Cybersecurity researchers have uncovered a highly advanced mobile phishing campaign, also known as "mishing," aimed at spreading an updated version of the Antidot banking trojan.
"The attackers presented themselves as recruiters, luring unsuspecting victims with job offers," stated Vishnu Pratapagiri, a researcher from Zimperium zLabs, in a new report.
During the fake recruitment process, victims are tricked into downloading a malicious app that acts as a dropper. This dropper eventually installs the updated variant of the Antidot Banker on the victim's device. Zimperium has dubbed the new malware version "AppLite Banker," emphasizing its enhanced capabilities. These include extracting unlock PINs, patterns, or passwords, and remotely taking control of infected devices—a feature previously seen in other malware like TrickMo.
The Deceptive Job Offer
The attackers employ social engineering tactics, enticing victims with a lucrative job opportunity boasting a "competitive hourly rate of $25" and excellent career growth potential.
In September 2024, a Reddit post spotted by The Hacker News revealed users receiving emails from a Canadian company named Teximus Technologies. These emails advertised remote customer service agent roles.
Victims who engage with the alleged recruiter are directed to download a malicious Android app from a phishing page under the guise of the recruitment process. This app serves as the initial stage for deploying the main malware onto their devices.
Malware Distribution and Tactics
Zimperium uncovered a network of fraudulent domains distributing malware-laden APK files disguised as employee and customer relationship management (CRM) apps.
The dropper apps use ZIP file manipulation to bypass security measures and evade analysis. They require victims to register an account and then prompt them to install an "app update," presented as a measure to secure the phone.
"When the user clicks the 'Update' button, a fake Google Play Store icon appears, leading to the installation of the malware," explained Pratapagiri.
The malicious app requests Accessibility Services permissions and abuses them to draw overlays on the screen, which lets it grant itself further permissions and carry out subsequent attacks.
Advanced Malware Features
The latest Antidot variant supports new commands, such as:
It also hides specific SMS messages, blocks calls from designated numbers, launches fake login pages for 172 banks, cryptocurrency wallets, and social media platforms, and serves malicious overlays. Additional features include keylogging, call forwarding, SMS theft, and Virtual Network Computing (VNC) for remote device control.
The campaign targets users proficient in English, Spanish, French, German, Italian, Portuguese, and Russian.
Call to Action
"Given the malware's advanced capabilities and extensive control over compromised devices, it is imperative to implement proactive and robust protection measures to safeguard users and devices against this and similar threats, preventing data or financial losses," warned Zimperium.
Broader Context
This revelation coincides with Cyfirma’s discovery of an Android malware campaign delivering the SpyNote trojan. The campaign, targeting high-value assets in Southern Asia, highlights threat actors' ongoing preference for publicly available tools to attack high-profile individuals.
"The continued use of SpyNote is notable, as it highlights the threat actors' preference for leveraging this tool to target high-profile individuals despite being publicly available on various underground forums and Telegram channels," Cyfirma noted.
© 2016 - 2025 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067