New Mishing Campaigns Target Job Seekers

By now, many of us are at least mildly wary of where on the internet we choose to share our information. However, bad actors continue to identify areas where we are likely to drop our guard, one of them being job applications. In today's market, job seekers can apply to dozens of jobs with the click of a button, or with simple forms and a drag-and-drop CV. The ease of sharing, our trust in these job boards, and the desperation felt by some of the unemployed create an environment in which applicants are easily targeted by fake hiring firms.

Known as "recruitment scams" or "employment scams," this form of phishing has been used by bad actors in multiple campaigns over the last few years. They have managed to infiltrate trusted and reputable websites such as LinkedIn, and to pose as headhunters who contact people directly via platforms such as WhatsApp, in what is known as a mishing attack - a term that broadly refers to a phishing attempt aimed at mobile devices or mobile users. (The same word is sometimes used for marketing-based phishing attacks.)


The latest mishing campaign targeting would-be applicants is an employment scam in which victims are told to download a malware dropper onto their smartphones. This is described to them as part of the hiring process, but is in fact a disguised tool that lets the bad actors install malware onto the device. Zimperium's "zLabs" team has identified the payload as a variant of the Antidot malware family, termed "AppLite." This banking trojan is purpose-built to harvest your financial information.


How Does a Banking Trojan Work?
This malware category describes programs that not only allow bad actors to remotely access your device from anywhere in the world, but are also purpose-built to extract financial data, and in some cases have been engineered to move funds out of your bank account using your own phone.


Previous notable banking trojans include Anatsa, TrickBot, ZLoader and Dridex. Some of these even had the capability to form enormous botnets, and they have proven to be particularly damaging pieces of malware, underpinning some of the largest malware campaigns ever seen.


The first step in deploying a banking trojan is getting it onto the device, but with mobile devices shipping with built-in anti-virus protection and app stores being actively monitored, this is a challenge for attackers. In employment scams like the one above, the "recruiter" typically directs the victim to a webpage where they are instructed to download the application package directly. In other cases, the malware is made downloadable from the app store itself, or is distributed via email or SMS attachment.
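The direct-download route described above leaves a trace that a defender can look for: an Android package being fetched from a host that is not an app store. The following is an added example, not code from the article or from Zimperium; it assumes a constructed, space-separated web-gateway log format (timestamp, client, method, URL, status, content type) and a constructed allowlist of store hosts, both of which will differ in a real environment.

```python
"""Flag completed APK downloads from non-store hosts in web-gateway logs.

Added example, not from the original article. The log format below and the
STORE_HOSTS allowlist are assumptions constructed for this demonstration.
"""
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumed allowlist of first-party store hosts treated as expected APK sources.
STORE_HOSTS = {
    "play.google.com",
    "play-lh.googleusercontent.com",
    "galaxystore.samsung.com",
}

# MIME type that Android package files are normally served with.
APK_MIME = "application/vnd.android.package-archive"


@dataclass
class Finding:
    timestamp: str
    client: str
    host: str
    url: str
    reason: str


def parse_line(line: str):
    """Parse one assumed log line; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, ctype = parts
    return {"ts": ts, "client": client, "method": method,
            "url": url, "status": status, "ctype": ctype}


def flag_apk_downloads(lines):
    """Return a Finding for every successful APK fetch from a non-store host.

    An APK is recognised either by its content type or by a .apk path, so a
    download served under a generic filename is still caught.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parsed = urlparse(rec["url"])
        host = parsed.hostname or ""
        path = parsed.path.lower()
        by_mime = rec["ctype"].lower() == APK_MIME
        if not (by_mime or path.endswith(".apk")):
            continue
        if host in STORE_HOSTS:
            continue
        if rec["status"] != "200":
            continue  # only report downloads that actually completed
        reason = "apk content-type" if by_mime else ".apk path"
        findings.append(Finding(rec["ts"], rec["client"], host, rec["url"],
                                f"APK from non-store host ({reason})"))
    return findings


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-01-10T09:14:02Z 10.0.0.5 GET https://play.google.com/store/apps/details?id=com.example.bank 200 text/html",
    "2025-01-10T09:15:41Z 10.0.0.5 GET https://careers-portal.example/apply/app.apk 200 application/vnd.android.package-archive",
    "2025-01-10T09:16:03Z 10.0.0.7 GET https://cdn.example/files/report.pdf 200 application/pdf",
    "2025-01-10T09:17:22Z 10.0.0.9 GET https://hr-onboarding.example/download?file=hiring-tool 200 application/vnd.android.package-archive",
    "2025-01-10T09:18:00Z 10.0.0.5 GET https://careers-portal.example/apply/app.apk 404 text/html",
    "garbage",
]

if __name__ == "__main__":
    for f in flag_apk_downloads(SAMPLE_LOG):
        print(f"{f.timestamp} {f.client} -> {f.host}: {f.reason}")
```

Run against the constructed sample, the two downloads from the "careers" and "HR" hosts are reported, the failed (404) fetch and the Play Store page view are not. In practice the allowlist needs to be maintained per organisation, and a hit is a prompt to check the device and ask the user how they reached the page, not proof of compromise on its own.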


Once on the device, the malware embeds itself. It establishes a connection with the attacker's own server and sends information about the victim's phone and installed applications. Then, when the victim opens a banking application, the malware displays a phishing template over the legitimate app. The same technique works for particular websites accessed via the browser. The phishing template is not the official app or website, but an identical-looking HTML page hosted by the attacker. Its email and password login fields are effectively keyloggers: anything typed into them is sent straight back to the attacker's server.


In some cases, underneath the overlay, banking trojans can also execute remote commands that let the attacker tap and swipe on your screen: even logging in to your bank account and transferring your money away right under your nose.


The new Antidot variant "AppLite" supports a staggering 171 financial applications, including banking institutions, cryptocurrency-related apps and more, across a variety of languages.


How To Protect Yourself
These malware packages depend heavily on two things: the security of the operating system, and the unpreparedness of the victim.


On the former, AppLite and similar trojans use a multitude of flaws in the Android operating system in order to obfuscate their code. Once discovered, these flaws can be patched by developers and the fixes delivered to your device over the internet as an update. But if you don't update your device, you will not receive these patches. That means you will remain vulnerable to these attacks, and if you do fall victim to one, the attacker will have unfettered access to all of your information. It is therefore imperative that everybody keeps their phone's operating system and all apps updated.


On the latter, hopefully this article has already made you more aware of the dangers facing mobile users in 2025. If you find yourself sharing your information around without much thought, be it in job applications, housing or rental applications, or even a survey, pause for a moment. Consider who you are sharing your data with and what they might be able to do with it. Consider how safe it is in the hands of others, and whether you might be oversharing. Remember to only provide your information to trusted companies through trusted channels.


Conclusion
Hackers will always try to catch you with your guard down. Whether it's through job applications, at times when we are proverbially "throwing" our CVs out, or at some other moment - you may have been offered the job of your dreams, or find yourself desperate for work and in a pinch - don't leap at opportunities without practising vigilance. Verify the identity of the person you're talking to, the validity of the job offer, and the security of your channel of communication with them. If you make a mistake and are misled into downloading something, don't panic - your device may be capable of defending you if you have been prudent about applying updates. But to avoid getting to that point, be aware of the risks and dangers online so you can better recognise and avoid mishing attacks. Always keep your guard up.

The information contained in this article is provided for informational purposes only and does not constitute professional advice and is not guaranteed to be accurate, complete, reliable, current or error-free.


Sources

https://www.zimperium.com/blog/applite-a-new-antidot-variant-targeting-mobile-employee-devices/

https://www.securitymagazine.com/articles/101246-report-new-cyber-scam-campaign-targets-job-seekers

https://cyble.com/blog/new-antidot-android-banking-trojan-masquerading-as-google-play-updates/

https://www.whiteblueocean.com/newsroom/the-state-of-banking-droppers-in-2024/

https://www.whiteblueocean.com/glossary/

https://www.kaspersky.com/resource-center/threats/trickbot

https://www.cisa.gov/news-events/cybersecurity-advisories/aa19-339a

https://blogs.microsoft.com/on-the-issues/2022/04/13/zloader-botnet-disrupted-malware-ukraine/

https://www.microsoft.com/en-us/security/blog/2022/04/13/dismantling-zloader-how-malicious-ads-led-to-disabled-security-tools-and-ransomware/

https://www.bbc.co.uk/news/business-66592219

https://www.bbc.co.uk/news/uk-england-surrey-68110626