# Antidot
Antidot is an Android banking trojan discovered by Cyble in May 2024 that combines overlay attacks, keylogging, and VNC-based remote control over a persistent WebSocket connection to its C2 server. Named after a string found in its source code, the malware masquerades as Google Play update pages rendered in multiple languages to target victims across diverse regions. Its bidirectional WebSocket protocol enables real-time command execution, with 35 distinct commands covering everything from SMS collection and USSD initiation to camera capture and call redirection. In December 2024, Zimperium documented AppLite, a more advanced variant targeting corporate employees through fake job application phishing, expanding the target list to 172 applications across banking, cryptocurrency, and finance. A third variant, PhantomCall, was documented by IBM Trusteer Labs in 2025, adding voice call hijacking to the arsenal.
## Overview
| Attribute | Details |
|---|---|
| First Seen | May 2024 |
| Status | Active, multiple variants in circulation |
| Type | Banking trojan, RAT |
| Aliases | AppLite Banker, PhantomCall |
| Attribution | Unknown |
| Distribution | Fake Google Play update pages, fake job application phishing (AppLite), fake Chrome apps (PhantomCall) |
## Origin and Lineage
Cyble Research and Intelligence Labs (CRIL) first identified Antidot on May 6, 2024, during analysis of a sample masquerading as a Google Play update application. The trojan appeared fully formed with overlay, keylogging, and VNC capabilities, suggesting a period of private development before public distribution began. Custom encryption routines for string obfuscation and gibberish class names indicated deliberate anti-analysis engineering from the start.
By December 2024, Zimperium's zLabs team identified AppLite, a significantly evolved variant built on the original Antidot codebase. AppLite shifted distribution from generic update lures to targeted social engineering: threat actors impersonated HR representatives from legitimate companies, sending phishing emails with fabricated job offers that directed victims to malicious landing pages. The variant expanded the target application list from the original set to 172 applications (95 banking, 62 cryptocurrency, 13 additional financial) and introduced APK format manipulation techniques to evade static analysis tools.
In 2025, IBM Trusteer Labs uncovered PhantomCall, a third variant distributed through fake Chrome application icons. PhantomCall introduced voice call hijacking, automatically rerouting incoming calls to attacker-controlled phone numbers. This capability is designed to intercept fraud alert calls from banks and financial institutions, preventing victims from receiving warnings while the attacker maintains access to their accounts. The campaign targeted users across Spain, Italy, France, the United States, Canada, the UAE, and India.
## Distribution
| Vector | Details |
|---|---|
| Fake Google Play updates | Phishing pages showing localized update prompts in multiple languages |
| Fake job applications (AppLite) | Phishing emails impersonating HR recruiters with links to malicious landing pages |
| Fake Chrome apps (PhantomCall) | Dropper disguised with Google Chrome icon, using WebView to mimic Play Store update flow |
The original Antidot distribution relied on fake Google Play update pages that render in the victim's device language. When a victim visits the phishing page, the malware displays a localized update prompt with a "Continue" button that redirects to Android's Accessibility settings, granting the malware the permissions it needs to operate.
AppLite's distribution is more targeted. Threat actors craft emails posing as recruiters from recognizable companies, offering job opportunities. The phishing page manipulates victims into downloading a dropper application disguised as "EmployeesCRM" or other enterprise tools. The dropper presents a fake login screen, and after account creation, forces the victim to install an "update" on subsequent launches. This update is the AppLite payload. Zimperium noted that the dropper manipulates the ZIP format of APK files and Android Manifest structures to break analysis tool parsers and evade detection.
## Capabilities
### Core Features
| Capability | Implementation |
|---|---|
| Overlay attacks | WebView-based injection screens triggered when targeted apps are opened, verified by package name matching |
| Keylogging | Accessibility service captures keystrokes, exfiltrated as Base64-encoded data with timestamps via "getKeys" command |
| VNC remote control | MediaProjection-based screen streaming with touch simulation, swipe, and recent apps navigation |
| SMS collection | Reads and exfiltrates all SMS messages from the device |
| USSD execution | Initiates USSD requests on the victim's behalf |
| Camera capture | Remotely activates the device camera and takes photographs |
| Screen lock control | Locks and unlocks the device remotely |
| Call redirection (PhantomCall) | Reroutes all incoming calls to attacker-specified phone numbers |
| App icon hiding | Conceals the malware's presence from the device launcher |
### Overlay and Credential Theft
When the malware detects a targeted application being launched, it verifies the package name against its injection list. On a match, it creates an overlay window on top of the legitimate app and loads a phishing page into a WebView. As the victim types credentials into the overlay, each keystroke generates a "ping message" over the WebSocket connection, transmitting Base64-encoded keylog data along with timestamps and the target application name. This dual approach of visual deception and real-time keystroke capture ensures credential theft even if the overlay is only partially convincing.
### Remote Control
Antidot's VNC implementation uses Android's MediaProjection API to stream the device screen to the operator. Through the WebSocket channel, operators can perform taps and swipes at arbitrary coordinates, navigate through apps, and interact with any interface element on the device. The 35-command set covers device manipulation (brightness adjustment, sleep mode, screen lock), information gathering (SMS, contacts, keystroke logs), and interface control (overlay window management, app launching).
### Multi-Language Targeting
The malware displays fake update pages in English, Spanish, French, German, Italian, Portuguese, Russian, and Romanian, indicating broad geographic targeting. AppLite further extended language support to include Czech and Turkish, while PhantomCall campaigns concentrated on Spain, the UAE, Italy, France, the US, Canada, and India.
## Permissions
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Keylogging, overlay injection, UI navigation for VNC |
| SYSTEM_ALERT_WINDOW | Display overlay windows over banking apps |
| READ_SMS | Read SMS messages for OTP theft |
| RECEIVE_SMS | Intercept incoming SMS in real-time |
| SEND_SMS | Send SMS from victim device |
| READ_CONTACTS | Exfiltrate contact list |
| READ_PHONE_STATE | Device fingerprinting, phone number collection |
| CALL_PHONE | USSD execution and call redirection (PhantomCall) |
| CAMERA | Remote camera capture |
| INTERNET | WebSocket and HTTP C2 communication |
| FOREGROUND_SERVICE | Persistent background operation |
| RECEIVE_BOOT_COMPLETED | Restart after device reboot |
| REQUEST_INSTALL_PACKAGES | Install additional payloads |
| WAKE_LOCK | Keep device awake during remote sessions |
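The permission table above is the basis for a quick static triage check. The script below is an added example written for this page, not code from any of the cited vendor reports or from the malware itself. It parses a decoded `AndroidManifest.xml` in the text form a decompiler such as apktool emits (the APK stores it as binary XML) and reports which capability combinations from the table are enabled. The sample manifest, package name and component names are constructed placeholders. Note that `BIND_ACCESSIBILITY_SERVICE` is not requested as a `<uses-permission>`; it is declared on the `<service>` element, so a check that only reads `<uses-permission>` misses it.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERM_PREFIX = "android.permission."

# Constructed decoded manifest for illustration; the package, label and component
# names are placeholders and do not come from a real Antidot sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Play Update">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def manifest_facts(xml_text: str) -> dict:
    """Extract the facts the triage rules need from a decoded manifest."""
    root = ET.fromstring(xml_text)
    raw = {e.get(ANDROID_NS + "name", "") for e in root.iter("uses-permission")}
    perms = {p[len(PERM_PREFIX):] if p.startswith(PERM_PREFIX) else p for p in raw}
    # Accessibility access is granted to a service that declares this permission
    # attribute, not via <uses-permission>, so look at <service> elements.
    accessibility = any(
        svc.get(ANDROID_NS + "permission") == PERM_PREFIX + "BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service")
    )
    boot = any(
        a.get(ANDROID_NS + "name") == "android.intent.action.BOOT_COMPLETED"
        for a in root.iter("action")
    )
    return {
        "package": root.get("package"),
        "permissions": perms,
        "accessibility_service": accessibility,
        "boot_receiver": boot,
    }


def assess(facts: dict) -> list:
    """Name the capability combinations from the permission table that the manifest enables."""
    p = facts["permissions"]
    hits = []
    if facts["accessibility_service"] and "SYSTEM_ALERT_WINDOW" in p:
        hits.append("overlay+accessibility (credential overlays and keylogging)")
    if p & {"READ_SMS", "RECEIVE_SMS"}:
        hits.append("sms_access (OTP interception)")
    if "CALL_PHONE" in p:
        hits.append("call_control (USSD execution or call redirection)")
    if "REQUEST_INSTALL_PACKAGES" in p:
        hits.append("dropper (can install further payloads)")
    if facts["boot_receiver"] and "FOREGROUND_SERVICE" in p:
        hits.append("persistence (boot receiver plus foreground service)")
    return hits


if __name__ == "__main__":
    facts = manifest_facts(SAMPLE_MANIFEST)
    print(facts["package"], sorted(facts["permissions"]))
    for hit in assess(facts):
        print("-", hit)
```

Run it against the manifest of any suspicious "update" app after decoding with apktool; a legitimate utility rarely needs the overlay-plus-accessibility pair together with SMS access, which is the combination worth escalating.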
## Technical Details
### C2 Communication
Antidot initiates contact with its C2 server through an HTTP request, then upgrades to a WebSocket connection using the socket.io library for persistent, bidirectional communication. Client messages ("ping") carry Base64-encoded stolen data, while server responses ("pong") deliver plaintext commands. This persistent connection enables real-time command execution and continuous data exfiltration without the latency of polling-based approaches.
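For an analyst holding a proxy or sandbox log of this channel, the useful first step is to split the socket.io event frames into device-to-C2 "ping" records and C2-to-device "pong" commands and decode the Base64 payloads. The script below is an added example for this page, not code from the original analyses. It assumes standard socket.io framing, where an event frame is the prefix `42` (Engine.IO message packet, Socket.IO event packet) followed by a JSON array of event name and payload. The JSON field names (`type`, `app`, `ts`, `data`), the `lock` command string and the sample values are constructed for illustration and are not Antidot's documented schema.

```python
import base64
import binascii
import json

# Constructed sample frames as a TLS-intercepting proxy might log them on the
# device<->C2 WebSocket. "42" is socket.io's event framing (Engine.IO type 4 +
# Socket.IO type 2) followed by a JSON array. The field names and the "lock"
# command are assumptions for illustration, not the malware's real schema.
SAMPLE_FRAMES = [
    '42["ping",{"type":"keys","app":"com.example.bank","ts":1715000000,"data":"cGFzc3dvcmQxMjM="}]',
    '42["pong","lock"]',
    '42["ping",{"type":"sms","ts":1715000050,"data":"WW91ciBjb2RlIGlzIDQ4MjkxMQ=="}]',
    "2",  # Engine.IO heartbeat, carries no application data
    '42["ping",{"type":"keys","app":"com.example.bank","data":"not-base64!!"}]',
]


def parse_event_frame(frame: str):
    """Return (event_name, payload) for a socket.io event frame, or None for
    heartbeats, connect/disconnect packets and anything that is not valid JSON."""
    if not frame.startswith("42"):
        return None
    try:
        packet = json.loads(frame[2:])
    except json.JSONDecodeError:
        return None
    if not isinstance(packet, list) or not packet or not isinstance(packet[0], str):
        return None
    return packet[0], (packet[1] if len(packet) > 1 else None)


def decode_base64_field(value):
    """Strictly decode a Base64 string; return None when it is not valid Base64
    so a malformed field is reported rather than silently mis-decoded."""
    if not isinstance(value, str):
        return None
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage_frames(frames):
    """Split a frame log into device->C2 exfiltration records and C2->device commands."""
    records = []
    for frame in frames:
        parsed = parse_event_frame(frame)
        if parsed is None:
            continue
        event, payload = parsed
        if event == "pong":
            # Server commands travel in plaintext, so keep the payload as-is.
            records.append({"direction": "c2->device", "command": payload})
        elif event == "ping" and isinstance(payload, dict):
            records.append({
                "direction": "device->c2",
                "kind": payload.get("type"),
                "app": payload.get("app"),
                "timestamp": payload.get("ts"),
                "decoded": decode_base64_field(payload.get("data")),
            })
    return records


def summarize(records):
    """Count exfiltrated record kinds and list received commands."""
    summary = {"commands": [], "exfil_kinds": {}}
    for rec in records:
        if rec["direction"] == "c2->device":
            summary["commands"].append(rec["command"])
        else:
            kind = rec["kind"] or "unknown"
            summary["exfil_kinds"][kind] = summary["exfil_kinds"].get(kind, 0) + 1
    return summary


if __name__ == "__main__":
    recs = triage_frames(SAMPLE_FRAMES)
    for rec in recs:
        print(rec)
    print(summarize(recs))
```

The strict `validate=True` decode matters: lenient Base64 decoding drops unknown characters and can turn a corrupted or deliberately padded field into plausible-looking bytes, which misleads the timeline an analyst builds from the keylog timestamps.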
### Anti-Analysis Techniques
The original Antidot employs custom string encryption and obfuscation with gibberish class names to hinder static analysis. AppLite takes evasion further by manipulating the ZIP file format of its APK and altering Android Manifest structures, causing standard analysis tools and parsers to fail when processing the file. These manipulations allow the malware to pass through automated security scanning while remaining functional on target devices.
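APK-format manipulation works because Android's installer and most analysis tools read the ZIP container differently: a tool that trusts the central directory and one that walks the local file headers can disagree about what the archive contains. The check below is an added example written for this page, not code from Zimperium or from the malware. It opens an APK with Python's `zipfile`, which reads the central directory, then re-reads every entry's local file header by hand and reports inconsistencies that a lenient parser would skip over: mismatched names, compression methods, CRCs or sizes, and duplicate central-directory entries. The sample "APK" it builds is a constructed minimal archive with placeholder contents; the specific tampering it applies is an illustration of the class of manipulation, not a reproduction of AppLite's exact technique.

```python
import io
import struct
import warnings
import zipfile

LOCAL_SIG = b"PK\x03\x04"
# Local file header: sig, version, flags, method, mtime, mdate, crc32, csize, usize, name_len, extra_len
LOCAL_FMT = "<4sHHHHHIIIHH"
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes


def check_apk_zip(data: bytes) -> list:
    """Compare every central-directory entry with the local header it points to
    and return a list of human-readable findings (empty means consistent)."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"central directory unreadable: {exc}"]
    findings = []
    names = [info.filename for info in zf.infolist()]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append(f"duplicate central-directory entry: {name}")
    if "AndroidManifest.xml" not in names:
        findings.append("AndroidManifest.xml missing from central directory")
    for info in zf.infolist():
        off = info.header_offset
        hdr = data[off:off + LOCAL_LEN]
        if len(hdr) < LOCAL_LEN or not hdr.startswith(LOCAL_SIG):
            findings.append(f"{info.filename}: no local header at offset {off}")
            continue
        _, _, flags, method, _, _, crc, csize, usize, nlen, _ = struct.unpack(LOCAL_FMT, hdr)
        local_name = data[off + LOCAL_LEN:off + LOCAL_LEN + nlen]
        if local_name != info.filename.encode("utf-8"):
            findings.append(f"{info.filename}: local header names {local_name!r}")
        if method != info.compress_type:
            findings.append(f"{info.filename}: compression method differs between headers")
        # Flag bit 3 defers CRC and sizes to a trailing data descriptor; compare only when unset.
        if not flags & 0x0008 and (crc, csize, usize) != (info.CRC, info.compress_size, info.file_size):
            findings.append(f"{info.filename}: CRC or size differs between headers")
    return findings


def build_sample_apk(duplicate_manifest: bool = False) -> bytes:
    """Constructed minimal APK-like archive with placeholder contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        if duplicate_manifest:
            # zipfile warns but still writes a second entry with the same name,
            # which is exactly the ambiguity a parser-confusion trick relies on.
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")
                zf.writestr("AndroidManifest.xml", b"<manifest package='x'/>")
    return buf.getvalue()


def tamper_local_name(apk: bytes) -> bytes:
    """Illustrative tampering: rename the manifest in its local header only.
    Local headers precede the central directory, so the first match is the local one."""
    old, new = b"AndroidManifest.xml", b"AndroidManifest.xm_"
    idx = apk.find(old)
    return apk[:idx] + new + apk[idx + len(old):]


if __name__ == "__main__":
    print("clean:", check_apk_zip(build_sample_apk()))
    print("renamed local header:", check_apk_zip(tamper_local_name(build_sample_apk())))
    print("duplicate manifest:", check_apk_zip(build_sample_apk(duplicate_manifest=True)))
    print("garbage:", check_apk_zip(b"not a zip"))
```

Any non-empty result is a reason to treat the file as hostile to parsers rather than simply malformed: a build toolchain does not produce archives whose two header sets disagree, so the disagreement itself is the indicator, whichever header a given tool ends up trusting.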
### C2 Infrastructure
| Component | Details |
|---|---|
| Initial handshake | HTTP GET request with device fingerprint |
| Persistent channel | WebSocket via socket.io library for bidirectional communication |
| Client messages | "ping" events carrying Base64-encoded stolen data |
| Server messages | "pong" events delivering plaintext commands |
| Command set | 35 distinct commands covering device manipulation, data collection, and overlay management |
| Encryption | Custom encryption routines for string obfuscation; Base64 encoding for data in transit |
## Evolution
| Variant | Period | Key Changes |
|---|---|---|
| Antidot (original) | May 2024 | 35 commands, WebSocket C2, multi-language fake update lures, keylogging + VNC + overlays |
| AppLite | December 2024 | Enterprise-targeted distribution via fake job phishing, 172 app targets (95 banking, 62 crypto, 13 finance), APK format manipulation for evasion |
| PhantomCall | 2025 | Voice call hijacking to intercept bank fraud alerts, fake Chrome app distribution, global campaign expansion |
## Target Regions
| Variant | Primary Targets |
|---|---|
| Antidot (original) | Europe broadly, with localized lures for German, French, Spanish, Russian, Portuguese, Romanian, and English speakers |
| AppLite | Corporate employees globally, with phishing campaigns in English |
| PhantomCall | Spain, UAE, Italy, France, US, Canada, India |
## Notable Campaigns
May 2024: Cyble disclosed Antidot after identifying samples disguised as Google Play update applications. Analysis revealed 35 distinct commands, WebSocket-based C2 communication, and multi-language fake update pages targeting users across European and Russian-speaking regions.
December 2024: Zimperium published findings on AppLite, an Antidot variant distributed through fake job recruitment phishing. The campaign targeted corporate mobile devices with a dropper disguised as enterprise software, delivering a banking trojan capable of targeting 172 financial applications. The shift to employment-themed social engineering marked a deliberate pivot toward enterprise environments.
2025: IBM Trusteer Labs revealed PhantomCall, an Antidot variant adding call hijacking capabilities. Distributed as fake Chrome applications, PhantomCall rerouted incoming voice calls to attacker-controlled numbers, enabling interception of bank fraud alerts. The campaign demonstrated aggressive global distribution across Europe, North America, the Middle East, and Asia.
## Related Families
| Family | Relationship |
|---|---|
| Vultur | Both use VNC-based remote control via MediaProjection for real-time device access, though Vultur pioneered this approach using AlphaVNC while Antidot implements it over WebSocket. |
| Hook | Both combine overlay attacks with VNC-like screen streaming, representing the convergence of banking trojan and RAT capabilities in modern Android malware. |
| Brokewell | Both feature rapid development cycles with frequent new capabilities, and both combine data-stealing with remote control. |
| FakeCalls | PhantomCall's call hijacking technique parallels FakeCalls' approach of intercepting and manipulating voice calls to banks. |
## Detection
| Indicator Type | Details |
|---|---|
| WebSocket C2 | Persistent socket.io WebSocket connections from a utility/update app |
| Fake update UI | WebView rendering Google Play update page with localized language |
| Custom encryption | Non-standard string encryption patterns in APK classes |
| APK manipulation | Malformed ZIP headers or Android Manifest structures (AppLite) |
| MediaProjection abuse | App requesting screen capture permission without legitimate screen-sharing functionality |
| Call forwarding changes | Unexpected CallRedirectionService registration (PhantomCall) |