Full Report
Cybersecurity researchers have exposed the inner workings of an Android malware called AntiDot that has compromised over 3,775 devices as part of 273 unique campaigns. "Operated by the financially motivated threat actor LARVA-398, AntiDot is actively sold as a Malware-as-a-Service (MaaS) on underground forums and has been linked to a wide range of mobile campaigns," PRODAFT said in a report
Analysis Summary
# Threat Actor: LARVA-398 (Operating AntiDot MaaS)
## Attribution & Identity
* **Primary Identity:** Financially motivated threat actor known as LARVA-398.
* **Associated Groups/Services:** Operates the Malware-as-a-Service (MaaS) platform using the Android malware strain **AntiDot**.
* **Aliases:** None explicitly mentioned for the operator, but the malware has an evolved variant named **AppLite Banker**.
## Activity Summary
* **Campaign Scope:** Responsible for operating AntiDot, which has compromised over 3,775 devices across 273 unique campaigns.
* **MaaS Operation:** AntiDot is actively sold on underground forums as a subscription service.
* **Historical Campaigns:**
  * Initially documented in May 2024, distributed as malicious Google Play updates to steal information.
  * In December 2024, a variation called AppLite Banker was distributed via mobile phishing campaigns using job offer-themed decoys.
* **Current State:** At least 11 active Command-and-Control (C2) servers identified overseeing the infected devices.
## Tactics, Techniques & Procedures
* **Delivery/Initial Access:** Delivery via malicious advertising networks or highly tailored phishing campaigns. The malware disguises itself as legitimate Google Play updates or job offers.
* **Evasion & Obfuscation:** The Java-based malware is heavily obfuscated using a commercial packer to evade detection. Malicious code classes are dynamically loaded from an encrypted file during installation to bypass AV tools (a three-stage delivery process).
* **Privilege Escalation:** Prompts victims to grant Accessibility Service permissions after launching, often displaying a bogus update bar first.
* **Core Capabilities:**
  * Screen recording via abuse of Android's accessibility services (and the MediaProjection API).
  * SMS interception and setting itself as the default SMS app.
  * Data extraction from third-party applications.
  * Overlay attacks and WebView injection to steal credentials from cryptocurrency/payment apps.
  * Keystroke logging.
  * Call monitoring, call blocking, or call redirection.
  * Real-time notification monitoring (dismissing or snoozing alerts to suppress user suspicion).
* **C2/Communication:** Establishes WebSocket communication for real-time, bi-directional connection.
* **MITRE ATT&CK IDs:** (No specific IDs were provided in the source text, but key areas map to **T1436** - Steal Application Access Token, **T1431** - Input Capture, **T1410** - Screen Capture).
## Targeting
* **Sectors:** Finance/Payment applications are explicitly targeted (cryptocurrency and payment-related apps).
* **Geography:** Targeting appears selective based on language and geographic location, with one noted campaign specifically targeting **Colombian users** (this reference comes from an adjacent SpyLoan context rather than the AntiDot report itself, but AntiDot's language- and location-based tailoring suggests a regional focus).
* **Victims:** Over 3,775 infected devices globally. Campaigns include job offer lures and bogus Google Play updates.
## Tools & Infrastructure
* **Malware Families Used:** AntiDot (core framework), AppLite Banker (variant).
* **Infrastructure:**
  * C2 Panel built using **MeteorJS** (an open-source JavaScript framework allowing real-time communication).
  * The C2 panel features modules for managing bots, defining overlay injects, analyzing installed apps, configuring settings, and managing infrastructure endpoints ("Gates").
## Implications
AntiDot represents a mature, scalable, and evasive Malware-as-a-Service (MaaS) platform focused purely on financial gain through comprehensive remote control and persistent data theft on Android mobile devices. Its heavy obfuscation, use of legitimate APIs like Accessibility Services for malicious purposes, and real-time communication capabilities make it a significant and adaptive threat to mobile users and financial institutions.
## Mitigations
* Users should be wary of unexpected "updates" or urgent prompts for accessibility permissions, especially outside official app stores.
* Organizations should educate users about phishing lures, particularly job-offer themed templates, used for sideloading APKs.
* Monitor for devices that suddenly set themselves as the default SMS application.
* Employ Mobile Threat Defense (MTD) solutions capable of detecting dynamic loading/unpacking behavior associated with commercial packers.
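As an added example (not code from the PRODAFT report or any MTD product), the detection logic a fleet administrator could run over MDM telemetry to catch the two observable behaviours listed above: an unexpected default SMS app, and an accessibility service enabled for a package that did not come from the official store. The telemetry schema, the allowlists and the sample snapshots (including the `com.update.checker` package name) are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed baseline allowlists (assumption: replace with your fleet's own).
ALLOWED_SMS_APPS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}
STORE_INSTALLERS = {"com.android.vending"}  # Google Play's installer package name

@dataclass
class DeviceSnapshot:
    """One MDM telemetry record (hypothetical schema, not a real product's)."""
    device_id: str
    default_sms_app: str
    # Android stores enabled services as "package/ServiceClass" entries.
    accessibility_services: list = field(default_factory=list)
    # Installing package per app; None means unknown, i.e. likely sideloaded.
    installers: dict = field(default_factory=dict)

def find_indicators(snap):
    """Return (indicator, package) pairs observed on a single device."""
    hits = []
    if snap.default_sms_app not in ALLOWED_SMS_APPS:
        hits.append(("unexpected_default_sms_app", snap.default_sms_app))
    for svc in snap.accessibility_services:
        pkg = svc.split("/", 1)[0]
        if pkg in ALLOWED_A11Y_PACKAGES:
            continue
        hits.append(("untrusted_accessibility_service", pkg))
        if snap.installers.get(pkg) not in STORE_INSTALLERS:
            hits.append(("sideloaded_package_with_accessibility", pkg))
    return hits

def severity(hits):
    """Accessibility abuse plus SMS takeover together match the reported chain."""
    kinds = {kind for kind, _ in hits}
    if {"untrusted_accessibility_service", "unexpected_default_sms_app"} <= kinds:
        return "high"
    return "medium" if kinds else "none"

def triage(snapshots):
    return {s.device_id: severity(find_indicators(s)) for s in snapshots}

# Constructed sample telemetry: a clean device and one matching the pattern.
SAMPLE = [
    DeviceSnapshot("dev-001", "com.google.android.apps.messaging",
                   ["com.google.android.marvin.talkback/.TalkBackService"],
                   {"com.google.android.marvin.talkback": "com.android.vending"}),
    DeviceSnapshot("dev-002", "com.update.checker",  # constructed package name
                   ["com.update.checker/com.update.checker.A11yService"],
                   {"com.update.checker": None}),
]
```

Running `triage(SAMPLE)` yields `none` for the clean device and `high` for the one whose sideloaded package holds both the accessibility service and the default SMS role.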