Android Banking Trojan Anubis Targets Nearly 400 Financial Apps

Cybersecurity researchers have discovered that the Android banking trojan Anubis has resurfaced and is now targeting users of 394 apps, including products from financial institutions, cryptocurrency wallets, and virtual payment platforms. According to experts at Lookout, this new Anubis campaign is still in the testing and optimization phase.

Background of Anubis

Anubis was first spotted on hacker forums in 2016, distributed as an open-source banking trojan with detailed instructions for deploying the client and various components. In 2019, the malware added a ransomware module and infiltrated the Google Play Store by disguising itself as fake apps. By 2020, Anubis had launched a large-scale phishing campaign targeting users of 250 shopping and banking apps.

How Anubis Works

The malware typically displays phishing overlays on top of legitimate app windows to steal user credentials. The latest version, identified by Lookout researchers, now targets 394 apps and includes the following capabilities:

  • Recording screen activity and audio from the microphone
  • Injecting a SOCKS5 proxy server for covert communication and data delivery
  • Saving screenshots
  • Sending mass SMS messages from the device to specified recipients
  • Extracting contacts stored on the device
  • Sending, reading, deleting, and blocking notifications for SMS messages received by the device
  • Scanning the device for files of interest to hackers for theft
  • Locking the device screen and displaying ransom demands
  • Sending USSD requests to check account balances
  • Collecting GPS data and pedometer statistics
  • Implementing a keylogger to steal credentials
  • Monitoring active apps to perform overlay attacks
  • Terminating other malware and removing competing malicious software from the device

Bypassing Security and Spreading the Malware

As in previous versions, Anubis checks if Google Play Protect is enabled on the compromised device. It then sends a fake system warning to trick the user into disabling this protection, giving the trojan full access to the device and the ability to freely send and receive data from its command-and-control server.

Researchers report that in July 2021, attackers attempted to submit a package named fr.orange.serviceapp to the Google Play Store, but it was rejected. This appears to have been a test of Google's malware protection systems, as the attackers had only partially implemented their obfuscation scheme at that time.

Currently, the malicious Orange SA app containing the new version of Anubis is being distributed through third-party websites, social media messages, forums, and similar channels. The campaign targets not only French Orange SA customers but also American users, including clients of Bank of America, US Bank, Capital One, Chase, SunTrust, and Wells Fargo.

Attribution and Evasion Techniques

Since Anubis's code has long been available on various hacker forums, it is used by many cybercriminals, making it extremely difficult to determine who is behind the new version. The attackers have also taken steps to cover their tracks, using Cloudflare to route all network traffic through SSL, while the command-and-control server is disguised as a cryptocurrency exchange using the domain quickbitrade[.]com.
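The two indicators the article names (the rejected package fr.orange.serviceapp and the disguised command-and-control domain quickbitrade[.]com) are the kind of thing a defender would sweep for across DNS logs and mobile device inventories. The script below is an added example, not code from the article or from Lookout: it refangs the published domain, matches DNS queries against it (exact host or subdomain only, so a look-alike that merely embeds the string is not flagged), checks device package lists for the exact package name, and correlates the two. The log format, device names and inventory are constructed for the example.

```python
import re

# Indicators as published in the article (the domain is defanged as printed).
ARTICLE_IOCS = {
    "package": ["fr.orange.serviceapp"],
    "domain": ["quickbitrade[.]com"],
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'quickbitrade[.]com' back into a real domain."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def normalize_domain(domain: str) -> str:
    """Lower-case, strip whitespace and a trailing dot so comparisons are stable."""
    return refang(domain).strip().lower().rstrip(".")


def domain_matches(candidate: str, ioc_domain: str) -> bool:
    """True only for the IoC domain itself or one of its subdomains.

    'quickbitrade.com.evil-lookalike.net' contains the string but is a
    different registrable domain, so it must not match.
    """
    c = normalize_domain(candidate)
    d = normalize_domain(ioc_domain)
    return c == d or c.endswith("." + d)


# Constructed sample DNS log (assumed format: timestamp, device, 'query', type, qname).
DNS_LOG = """\
2021-07-12T10:01:03Z dev-1 query A api.quickbitrade.com
2021-07-12T10:01:04Z dev-1 query A www.orange.fr
2021-07-12T10:02:17Z dev-2 query A quickbitrade.com.evil-lookalike.net
2021-07-12T10:03:00Z dev-3 query A QUICKBITRADE.COM.
"""

# Constructed package inventory per device (e.g. from an MDM export).
PACKAGE_INVENTORY = {
    "dev-1": ["com.android.chrome", "fr.orange.serviceapp"],
    "dev-2": ["com.android.chrome"],
    "dev-3": ["fr.orange.serviceapp.helper"],
}

DNS_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+query\s+\S+\s+(?P<qname>\S+)$")


def scan_dns(log_text: str):
    """Return (device, queried_name, matched_ioc) for each query hitting an IoC domain."""
    hits = []
    for line in log_text.splitlines():
        m = DNS_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        for ioc in ARTICLE_IOCS["domain"]:
            if domain_matches(m["qname"], ioc):
                hits.append((m["device"], normalize_domain(m["qname"]), refang(ioc)))
    return hits


def scan_packages(inventory: dict):
    """Return (device, package) for exact matches on the IoC package names."""
    hits = []
    for device, packages in inventory.items():
        for pkg in packages:
            if pkg in ARTICLE_IOCS["package"]:
                hits.append((device, pkg))
    return hits


def correlate(log_text: str, inventory: dict) -> set:
    """Devices that both carry the package and resolved the C2 domain: highest priority."""
    dns_devices = {device for device, _, _ in scan_dns(log_text)}
    pkg_devices = {device for device, _ in scan_packages(inventory)}
    return dns_devices & pkg_devices


if __name__ == "__main__":
    print("DNS hits:", scan_dns(DNS_LOG))
    print("Package hits:", scan_packages(PACKAGE_INVENTORY))
    print("Correlated devices:", correlate(DNS_LOG, PACKAGE_INVENTORY))
```

Because the article says the C2 traffic is fronted by Cloudflare over SSL, a network-level hunt should key on DNS resolution (or TLS SNI) of the domain rather than on the destination IP, which is why the example matches query names and not addresses.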
