July 7, 2025

Android Under Attack: The New Wave of Malware

In recent months, a wave of sophisticated threats has targeted the Android ecosystem, affecting thousands of mobile devices around the world. Malware such as AntiDot, GodFather, and SuperCard X are exploiting technical vulnerabilities and human behavior to compromise apps, data, and digital identities. For corporate security managers (CISOs, IT Managers, etc.) as well as product executives (Product Owners and Project Managers), the stakes are very high.

According to The Hacker News, a new Android malware called AntiDot has already compromised more than 3,775 devices in 273 separate campaigns, leveraging malicious overlays, accessibility services, NFC attacks, and virtualized environments to steal sensitive data and banking credentials.

In this article we analyze:

  • the techniques used by the Android malware mentioned above

  • the implications for business security

  • what an organization can (and should) do to avoid becoming the next victim

AntiDot Malware: An “All-Inclusive” Service

Developed by the LARVA-398 cybercriminal group, AntiDot is sold as Malware-as-a-Service (MaaS) on underground forums. It is a modular package that offers three main features:

  • Screen recording by abusing accessibility services

  • SMS interception

  • Data extraction from third-party apps, especially banking and crypto applications

The malware is distributed via:

  • Geo-targeted phishing campaigns

  • Malicious advertising networks (malvertising)

  • Fake apps that masquerade as Google Play updates

Once installed, the malware asks the user to enable accessibility permissions. Immediately after, it dynamically downloads and installs the malicious code in a three-stage chain:

  1. installing an APK with obfuscated classes
  2. asking for permissions through a fake update prompt
  3. loading the malicious code from encrypted files

The attacker then gains remote access to the device and can spy on activity, steal credentials, and control banking apps in real time.

Test the strength of your mobile apps with DSA Pro, Mobisec’s in-depth security testing service.


One of AntiDot’s most powerful weapons is its ability to create overlays that mimic the login screens of legitimate apps. When the user opens a banking or crypto app, the malware intercepts the event and displays a fake login, indistinguishable from the original.

The remote control module is built with MeteorJS, an open-source JavaScript framework that enables real-time communication between servers and clients. The C2 (Command & Control) panel is organized into sections and is elaborate enough to show that AntiDot is not improvised malware but a scalable platform for running a criminal business.

GodFather Malware: Virtualization and Real App Theft

A parallel threat is the GodFather malware, recently analyzed by Zimperium. Unlike classic app-imitating Trojans, GodFather takes a radical approach: it creates a virtual sandbox inside the device and installs a real copy of the banking app in it.

In this isolated environment, the user enters credentials believing they are in the real app, while in reality every action is observed and controlled by the malware.

GodFather also relies on:

  • ZIP manipulation to bypass controls
  • injection of unnecessary permissions into the AndroidManifest to confuse analysis tools
  • session-based installation to bypass Android 13 protections

A particularly worrying aspect is the ability to steal device unlock credentials (pattern, PIN or password), making the malware a dangerously complete tool.
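The manifest tricks attributed to GodFather above, and the accessibility-service abuse described for AntiDot, both leave traces in a decoded AndroidManifest.xml. The script below is an added example for this article, not code from Mobisec or from any named tool: it triages a decoded manifest, flags the permissions behind the capabilities discussed here (overlays, SMS interception, staged installs, NFC, app enumeration), spots duplicated declarations that suggest manifest padding, and lists services bound as accessibility services. It assumes the manifest has already been decoded to plain XML (for example with apktool); the risk mapping, the escalation rule and the sample manifest are constructed for the example.

```python
"""Static triage of a decoded AndroidManifest.xml.

Added example for this article (not Mobisec's or any named tool's code).
It assumes the manifest has already been decoded to plain XML, for example
with apktool; the sample manifest and the risk mapping are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions behind the capabilities described in the article. Which of
# these are "anomalous" depends on what the app legitimately does, so this
# mapping is a starting point for review, not a verdict (assumption).
HIGH_RISK_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows (fake login screens)",
    "android.permission.READ_SMS": "SMS interception (OTP theft)",
    "android.permission.RECEIVE_SMS": "SMS interception (OTP theft)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installing further APKs (staged payloads)",
    "android.permission.QUERY_ALL_PACKAGES": "enumerating installed apps (finding banking apps)",
    "android.permission.NFC": "NFC access (card data relay)",
    "android.permission.READ_CALL_LOG": "call history exfiltration",
    "android.permission.READ_CALENDAR": "calendar exfiltration",
}

# A service bound with this permission, or filtering this action, receives
# accessibility events: that is the hook abused for screen capture.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(xml_text: str) -> dict:
    """Return the findings a reviewer would want from one manifest."""
    root = ET.fromstring(xml_text)

    # Manifest tags are un-namespaced; only the android: attributes carry the namespace.
    requested = [
        elem.get(NAME_ATTR)
        for tag in ("uses-permission", "uses-permission-sdk-23")
        for elem in root.iter(tag)
        if elem.get(NAME_ATTR)
    ]
    flagged = {p: HIGH_RISK_PERMISSIONS[p] for p in requested if p in HIGH_RISK_PERMISSIONS}
    # The same permission declared twice is a crude sign of manifest padding
    # (the "unnecessary permissions" trick attributed to GodFather above).
    duplicates = sorted({p for p in requested if requested.count(p) > 1})

    accessibility_services = []
    for svc in root.iter("service"):
        actions = {a.get(NAME_ATTR) for a in svc.iter("action")}
        if svc.get(PERMISSION_ATTR) == ACCESSIBILITY_BIND or ACCESSIBILITY_ACTION in actions:
            accessibility_services.append(svc.get(NAME_ATTR))

    return {
        "permission_count": len(requested),
        "flagged": flagged,
        "duplicates": duplicates,
        "accessibility_services": accessibility_services,
    }


def needs_manual_review(report: dict) -> bool:
    """Escalation rule (assumption): any accessibility service, or an overlay
    permission combined with an SMS permission, is enough to pull the APK
    for manual analysis."""
    flagged = report["flagged"]
    sms = any(p.endswith("_SMS") for p in flagged)
    overlay = "android.permission.SYSTEM_ALERT_WINDOW" in flagged
    return bool(report["accessibility_services"]) or (sms and overlay)


# Constructed sample: a "system update" app that asks for overlay, SMS and
# install permissions and registers an accessibility service.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <service android:name=".UpdateService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    for perm, reason in report["flagged"].items():
        print(f"FLAG {perm}: {reason}")
    print("duplicates:", report["duplicates"])
    print("accessibility services:", report["accessibility_services"])
    print("manual review:", needs_manual_review(report))
```

On the constructed sample the script flags four of the six requested permissions, reports INTERNET as a duplicate declaration and lists `.UpdateService` as an accessibility service, which is enough for the escalation rule to send the APK to manual review. In practice the risk mapping should be tailored to the app's declared purpose: a loan app has no business receiving SMS, while an authenticator app might.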

If your app handles financial or personal data, you can’t rely on internal testing alone. Request an advanced pentest with DSA Pro and have every vulnerability tested.

SuperCard X Malware: Real-Time NFC Attacks

Another attack front concerns the fraudulent use of NFC technology. The SuperCard X malware, recently detected in Italy, exploits an open-source tool (NFCGate) to:

  • intercept NFC traffic between smartphones and POS terminals

  • steal credit card data

  • send commands to the EMV chip for fraudulent transactions

Distributed via apps disguised as useful tools, SuperCard X is a prime example of how legitimate technology can be exploited. Its spread is supported by Telegram channels and Chinese MaaS platforms.

Malicious Apps on Official Stores: The RapiPlata Case

To make matters worse, even official stores are not immune. The RapiPlata app, a fake loan app, has been downloaded over 150,000 times from Google Play and the Apple App Store. Once installed, the app:

  • extracted SMS, call history, calendar events
  • accessed installed apps and data
  • uploaded everything to remote servers

Another group of apps instead targeted crypto wallets, stealing seed phrases through WebView phishing.

Threats don’t just come from third-party apps: your own app can also become an attack vector. With DSA Pro you can simulate real attack scenarios and fix vulnerabilities before hackers do.

What can companies do?

Malware such as AntiDot, GodFather and SuperCard X represent a new generation of mobile threats, capable of:

  • evading standard controls (including Google Play Protect)
  • exploiting operating system components
  • using advanced techniques such as virtualization
  • stealing data in real time and without obvious signals

For companies, this means adopting a proactive, automated and scalable approach, such as the one Mobisec offers with the DSA Suite and in particular with DSA Pro, which allows you to:

  • simulate real attacks (black box / grey box)
  • identify overlays, anomalous permissions, injections and obfuscated DEXs
  • test the integrity of external libraries
  • evaluate whether the app can be used as a vector for other infections

Every day an app isn’t thoroughly tested is a day it can become the weak link in the chain.

Take the first step: discover DSA Pro and truly protect your mobile applications.
