The zLabs team identified a sophisticated Mishing (mobile-targeted phishing) campaign that delivers malware to the user’s Android mobile device, enabling a broad set of malicious actions including credential theft of banking, cryptocurrency and other critical applications.

The investigation revealed a network of phishing domains actively distributing a new variant of the Antidot banking trojan. This previously unknown strain builds upon the version discovered by Cyble in May of 2024.

The attackers presented themselves as recruiters, luring victims with job offers. As part of their fraudulent hiring process, the phishing campaign tricks victims into downloading a malicious application that acts as a dropper, eventually installing the updated variant of Antidot on the victim’s device, which we call AppLite Banker.

Beyond its ability to mimic enterprise companies, the Banker also masquerades as Chrome and TikTok apps, demonstrating its wide-ranging target vectors, including full device take-over and application access. The level of access provided the attackers could also include corporate credentials, applications and data if the device was used by the user for remote work/access for their existing employer.