
The Swiss cybersecurity firm PRODAFT has unveiled detailed findings regarding a widespread malicious campaign involving an Android trojan known as AntiDot. According to the experts, this malware has already infected over 3,775 devices across 273 separate attacks and is actively deployed in schemes designed to steal personal and financial information.
Behind the development and dissemination of AntiDot is the threat group designated LARVA-398, driven primarily by financial motives. The malware is distributed via a “malware-as-a-service” (MaaS) model through underground online forums and is employed in attacks that target specific countries and linguistic communities. Propagation occurs through malicious advertising networks and highly tailored phishing campaigns.
AntiDot is marketed as a versatile surveillance tool. It can record the device’s screen, intercept SMS messages, and extract data from third-party applications. The trojan is based on a Java program obfuscated using a commercial packer, which complicates detection and reverse engineering. The malicious payload is unpacked in three stages, beginning with an APK file that is installed on the target device.

A distinguishing feature of AntiDot is its abuse of the Android MediaProjection API and Accessibility Services, which grants attackers the ability to monitor the screen, perform keylogging, remotely control the device, and observe user behavior in real time. During installation, the malware requests accessibility permissions and deploys a malicious DEX file that contains the botnet’s core logic.
When a victim launches cryptocurrency or payment-related applications, AntiDot replaces legitimate screens with fake login pages fetched from its command-and-control (C2) server. This overlay technique is employed to steal login credentials. Additionally, the trojan sets itself as the default SMS app, intercepting inbound and outbound messages, tracking calls, and redirecting or blocking them based on predefined rules.
Moreover, AntiDot monitors system notifications, deleting or concealing alerts that might arouse suspicion. All infected devices are managed through a C2 panel developed on the MeteorJS framework. The panel features modules for analyzing installed apps, configuring attack parameters, viewing infected devices, managing network connections, and even includes a built-in help section.
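A defender-side check suggested by the capabilities described above (accessibility control, overlay login pages, default-SMS takeover and notification suppression), added here as an example and not taken from PRODAFT's report: a manifest triage script that flags the combination of those declarations in an AndroidManifest.xml. The permission and intent-action names are real Android identifiers; the sample manifest and the scoring rule are constructed for illustration.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Plain permission markers: overlay windows (fake login pages), SMS access and the
# Android 14+ foreground-service type that a MediaProjection screen capture needs.
PERMISSION_MARKERS = {
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",
    "sms_read": "android.permission.READ_SMS",
    "screen_capture": "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",
}
# Component markers (tag, binding permission, intent action) an app must declare
# to run as an accessibility service, notification listener or default SMS handler.
COMPONENT_MARKERS = {
    "accessibility_service": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE",
                              "android.accessibilityservice.AccessibilityService"),
    "notification_listener": ("service", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
                              "android.service.notification.NotificationListenerService"),
    "sms_handler": ("receiver", "android.permission.BROADCAST_SMS",
                    "android.provider.Telephony.SMS_DELIVER"),
}

def _declares(component, permission, action):
    if component.get(ANDROID_NS + "permission") != permission:
        return False
    return any(a.get(ANDROID_NS + "name") == action for a in component.iter("action"))

def triage_manifest(xml_text):
    """Return the set of capability markers found in an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    declared = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    found = {label for label, perm in PERMISSION_MARKERS.items() if perm in declared}
    for label, (tag, perm, action) in COMPONENT_MARKERS.items():
        if any(_declares(c, perm, action) for c in root.iter(tag)):
            found.add(label)
    return found

def is_banker_like(found):
    # No single marker is proof; the combination the article describes is
    # accessibility control plus overlays plus SMS or notification interception.
    intercepts = bool({"sms_handler", "sms_read", "notification_listener"} & found)
    return {"accessibility_service", "overlay"} <= found and intercepts

# Constructed sample manifest for illustration, not taken from any real sample.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<application><service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
<intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter></service>
<receiver android:name=".Rx" android:permission="android.permission.BROADCAST_SMS">
<intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter></receiver>
</application></manifest>"""
```

Legitimate SMS clients and accessibility tools will trip individual markers, so the combined rule is a triage hint for manual review, not a verdict.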
The platform demonstrates a high degree of adaptability and is clearly designed for financial exploitation through persistent control of mobile devices—particularly in regions with localized language preferences. Notably, AntiDot leverages WebView injections and mimics interfaces of legitimate banking and payment applications, making it especially dangerous to users’ privacy.