AntiDot Android Malware
Cybersecurity researchers have pulled back the curtain on AntiDot, a sophisticated piece of Android malware that has infected thousands of devices across hundreds of malicious campaigns. Linked to a threat actor known as LARVA-398, this malware illustrates the growing danger posed by mobile Malware-as-a-Service (MaaS) offerings on the dark web.
A Growing Threat: Scale and Scope of the Attack
AntiDot has been associated with 273 distinct campaigns and at least 3,775 compromised Android devices. The campaigns are narrowly targeted by device language and geographic location, which points to deliberate victim profiling. The malware is distributed mainly through malicious advertising networks and phishing campaigns, including fake Google Play updates.
MaaS for Mobile: LARVA-398’s Business Model
Marketed as a 'three-in-one' solution, AntiDot is sold on underground forums, providing threat actors with a powerful toolkit for:
- Screen recording via accessibility abuse
- SMS interception
- Data extraction from third-party apps
This commercialization has made it accessible to a wider range of cybercriminals, lowering the barrier for launching advanced mobile attacks.
Advanced Capabilities: What AntiDot Can Do
AntiDot is equipped with a broad range of capabilities that give attackers persistent, stealthy control over infected devices. It carries out overlay attacks by displaying fake login screens that convincingly mimic legitimate apps, stealing the credentials typed into them. The malware also logs keystrokes and monitors screen content to capture sensitive information. Using Android's MediaProjection API, it captures the device screen for remote viewing and control; MediaProjection itself only records what is displayed, so the input side of remote control depends on the accessibility-service access described next. Throughout, it keeps a real-time channel to its command-and-control servers over WebSocket connections.
AntiDot abuses accessibility services to read screen content and harvest data from the device, and it sets itself as the default SMS app, a change Android only grants through a system confirmation dialog, to intercept incoming and outgoing messages. It also manipulates phone calls by blocking or redirecting them and suppresses notifications so the user is not alerted to the activity. Together, these features give the attackers comprehensive access to and control over the victim's device.
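The two roles described above, an enabled accessibility service and the default SMS app, are both visible in Android's secure settings, which makes them quick triage checks on a suspect device. The script below is an added example written for this page, not code from the AntiDot report or its authors. It parses the raw output an analyst would collect with `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell pm list packages -i`, flags any package outside an analyst-maintained allowlist, and raises the severity when the package was sideloaded rather than installed from the Play Store. The allowlist, the package name `com.update.playservice` and all sample output are constructed placeholders.

```python
"""Triage of Android secure settings for accessibility and default-SMS abuse.

Added example for this page, not code from the AntiDot report. Feed triage()
the raw output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application
  adb shell pm list packages -i
Every package name, the allowlist and the sample output are constructed.
"""
import re

# Assumed allowlist of packages that legitimately hold these roles on the fleet.
ASSUMED_ALLOWLIST = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
    "com.google.android.apps.messaging",    # Google Messages
}
PLAY_STORE = "com.android.vending"
_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_accessibility_services(value: str) -> list[str]:
    """Android stores enabled services as a colon-separated list of
    'package/ServiceClass' components; 'null' means none are enabled."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package -> installer from 'pm list packages -i' output.
    'null' marks a sideloaded or adb-installed package."""
    installers = {}
    for line in pm_output.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def triage(accessibility_value: str, sms_default_value: str, pm_output: str,
           allowlist=ASSUMED_ALLOWLIST) -> list[dict]:
    """One finding per sensitive role held by a package outside the allowlist.
    Sideloaded packages are rated 'high' because the malware arrives as a
    phished APK rather than through the Play Store."""
    installers = parse_installers(pm_output)
    findings = []

    def add(indicator, package, detail):
        installer = installers.get(package, "unknown")
        severity = "high" if installer != PLAY_STORE else "medium"
        findings.append({"indicator": indicator, "package": package,
                         "detail": detail, "installer": installer,
                         "severity": severity})

    for component in parse_accessibility_services(accessibility_value):
        package = component.split("/", 1)[0]
        if package not in allowlist:
            add("accessibility_service", package, component)

    sms_app = sms_default_value.strip()
    if sms_app and sms_app != "null" and sms_app not in allowlist:
        add("default_sms_app", sms_app, sms_app)
    return findings


# Constructed sample output; 'com.update.playservice' is a placeholder name.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.update.playservice/com.update.playservice.AccService"
)
SAMPLE_SMS_DEFAULT = "com.update.playservice"
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.google.android.apps.messaging  installer=com.android.vending
package:com.update.playservice  installer=null
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT, SAMPLE_PM):
        print(f"[{f['severity']}] {f['indicator']}: {f['package']} "
              f"({f['detail']}, installer={f['installer']})")
```

On the constructed sample this reports the same sideloaded package holding both roles, which is exactly the combination the text describes. An empty or `null` accessibility list and an allowlisted SMS app produce no findings, so the script is safe to run routinely across a fleet; the allowlist has to be maintained per OEM, since vendors ship their own messaging and assistive packages.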
Delivery Chain: A Three-Stage Infection Process
The malware is delivered in three stages:
Initial APK file – distributed through phishing or fake updates.
Dynamic class loading – obfuscated classes that are not present in the APK's own DEX code are decrypted and loaded at runtime, so the installed package on its own looks like little more than a loader.
DEX file execution – once the user grants the accessibility permission, the malware unpacks and loads a further DEX file containing the botnet code.
AntiDot's use of commercial packers and encrypted payloads significantly hinders detection and reverse engineering.
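The three stages and the packed, encrypted payload leave static traces that a first-pass APK triage can pick up: a DEX that references dynamic class loaders, a bundled file whose bytes look random, and a manifest that declares an accessibility service. The script below is an added example written for this page, not code from the AntiDot report or its authors. It opens the APK as the ZIP it is and checks those three indicators; the sample APK it builds in memory is constructed so the script runs offline, and the entropy threshold, the list of skipped media suffixes and the stub file contents are assumptions for illustration.

```python
"""Static triage of an APK for the staging tricks described above.

Added example for this page, not code from the AntiDot report. Reports:
  * DEX files that reference dynamic class-loading APIs;
  * non-DEX entries whose bytes look random, the usual shape of an encrypted
    second-stage payload (compressed media is skipped because it looks the same);
  * an accessibility-service binding declared in the manifest.
The sample APK is constructed in memory; nothing in it comes from a real sample.
"""
import hashlib
import io
import math
import zipfile
from collections import Counter

# Type descriptors live in the DEX string table as MUTF-8, so a byte search
# finds them without a full DEX parser.
DYNAMIC_LOADERS = [
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
]
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ENTROPY_THRESHOLD = 7.2     # assumed cutoff in bits/byte; encrypted data sits near 8.0
MIN_PAYLOAD_SIZE = 1024     # short files give noisy entropy estimates
SKIP_SUFFIXES = (".png", ".jpg", ".webp", ".ogg", ".mp3", ".mp4", ".ttf")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    findings = {"dynamic_loading": [], "high_entropy": [],
                "accessibility_service": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name.endswith(".dex"):
                hits = [d.decode() for d in DYNAMIC_LOADERS if d in data]
                if hits:
                    findings["dynamic_loading"].append((name, hits))
            elif name == "AndroidManifest.xml":
                # Binary AXML string pools are usually UTF-16LE, sometimes UTF-8.
                if (ACCESSIBILITY_PERMISSION.encode("utf-16-le") in data
                        or ACCESSIBILITY_PERMISSION.encode("utf-8") in data):
                    findings["accessibility_service"] = True
            elif (len(data) >= MIN_PAYLOAD_SIZE
                  and not name.startswith("META-INF/")
                  and not name.lower().endswith(SKIP_SUFFIXES)):
                entropy = shannon_entropy(data)
                if entropy >= ENTROPY_THRESHOLD:
                    findings["high_entropy"].append((name, round(entropy, 2)))
    return findings


def pseudo_random(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted payload."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def build_sample_apk() -> bytes:
    """Constructed APK: a stub DEX naming DexClassLoader, a manifest fragment
    declaring the accessibility permission, one random-looking asset and one
    plain-text asset that must not be flagged."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex",
                    b"dex\n035\x00" + b"\x00" * 64
                    + b"Ldalvik/system/DexClassLoader;\x00Ljava/lang/Object;\x00")
        zf.writestr("AndroidManifest.xml",
                    b"\x03\x00\x08\x00" + ACCESSIBILITY_PERMISSION.encode("utf-16-le"))
        zf.writestr("assets/payload.bin", pseudo_random(4096))
        zf.writestr("assets/config.txt", b"key=value\n" * 200)
    return buf.getvalue()


if __name__ == "__main__":
    for indicator, value in triage_apk(build_sample_apk()).items():
        print(f"{indicator}: {value}")
```

For a real file, call `triage_apk(open(path, "rb").read())`. Treat the output as a triage signal rather than a verdict: string-encrypting packers can hide the loader class names from the byte search, and legitimate apps ship compressed or encrypted resources that trip the entropy check, so the interesting case is the combination of all three indicators in one package.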
Bogus Interfaces and Credential Theft
A key AntiDot tactic involves presenting fake login screens when users open cryptocurrency or financial apps. These screens are fetched in real-time from a Command-and-Control (C2) server, allowing attackers to capture sensitive credentials without raising user suspicion.
AntiDot’s C2 Infrastructure: Built for Efficiency
The malware's remote control panel is built on MeteorJS, allowing seamless real-time interaction with infected devices. The panel includes six distinct sections:
- Bots: Displays infected devices and their metadata
- Injects: Lists target apps for overlay attacks and templates
- Analytic: Tracks installed apps to identify trends and future targets
- Settings: Controls injection parameters and malware behavior
- Gates: Manages bot communication endpoints
- Help: Provides user support for malware operators
Localized and Persistent: The Real Danger of AntiDot
AntiDot is more than just another Android trojan: it is a scalable, evasive MaaS platform focused on financial fraud through localized targeting. With techniques such as WebView injection, overlay-based credential theft and real-time C2 communication, it poses a serious threat to user privacy and mobile security.
Researchers warn that AntiDot's growing adoption and evolving tactics highlight the urgent need for enhanced Android security practices, regular updates, and user awareness to combat increasingly stealthy threats like this.