Global Android Attack? AntiDot and GodFather Malware Spreading Fast

The420.in Staff

A new wave of sophisticated Android malware has hit thousands of devices globally. Researchers have uncovered multiple mobile threats including AntiDot, GodFather, and SuperCard X that are hijacking devices using overlay attacks, virtualization fraud, and even NFC relay theft.

AntiDot Malware Compromises 3,775 Devices Across 273 Campaigns

Swiss cybersecurity firm PRODAFT has linked the AntiDot malware to a threat actor called LARVA-398, who sells it as Malware-as-a-Service (MaaS) on underground forums.

AntiDot reaches devices through phishing and malicious ads. Once installed, it abuses Android's accessibility services to read screen content and capture login credentials, uses a WebSocket channel for real-time remote control, intercepts SMS messages, logs keystrokes, and overlays fake login screens on cryptocurrency and payment apps.

The malware is delivered in three stages. The user first installs a malicious APK; its packed payload then loads hidden classes at installation time; and once active, AntiDot requests its permissions and loads a further DEX file that contains the botnet logic.


From there it poses as a Google Play update, displays fake login screens when targeted apps are opened, registers itself as the default SMS app to read messages, monitors, blocks, or redirects phone calls, and hides warning notifications to avoid detection.

Researchers say the C2 infrastructure is built using MeteorJS and includes tabs to manage bots, injects, analytics, and fake overlays.

GodFather Malware Evolves with Virtualization-Based Fraud

Meanwhile, Zimperium zLabs has detailed a new variant of the GodFather Android banking trojan, which now uses on-device virtualization.

Instead of showing a fake screen, GodFather:

  • Installs a malicious host app with a virtualization engine
  • Launches real banking apps inside a sandboxed clone
  • Monitors user activity and steals login data in real-time

This tactic sidesteps the Android 13 restriction that blocks sideloaded apps from enabling accessibility services: the dropper uses session-based package installation, the same installation path that app stores and many other app delivery channels use, so the operating system does not treat the app as sideloaded.

Notably, the malware:

  • Targets Turkish financial institutions for now
  • Steals device lock credentials (PIN, pattern, or password)
  • Uses ZIP manipulation and bloated AndroidManifest files to avoid detection
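The two evasion tricks above leave traces that can be checked without installing the app. The following APK triage script is an added example, not code from the article, PRODAFT or Zimperium; it flags an oversized AndroidManifest.xml, duplicate ZIP entries (the installer and an analysis tool may pick different copies), non-standard compression methods and encrypted entries. The bloat threshold and the in-memory sample APKs are constructed for this demonstration and should be tuned against your own app corpus.

```python
"""APK structural triage for manifest bloat and ZIP header tricks.

Added example, not from the article or any vendor report. Threshold and
sample APKs are assumptions constructed here.
"""
import io
import warnings
import zipfile

# Real manifests are a few KB to a few hundred KB of binary XML; anything
# above this is treated as padding meant to exhaust analysis tools.
# Threshold is an assumption for this example.
MANIFEST_BLOAT_BYTES = 1_000_000
# Android installs only STORED and DEFLATED entries; anything else in the
# central directory is a tampered or tool-confusing header.
EXPECTED_METHODS = {zipfile.ZIP_STORED, zipfile.ZIP_DEFLATED}


def triage_apk(data: bytes) -> list[str]:
    """Return findings for an APK supplied as raw bytes (empty list = clean)."""
    findings: list[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a parsable ZIP: {exc}"]

    seen: set[str] = set()
    for info in zf.infolist():
        # Duplicate names: the file the OS runs may not be the one reviewed.
        if info.filename in seen:
            findings.append(f"duplicate entry: {info.filename}")
        seen.add(info.filename)
        if info.compress_type not in EXPECTED_METHODS:
            findings.append(
                f"unusual compression method {info.compress_type}: {info.filename}"
            )
        # Bit 0 of the general-purpose flags marks a traditionally encrypted entry.
        if info.flag_bits & 0x1:
            findings.append(f"encrypted entry: {info.filename}")

    if "AndroidManifest.xml" not in seen:
        findings.append("missing AndroidManifest.xml")
    else:
        manifest = zf.getinfo("AndroidManifest.xml")
        # Check the uncompressed size: zero padding deflates to almost
        # nothing, but every parser must inflate the whole thing.
        if manifest.file_size > MANIFEST_BLOAT_BYTES:
            findings.append(
                f"bloated manifest: {manifest.file_size} bytes uncompressed"
            )
    return findings


def build_sample_apk(*, bloat: bool, duplicate_dex: bool) -> bytes:
    """Constructed sample: a ZIP shaped like an APK, not an installable app."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        padding = 1_500_000 if bloat else 2_000
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * padding)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        if duplicate_dex:
            with warnings.catch_warnings():
                warnings.simplefilter("ignore")  # zipfile warns on duplicate names
                zf.writestr("classes.dex", b"dex\n035\x00" + b"\x01" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("benign", build_sample_apk(bloat=False, duplicate_dex=False)),
        ("suspect", build_sample_apk(bloat=True, duplicate_dex=True)),
    )
    for label, apk in samples:
        print(label, triage_apk(apk) or ["no findings"])
```

Run it against a real APK with `triage_apk(open("app.apk", "rb").read())`; a hit is a reason to look closer, not proof of malice, since some legitimate build pipelines also produce odd archives.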

SuperCard X Malware Steals NFC Payment Data in Russia


In a separate campaign, Russian firm F6 reports that a new Android malware named SuperCard X is now targeting NFC-based transactions in Russia.

Key capabilities include:

  • Intercepting NFC traffic
  • Relaying bank card data to attacker devices
  • Conducting fraudulent ATM withdrawals and PoS payments

The malware builds on NFCGate, an open-source NFC research tool, and has previously been spotted in attacks on users in Italy and the Czech Republic. It is now being distributed via Telegram-based MaaS platforms.

Fake Loan and Crypto Apps Found on Official App Stores

In addition to sideloaded APKs, researchers have discovered malicious apps like RapiPlata and fake crypto wallets on both Google Play and Apple’s App Store.

  • RapiPlata was downloaded over 150,000 times and posed as a loan app targeting Colombian users.
  • It harvested SMS, call logs, calendars, and app lists, and even extorted users post-installation.
  • Fake crypto wallet apps served phishing pages via WebView to collect seed phrases and drain wallets.
  • Although these apps have been removed, they may still circulate via third-party Android stores.

How to Stay Safe

Experts urge Android users to take the following precautions:

  • Never sideload APKs from unknown sources
  • Disable accessibility permissions for untrusted apps
  • Use updated anti-malware software
  • Review installed apps regularly
  • Avoid downloading financial apps from ads or unofficial links
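Two of those checks, which apps hold accessibility access and how each app got onto the device, can be reviewed from a workstation with adb. The script below is an added example, not from the article or any vendor: it parses the output of `adb shell pm list packages -i` (which reports each package's installer) and `adb shell settings get secure enabled_accessibility_services`, and flags any accessibility-enabled package that did not come from an installer you trust. The trusted-installer set and the sample command output, including its package names, are constructed for this example.

```python
"""Flag accessibility-enabled apps that were not installed by a trusted store.

Added example, not from the article or any vendor. Parses output of:
    adb shell pm list packages -i
    adb shell settings get secure enabled_accessibility_services
Sample output below is constructed; its package names are made up.
"""
import re

# Installers you consider trustworthy. Assumption for this example; add your
# MDM or OEM store. "null" is what pm prints for adb and unknown installs.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(pm_output: str) -> dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    installers: dict[str, str] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        match = re.search(r"installer=(\S+)", rest)
        installers[pkg] = match.group(1) if match else "null"
    return installers


def parse_accessibility_services(setting_value: str) -> list[str]:
    """Return package names from the colon-separated pkg/Service setting."""
    value = setting_value.strip()
    if value in ("", "null"):  # settings prints "null" when unset
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def flag_accessibility_risks(pm_output: str, setting_value: str) -> list[str]:
    """Accessibility-enabled packages whose installer is not trusted."""
    installers = parse_installers(pm_output)
    flagged: list[str] = []
    for pkg in parse_accessibility_services(setting_value):
        installer = installers.get(pkg, "not-installed")
        if installer not in TRUSTED_INSTALLERS:
            flagged.append(f"{pkg} (installer={installer})")
    return flagged


# Constructed sample output; "com.example.playupdate" stands in for a dropper
# posing as a Play update that was installed outside the store.
PM_SAMPLE = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.playupdate  installer=null
package:com.example.bankapp  installer=com.android.vending
"""
A11Y_SAMPLE = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.playupdate/com.example.playupdate.OverlayService"
)

if __name__ == "__main__":
    for item in flag_accessibility_risks(PM_SAMPLE, A11Y_SAMPLE):
        print("REVIEW:", item)
```

A flagged entry is a starting point for review, not a verdict: legitimate screen readers and automation tools from outside the store will also appear here, so confirm what the package is before revoking its access or uninstalling it.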

About the author – Ayush Chaurasia is a postgraduate student passionate about cybersecurity, threat hunting, and global affairs. He explores the intersection of technology, psychology, national security, and geopolitics through insightful writing.
