You might want to avoid updating Google Play when prodded
What's the oldest trick in the book to get people to do something they might not otherwise do? Pretend to be someone you are not. That's exactly what the Antidot banking trojan is doing. To lure Android users into downloading it, it's masquerading as a Google Play update application.
While it's generally recommended that you keep your phone and your apps up to date, you must be very vigilant when downloading an update and not fall for a fake update warning, which may come from cybercriminals like the ones behind Antidot.
Security researchers at Cyble (via Tom's Guide) first came across Antidot on May 6. It's a banking trojan, crafted to gain access to your financial accounts to steal funds.
It places a fake window on top of legitimate financial apps - which is what we call an overlay attack - to siphon off your credentials. This information can be used to gain access to your bank account or cryptocurrency apps.
Once you download the Google Play Update app, a fake update page with a "Continue" button is displayed on the screen. The page will use German, French, Spanish, Russian, Portuguese, Romanian, or English, depending on where you live.
If you tap on the button, you are taken to the Accessibility settings. Like many other banking trojans, Antidot is dependent on the Accessibility service to perform its intended activities. After permissions are granted, an ID is generated for your device.
The fake Google Play update app forces you to grant accessibility permissions to perform malicious activities.
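Because Antidot, like many banking trojans, depends on the Accessibility service, one defender-side check is to list which packages currently hold an enabled accessibility service and whether each came from the Play Store. The script below is an added example written for this article, not code from the article or from Cyble; it parses the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`) that are embedded here as constructed samples. The package name `com.example.fakeplayupdate` and the other sample packages are made up for illustration; the heuristic (flag any accessibility service whose package was not installed by `com.android.vending`) is an assumption of this example, not an indicator published for Antidot.

```python
import re
from dataclasses import dataclass

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Entries are colon-separated "package/service-class" pairs.
ENABLED_ACCESSIBILITY_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeplayupdate/com.example.fakeplayupdate.AccessService"
)

# Constructed sample of: adb shell pm list packages -i
# Each line names a package and the package that installed it ("null" = sideloaded/unknown).
PM_LIST_PACKAGES_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.vending  installer=null
package:com.example.fakeplayupdate  installer=null
package:com.example.bankapp  installer=com.android.vending
"""

# Assumption of this example: only the Play Store counts as a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class Finding:
    package: str
    service: str
    installer: str
    suspicious: bool


def parse_enabled_services(raw):
    """Split the colon-separated setting into (package, service class) tuples."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        services.append((pkg, cls))
    return services


def parse_installers(raw):
    """Map package name -> installer package from 'pm list packages -i' output."""
    installers = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def audit_accessibility_services(services_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Return one Finding per enabled accessibility service; suspicious when the
    owning package was not installed by a trusted installer."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        installer = installers.get(pkg, "unknown")
        findings.append(Finding(pkg, cls, installer, installer not in trusted))
    return findings


if __name__ == "__main__":
    for f in audit_accessibility_services(ENABLED_ACCESSIBILITY_SERVICES, PM_LIST_PACKAGES_I):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.package} ({f.service}) installer={f.installer}")
```

On a real device you would pipe the two adb commands into the parsers instead of the constructed strings; a sideloaded package holding an accessibility service is worth reviewing, and revoking the service in Settings removes the capability the trojan relies on.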
The app also establishes a connection with the Command and Control (C&C) server and maintains a real-time, bidirectional interaction with it to carry out its operations.
It's also capable of keylogging, screen recording, call forwarding, copying contacts, reading your SMSs, locking and unlocking your device, and sending USSD requests (quick codes for requesting services like balance inquiry).
In short, this malware is capable of taking full control of your Android device, and what makes it really dangerous is that it's good at hiding its presence.
So you might be having coffee on your couch, while this abomination of an app is silently sending your hard-earned money to its masters or reading those texts no one was supposed to read.
To avoid falling prey to such threats, only download apps from trusted sources, though that alone is not enough to keep you protected. You should also be careful when opening links sent to you by unknown or untrustworthy contacts and be wary of granting unnecessary permissions to apps.