A sophisticated new Android botnet malware called AntiDot has emerged as a significant threat to mobile device security, offering cybercriminals unprecedented control over infected devices.<\/p>\n
This malicious software operates as part of a Malware-as-a-Service (MaaS)<\/a> model, marketed by threat actor LARVA-398 on underground forums as a comprehensive \u201c3-in-1\u201d tool that combines its own loader, packer, and botnet infrastructure into a single dangerous package.<\/p>\n The malware represents a concerning evolution in mobile threats, featuring advanced capabilities including screen recording through Android accessibility service abuse, SMS message interception, and systematic harvesting of application logs to exfiltrate sensitive user data.<\/p>\n Campaign activity analysis reveals that threat actors are strategically targeting victims based on specific language preferences and geographic locations, suggesting sophisticated distribution methods likely involving malicious advertising networks and highly tailored phishing campaigns.<\/p>\n Catalyst analysts identified<\/a> that AntiDot\u2019s operational infrastructure currently encompasses at least 11 active command-and-control (C2) servers managing more than 3,775 infected devices across a minimum of 273 distinct campaigns.<\/p>\n Remarkably, none of these C2 servers appear in public threat intelligence<\/a> databases, and the associated domain \u201cgates\u201d remain undetected by most commercial security solutions, highlighting the malware\u2019s sophisticated evasion capabilities.<\/p>\n The threat\u2019s scope extends beyond simple data theft, incorporating interface cloning technologies that enable attackers to create convincing replicas of legitimate applications<\/a>.<\/p>\n This capability allows cybercriminals to conduct overlay attacks specifically targeting cryptocurrency and payment-related applications, though the system supports customizable presets for broader targeting scenarios.<\/p>\n Each C2 server typically manages infections from narrow geographic or linguistic demographics, reinforcing the targeted nature of these operations.<\/p>\n The malware\u2019s distribution strategy appears highly flexible, with campaign identifiers following structured patterns such as \u201c1206tv04\u201d and \u201c13TTPT01,\u201d indicating automated generation systems, while others use arbitrary or themed names potentially reflecting specific lures or geographic targets.<\/p>\n Underground forum discussions suggest some dissatisfaction with LARVA-398\u2019s customer support, particularly regarding compatibility with latest Android versions, though this has not diminished the malware\u2019s operational effectiveness.<\/p>\n AntiDot\u2019s most concerning aspect lies in its sophisticated command and control infrastructure, which utilizes WebSocket protocols for real-time communication between infected devices and operator panels.<\/p>\n The malware<\/a> employs a multi-stage infection process, typically delivered as \u201cUpdate.apk,\u201d which initially displays a deceptive update progress bar while requesting critical accessibility permissions from unsuspecting users.<\/p>\n Once permissions are granted, the malware unpacks and loads encrypted DEX files containing the primary botnet capabilities.<\/p>\n The system uses commercial packers to evade antivirus detection, employing obfuscation techniques that significantly complicate both static and dynamic analysis.<\/p>\n The AndroidManifest inspection reveals that numerous class names are absent from the original APK, as these malicious components are dynamically loaded during installation from encrypted files.<\/p>\n The C2 panel operates through MeteorJS framework, maintaining real-time data feeds through WebSocket connections that enable operators to monitor victim statistics and configure overlay targets dynamically.<\/p>\n This architecture supports an extensive command set including device control functions, application management, SMS manipulation, and sophisticated overlay operations that can mimic legitimate application interfaces to steal credentials and financial information.<\/p>\n The post AntiDot \u2013 3-in-1 Android Malware Let Attackers Full Control of Compromised Devices<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgmnhKTneXwAKZ2Gl425vE1vs0JK15DnBC4fs8DE5juGLqcZMw44Az3npT9b-kGqEa2nj3kXOXCySCPXMosLnIadacTL0wkkWHv7rNTXeM3_cRADjVA6kNGn4T8tXLtzBoITMRUpmT1jWWbCqSwsdq06OgdM3zzdzgnA10gLX58nubiJIyXAI9bdH54ugU\/s16000\/Application%2520requests%2520accessibility%2520permission%2520%28Source%2520-%2520Catalyst%29.webp?ssl=1\")
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiw2umGM4_osW8au-uOUWjkE2fQVgrALXUXGY8h80tMwTs1LDRVu43ihXQ-bggtQXDrEegY62moF491EBenBgrl9yF5_EE9gVn01PwPKjEAR5s8Ed8Wl3mNT0Xa7ZYrBgIAaffw7DR0hjODYfMu81ztDtXRww3xaaShethkyLL3F7EKV0XMUnONGLPLiOo\/s16000\/Example%2520overlay%2520%28Source%2520-%2520Catalyst%29.webp?ssl=1\")
Advanced Command and Control Architecture<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi1qO-kkGdhg1n5XUUPAzi7wv3ibEN0rkiTWvYXOOilFbUcNz1pU9OCxpCLzm-RhGIXK44ZqWkcpjLjyaRUrEMXJAWDT_OYTyGH9-vN0S8Q2WxG5uHwvUNGhM6sx2XSV1IUkBLvXIEXybowzQfE3ZJ4aXcD1vq4xFDMmHOEF-xnMoq6zo4B4l-q6eOJ5qs\/s16000\/Bots%2520page%2520of%2520the%2520panel%2520%28Source%2520-%2520Catalyst%29.webp?ssl=1\")
Are you from SOC\/DFIR Teams! - Interact with malware in the sandbox and find related IOCs. -\u00a0Request 14-day free trial<\/a><\/code><\/strong><\/strong><\/strong><\/p>\n