play Store icon.
## Associated Threat Actors
- Unattributed; the campaign uses social engineering tactics related to Teximus Technologies job offers.
## Detection Methods
- Signature-based detection: Matching known AppLite Banker APK hashes or the signing certificate of the malicious packages.
- Behavioral detection: Monitoring for applications that obtain Accessibility Services access and then draw overlays on login screens, self-grant permissions, or open system settings (e.g., managing default apps).
- YARA rules: Useful for matching strings or byte patterns within the APK files (for example the overlay target list or the manipulated ZIP structure) once samples are available.
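The behavioral detection above can be approximated on a device under investigation by combining three things an analyst can read over `adb`: which packages are enabled as accessibility services, where each third-party package was installed from, and whether it holds the overlay permission. The script below is an added example, not Zimperium's or the page's own tooling; the command outputs are constructed samples whose layout follows what `adb shell settings get secure enabled_accessibility_services`, `adb shell pm list packages -3 -i` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW` print, and the package names, the `TRUSTED_INSTALLERS` set and the scoring rule are assumptions.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample outputs (not captured from a real infected device).
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.crm.update/.core.AccessService"
)
SAMPLE_PM_LIST = """package:com.crm.update  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
"""
SAMPLE_APPOPS = {
    "com.crm.update": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m4s ago",
    "com.google.android.marvin.talkback": "No operations.",
    "com.example.bank": "No operations.",
}

# Assumed policy: only Play Store installs are trusted; add an MDM or
# enterprise store here if the fleet uses one.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}


def parse_enabled_a11y(value: str) -> Set[str]:
    """'pkg/service:pkg/service' -> set of package names; 'null' means none enabled."""
    if not value or value.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.strip().split(":") if entry}


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """'package:<name>  installer=<pkg|null>' lines -> {package: installer or None}."""
    pkgs: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkgs[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return pkgs


def overlay_allowed(appops_output: str) -> bool:
    """True when appops reports the SYSTEM_ALERT_WINDOW op as 'allow'."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_output)
    return bool(m) and m.group(1) == "allow"


def triage(enabled_a11y: str, pm_list: str, appops: Dict[str, str]) -> List[dict]:
    """Flag packages that are enabled accessibility services AND show at least one
    more signal (sideloaded, or overlay permission granted). Accessibility access
    alone is legitimate (screen readers), so it is never reported on its own."""
    a11y = parse_enabled_a11y(enabled_a11y)
    hits = []
    for pkg, installer in parse_pm_list(pm_list).items():
        reasons = []
        if pkg in a11y:
            reasons.append("enabled accessibility service")
        if installer not in TRUSTED_INSTALLERS:
            reasons.append(f"sideloaded (installer={installer})")
        if overlay_allowed(appops.get(pkg, "")):
            reasons.append("SYSTEM_ALERT_WINDOW allowed")
        if "enabled accessibility service" in reasons and len(reasons) >= 2:
            hits.append({"package": pkg, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in triage(SAMPLE_ENABLED_A11Y, SAMPLE_PM_LIST, SAMPLE_APPOPS):
        print(hit["package"], "->", "; ".join(hit["reasons"]))
```

On a live device, feed the real command outputs into `triage()`; a hit warrants pulling the APK (`adb pull` of the path from `pm path <pkg>`) and checking its hash against the IOC list before deciding whether to remove the accessibility grant and uninstall.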
## Mitigation Strategies
- **User Education:** Awareness of mishing campaigns and unsolicited job offers requiring application downloads (especially outside official app stores).
- **Security Settings:** Disabling installation of apps from outside official stores. On Android 8 and later this is the per-app "Install unknown apps" permission rather than a single "Unknown sources" toggle, so browsers and messaging apps (the likely delivery path for a mishing link) should be reviewed individually.
- **Permission Scrutiny:** Regularly auditing and disabling Accessibility Services for unverified applications.
- **Endpoint Protection:** Utilizing mobile threat defense (MTD) solutions capable of detecting Accessibility abuse and overlay attacks.
## Related Tools/Techniques
- Antidot Banker (Predecessor)
- TrickMo (Exhibits similar remote control/screen capture capabilities)
- SpyNote (Another Android malware noted in relation to similar targeting regions)