Extensive capabilities of Google Play update-masquerading Antidot trojan examined

Threat actors have been distributing the novel Antidot Android banking trojan disguised as Google Play updates in order to steal credentials and carry out other malicious actions, SecurityWeek reports.

Intrusions begin with a fake Google Play update page tailored to the device's language. The malware then attempts privilege escalation before moving on to overlay attacks, device unlocking, app uninstallation, data exfiltration, SMS message delivery, Virtual Network Computing (VNC) operations, and photo capturing, according to a report from Cyble.

Through its VNC capability, the trojan also lets attackers open notifications and dialogues, perform swipe gestures, and interact with clipboard content, the researchers said. They further noted that the trojan's overlay attack module uses WebView to display HTML phishing pages that spoof banking and cryptocurrency apps.

"[Antidot's] utilization of string obfuscation, encryption, and strategic deployment of fake update pages demonstrate a targeted approach aimed at evading detection and maximizing its reach across diverse language-speaking regions," said Cyble.
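The overlay and VNC behaviour described above depends on capabilities a defender can enumerate over adb. The script below is an added example, not code from Cyble, SecurityWeek or the Antidot analysis: it parses the output of `settings get secure enabled_accessibility_services`, `pm list packages -3` and `dumpsys package <pkg>` and flags third-party packages that either run an enabled accessibility service or hold SYSTEM_ALERT_WINDOW (the permission an app needs to draw over other apps). The allowlists, the package names in the sample output, and the assumption that an accessibility service is the trojan's privilege-escalation route are all assumptions made for the example; the adb output is constructed, not captured from a real infection.

```python
"""Triage adb output for overlay and accessibility abuse on an Android device.

Added example for this page; not code from Cyble or SC Media. Assumptions:
overlays require android.permission.SYSTEM_ALERT_WINDOW, and banking trojans
commonly act through an enabled accessibility service. The sample outputs and
package names below are constructed placeholders.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Packages the device owner expects to hold these capabilities (assumed allowlist).
EXPECTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}
EXPECTED_OVERLAY_PACKAGES = {"com.android.systemui"}


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)


def parse_enabled_a11y_services(settings_output: str) -> dict:
    """Parse `adb shell settings get secure enabled_accessibility_services`.

    The value is a colon-separated list of `package/service` entries; `null`
    or an empty string means no service is enabled.
    """
    value = settings_output.strip()
    if not value or value == "null":
        return {}
    services = {}
    for entry in value.split(":"):
        pkg, _, svc = entry.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(svc or entry)
    return services


PERM_LINE = re.compile(
    r"^\s*android\.permission\.SYSTEM_ALERT_WINDOW:\s*granted=(true|false)", re.M
)


def overlay_granted(dumpsys_package_output: str) -> bool:
    """True if `adb shell dumpsys package <pkg>` shows SYSTEM_ALERT_WINDOW granted."""
    m = PERM_LINE.search(dumpsys_package_output)
    return bool(m) and m.group(1) == "true"


def parse_third_party_packages(pm_output: str) -> list:
    """Parse `adb shell pm list packages -3` (lines of the form `package:<name>`)."""
    return [line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def triage(a11y_settings: str, third_party: str, dumpsys_by_pkg: dict) -> list:
    """Return one Finding per suspicious package, each with the reasons it was flagged."""
    findings = {}
    for pkg, svcs in parse_enabled_a11y_services(a11y_settings).items():
        if pkg not in EXPECTED_A11Y_PACKAGES:
            findings.setdefault(pkg, Finding(pkg)).reasons.append(
                "accessibility service enabled: " + ", ".join(svcs))
    for pkg in parse_third_party_packages(third_party):
        if pkg in EXPECTED_OVERLAY_PACKAGES:
            continue
        if overlay_granted(dumpsys_by_pkg.get(pkg, "")):
            findings.setdefault(pkg, Finding(pkg)).reasons.append(
                "SYSTEM_ALERT_WINDOW granted (can draw overlays over other apps)")
    return sorted(findings.values(), key=lambda f: f.package)


# Constructed sample output, as if captured from a device running a fake-update dropper.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.example.fakeupdate/com.example.fakeupdate.UpdateService")
SAMPLE_PM = "package:com.example.fakeupdate\npackage:com.example.notes\n"
SAMPLE_DUMPSYS = {
    "com.example.fakeupdate": ("  install permissions:\n"
                               "    android.permission.SYSTEM_ALERT_WINDOW: granted=true\n"
                               "    android.permission.INTERNET: granted=true\n"),
    "com.example.notes": "  install permissions:\n    android.permission.INTERNET: granted=true\n",
}


def adb_shell(cmd: str) -> str:
    """Run a command on the attached device (only used when adb and a device exist)."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    try:
        a11y = adb_shell("settings get secure enabled_accessibility_services")
        pm = adb_shell("pm list packages -3")
        dumps = {p: adb_shell("dumpsys package " + p) for p in parse_third_party_packages(pm)}
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No device attached: fall back to the constructed sample so the script still runs.
        a11y, pm, dumps = SAMPLE_A11Y, SAMPLE_PM, SAMPLE_DUMPSYS
    for finding in triage(a11y, pm, dumps):
        print(finding.package)
        for reason in finding.reasons:
            print("  -", reason)
```

On the constructed sample, only `com.example.fakeupdate` is flagged, for both reasons; the allowlisted TalkBack service and the package with only INTERNET are ignored. A package hit on both checks is the combination an overlay-plus-remote-control trojan needs, so it is the one to pull for analysis first.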