New AppLite Malware Targets Banking Apps in Phishing Campaign
A sophisticated phishing campaign distributing a newly identified malware variant called AppLite Banker has been uncovered.
Security researchers from Zimperium’s zLabs identified the malware as an updated version of the Antidot banking Trojan.
The campaign, which primarily targets Android devices, employs advanced social engineering techniques to steal credentials and compromise devices used for both personal and corporate purposes.
Key Tactics Used in the Campaign
“This latest mobile-targeted phishing campaign represents a sophisticated evolution of techniques first seen in Operation Dream Job, now adapted for the mobile era,” commented Stephen Kowski, field CTO at SlashNext.
“While the original Operation Dream Job used LinkedIn messages and malicious attachments to target job seekers in the defense and aerospace sectors, today’s attacks have expanded to exploit mobile vulnerabilities through fraudulent job application pages and banking Trojans.”
In fact, the AppLite Banker attackers pose as recruiters or HR representatives from well-known companies to deceive victims. Phishing emails designed to mimic legitimate job offers direct users to fake landing pages. These sites then trick users into downloading a fraudulent CRM application, which serves as a dropper to install the AppLite malware.
Once installed, the malware enables a range of malicious activities:
- Credential theft targeting banking, cryptocurrency and financial apps
- Abuse of Android Accessibility Services to draw screen overlays and to grant itself further permissions
- Remote control of the device via Virtual Network Computing (VNC)
- Use of deceptive overlays to harvest user credentials
Zimperium researchers found that the malware targets 172 applications, including financial platforms and crypto wallets, and employs advanced tools to manipulate device functionality and intercept sensitive information.
To evade detection, AppLite manipulates the structure of its APK, which is itself a ZIP archive, to confuse analysis tools, and embeds malicious scripts in the HTML overlays it serves. As a result, many conventional static-analysis tools fail to unpack or inspect the sample correctly.
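As an added illustration of the point above (not code from the original article or from Zimperium), the following Python script cross-checks an APK's ZIP central directory against its local file headers. An APK is a ZIP archive, and an installer and an analysis tool may trust different parts of it; where the two structures disagree, the sample deserves manual triage. The archive the script builds is constructed test data, and the specific manipulation it applies, an invalid compression method written into one local header, is an assumption chosen for illustration, not a description of what AppLite does.

```python
"""Cross-check a ZIP/APK's central directory against its local file headers.

Added example; the archive is constructed test data and the tampering is an
assumed, illustrative manipulation rather than AppLite's actual technique.
"""
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"
CENTRAL_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
# Android's zip handling (libziparchive) accepts only stored (0) and deflate (8).
ALLOWED_METHODS = {0, 8}


def central_entries(data):
    """Parse the central directory: returns [(name, method, local_offset), ...]."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, count, _cd_size, cd_off, _ = struct.unpack_from("<HHHHIIH", data, eocd + 4)
    entries, pos = [], cd_off
    for _ in range(count):
        if data[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory signature at %d" % pos)
        (_, _, _, method, _, _, _, _, _, name_len, extra_len, comment_len,
         _, _, _, local_off) = struct.unpack_from("<HHHHHHIIIHHHHHII", data, pos + 4)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        entries.append((name, method, local_off))
        pos += 46 + name_len + extra_len + comment_len
    return entries


def local_header(data, offset):
    """Parse the local file header at offset: returns (name, method)."""
    if data[offset:offset + 4] != LOCAL_SIG:
        raise ValueError("no local header at %d" % offset)
    _, _, method, _, _, _, _, _, name_len, _ = struct.unpack_from("<HHHHHIIIHH", data, offset + 4)
    name = data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")
    return name, method


def check_archive(data):
    """Return a list of findings; an empty list means both structures agree."""
    findings, seen = [], set()
    for name, cd_method, off in central_entries(data):
        if name in seen:  # two entries with one name: tools may pick different copies
            findings.append("duplicate entry name: %s" % name)
        seen.add(name)
        try:
            lh_name, lh_method = local_header(data, off)
        except ValueError as err:
            findings.append("%s: %s" % (name, err))
            continue
        if lh_name != name:
            findings.append("name mismatch: central %r vs local %r" % (name, lh_name))
        if lh_method != cd_method:
            findings.append("method mismatch for %s: central %d vs local %d"
                            % (name, cd_method, lh_method))
        for where, method in (("central", cd_method), ("local", lh_method)):
            if method not in ALLOWED_METHODS:
                findings.append("unsupported method %d in %s header of %s" % (method, where, name))
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: two placeholder entries, no real code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\0" + b"\0" * 64)
    return buf.getvalue()


def tamper_local_method(data, name, new_method):
    """Overwrite one local header's compression method; the central directory is untouched."""
    for entry_name, _, off in central_entries(data):
        if entry_name == name:
            return data[:off + 8] + struct.pack("<H", new_method) + data[off + 10:]
    raise KeyError(name)


def extract_via_central_directory(data, name):
    """What a reader that trusts the central directory (Python's zipfile) sees."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.read(name)


if __name__ == "__main__":
    clean = build_sample_apk()
    bad = tamper_local_method(clean, "classes.dex", 0xFFFF)
    print("clean:", check_archive(clean) or "no findings")
    print("tampered:", check_archive(bad))
    print("zipfile still extracts:", extract_via_central_directory(bad, "classes.dex")[:8])
```

Run stand-alone, the clean archive produces no findings, while the tampered copy reports both the header mismatch and the unsupported method even though Python's zipfile, which reads the compression method from the central directory, still extracts the entry unchanged. That disagreement between readers is exactly what a structural check on a suspicious APK is meant to surface.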
The campaign targets speakers of English, Spanish, French, German, Italian, Portuguese and Russian, with a focus on regions where the targeted apps are popular. The malware's ability to steal lock screen credentials and automate screen unlocking is particularly concerning, as it grants attackers near-total control of infected devices.
Mitigating the Threat
Security researchers highlighted the importance of proactive defenses to detect and neutralize newly identified threats such as this.
“As mobile devices have become essential to business operations, securing them is crucial, especially to protect against the large variety of different types of phishing attacks, including these sophisticated mobile-targeted phishing attempts,” explained Patrick Tiquet, vice president of security & architecture at Keeper Security.
“Organizations should implement robust Mobile Device Management (MDM) policies, ensuring that both corporate-issued and BYOD devices comply with security standards. Regular updates to both devices and security software will ensure that vulnerabilities are promptly patched – safeguarding against known threats that target mobile users.”