AntiDot 3-in-1 Android Botnet Malware Grants Attackers Full Control Over Victim Devices

A new Android botnet malware named AntiDot has emerged as a formidable threat, granting cybercriminals unprecedented control over infected devices.

Operated and sold by LARVA-398 as a Malware-as-a-Service (MaaS) on underground forums like XSS, AntiDot is marketed as a “3-in-1” tool, bundling a loader, packer, and botnet infrastructure into a single devastating package.

This malware’s advanced capabilities, including screen recording via Android accessibility service abuse, SMS interception, and credential theft through overlay attacks, make it a critical concern for users and security professionals alike.

Technical analysis reveals that it currently operates through at least 11 active command-and-control (C2) servers, managing over 3,775 infected devices across 273 distinct campaigns, with distribution tactics tailored to specific languages and geographic regions through malicious advertising networks and phishing.

Multi-Stage Attack Mechanics

AntiDot’s operational sophistication lies in its multi-stage deployment and evasion strategies.

Developed in Java and heavily obfuscated, the malware employs a commercial packer to dodge antivirus detection, dynamically loading malicious code from encrypted files during installation (MITRE T1407).

The initial APK, often disguised as “Update.apk,” mimics a legitimate update process with a dummy loading bar, tricking users into granting the accessibility service permission that later underpins its screen capture and remote control features.

Figure: Fake update/loading bar.

Once permissions are obtained, it unpacks a dex file housing botnet capabilities, enabling real-time communication with C2 servers via WebSocket protocols (MITRE T1071.001).

These servers, not yet flagged by most commercial security solutions, facilitate a range of malicious activities, from screen cloning (MITRE T1546.008), which lets operators view the device and drive it as if they were the user, to overlay attacks (MITRE T1056.003) that place tailored phishing screens over cryptocurrency and payment apps.

Additionally, AntiDot can set itself as the default SMS app (MITRE T1446) to intercept messages and manipulate call functionalities (MITRE T1616), while suppressing notifications (MITRE T1517) to remain undetected.

Its C2 panel, built on MeteorJS, offers operators a real-time interface with detailed victim data, customizable overlays, and commands like “startVnc” or “overlay_pin” for precise control, underscoring the malware’s depth as a remote access tool.
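The behaviours described in this section (runtime loading of a packed dex from an encrypted file, accessibility service abuse, overlay permissions, SMS takeover and the C2 command vocabulary) are all things a defender can look for statically in a suspicious APK. The following Python triage script is an added example, not code from the article or from any vendor analysis: it treats the APK as the ZIP it is, searches `.dex` entries for indicator strings, and flags large high-entropy assets, since a `DexClassLoader` reference next to an encrypted blob is the T1407 pattern the article describes. The indicator lists, the entropy threshold and the two in-memory sample "APKs" are constructed assumptions for the example, not real samples or AntiDot's actual identifiers.

```python
import io
import math
import zipfile

# Indicator strings grouped by the behaviours the article describes.
# These lists are this example's own assumptions, not a published IOC set.
MARKERS = {
    "accessibility": [b"BIND_ACCESSIBILITY_SERVICE", b"AccessibilityService"],
    "overlay": [b"SYSTEM_ALERT_WINDOW", b"TYPE_APPLICATION_OVERLAY"],
    "dynamic_loading": [b"dalvik/system/DexClassLoader",
                        b"dalvik/system/InMemoryDexClassLoader"],
    "sms": [b"RECEIVE_SMS", b"READ_SMS", b"ACTION_CHANGE_DEFAULT"],
    "c2": [b"wss://", b"startVnc", b"overlay_pin", b"gacc"],
}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, lower for code/text."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Scan an APK (a ZIP archive) for indicator strings in .dex entries and for
    large high-entropy assets that could be an encrypted second-stage dex."""
    report = {key: [] for key in MARKERS}
    report["high_entropy_assets"] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            data = apk.read(info.filename)
            if info.filename.endswith(".dex"):
                # DEX string_data is stored as plain MUTF-8, so a raw substring
                # match works unless the sample obfuscates/encrypts its strings.
                for key, markers in MARKERS.items():
                    for marker in markers:
                        if marker in data and marker.decode() not in report[key]:
                            report[key].append(marker.decode())
            elif info.filename.startswith(("assets/", "res/raw/")):
                if len(data) >= min_size and shannon_entropy(data) >= entropy_threshold:
                    report["high_entropy_assets"].append(info.filename)
    # Loader API plus a packed payload is the runtime-dex-loading (T1407) pattern.
    report["likely_runtime_dex_loading"] = bool(
        report["dynamic_loading"] and report["high_entropy_assets"]
    )
    report["score"] = sum(1 for k in MARKERS if report[k]) + int(report["likely_runtime_dex_loading"])
    return report


def build_sample(malicious: bool) -> bytes:
    """Constructed in-memory stand-in for an APK; not a real or captured sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        if malicious:
            dex = b"dex\n035\0" + b"\0".join(m for ms in MARKERS.values() for m in ms)
            payload = bytes(range(256)) * 16   # uniform bytes, entropy 8.0, mimics a ciphertext blob
        else:
            dex = b"dex\n035\0" + b"Landroid/app/Activity;\0Lcom/example/Main;"
            payload = b"A" * 4096              # entropy 0, ordinary data file
        z.writestr("classes.dex", dex)
        z.writestr("assets/data.bin", payload)
        z.writestr("AndroidManifest.xml", b"<manifest/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label in ("benign", "malicious"):
        r = triage_apk(build_sample(label == "malicious"))
        print(label, "score:", r["score"], "runtime dex loading:", r["likely_runtime_dex_loading"], "c2:", r["c2"])
```

On a real sample, run `triage_apk(open("Update.apk", "rb").read())`; a commercial packer will typically hide the marker strings inside the encrypted payload, so a high-entropy asset with few or no indicator hits in `classes.dex` is itself a signal to unpack dynamically rather than a reason to clear the file.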

A Growing Concern with Targeted Campaigns

The targeted nature of AntiDot’s campaigns amplifies its threat level, with over 270 unique identifiers cataloged, often following structured naming patterns like “1206tv04” or themed names indicating specific lures or regions.

Figure: Forum post about the botnet developer's behaviour after selling.

This suggests a highly organized operation, likely focusing on financial apps and Google account theft via predefined commands like “gacc.”

Despite its potency, forum posts on platforms like XSS have criticized LARVA-398 for poor customer support and failure to update the malware for the latest Android versions, hinting at potential operational weaknesses.

However, the sheer scale of active infections and the malware’s ability to harvest logs, monitor applications, and execute WebView injections position it as a significant risk.

Security teams are urged to remain vigilant, monitor for related indicators, and enhance defenses against such evolving mobile threats, as AntiDot exemplifies the dangerous trend of accessible, powerful MaaS offerings in the cybercrime ecosystem.
