Anubis Android malware makes comeback with over 17,000 samples

• These samples of Anubis are called AndroidOS_AnubisDropper.
• These new variants of Anubis trojan are labeled as either ‘Operatör Güncellemesi’ and ‘Google Services.’

The infamous Anubis banking trojan has evolved to target Android mobile users. Lately, two related servers containing 17,490 samples of Anubis trojans have been detected by security researchers. These samples of Anubis are called AndroidOS_AnubisDropper.

What are the trojan capabilities?

Researchers at Trend Micro used SHA-256 to analyze the new samples of Anubis and found that these variants requested the following URLs to download a malicious app:

• hxxp://markuezdnbrs[.]online/deneme/api[.]php?xml=8c6c029e-153b-41e1-a061-2699a45b69f9
• hxxp://successiondar[.]xyz/continuing/resigned[.]php?xml=7e393286-925c-41f4-ac81-b7e2625473d0

These URLs retrieved the following malicious APKs:

• hxxp://markuezdnbrs[.]online/deneme/apk/6928[.]apk
• hxxp://successiondar[.]xyz/continuing/kan/5425[.]apk

Furthermore, these new variants of Anubis trojan are labeled as either ‘Operatör Güncellemesi’ or ‘Google Services.’

Worth noting

According to Trend Micro researchers, “These labels are probably social engineering lures used to trick unwitting users into downloading an Anubis-embedded app.”

The samples that are marked with ‘Operatör Güncellemesi’ label come with information-stealing capabilities as the previous iterations. These information-stealing capabilities include:

• Taking screenshots of the infected device’s screen;
• Remotely controlling the device via virtual network computing (VNC);
• Recording audio;
• Sending, receiving, and deleting SMS;
• Enabling or configuring device administration settings;
• Getting the device’s running tasks;
• Stealing the device’s contact list;
• Opening a specified URL;
• Disabling Google Play Protect;
• Locking the device’s screen and more.

Apart from stealing information, these variants Anubis also target a list of 188 financial and banking-related apps from which it steals personal and financial data. Many of these apps are based in Poland, Australia, Turkey, Germany, France, Italy, Spain, USA, and India.

The samples of Anubis trojan that are marked with the Google Services label include both information-stealing and environment-detection capabilities.