
Anubis Banking Trojan Resurfaces to Cripple Over 400 Financial Firms

A new malware campaign is using the infamous Anubis banking trojan. The campaign masqueraded as an Orange Telecom app to deliver a recent variant of Anubis.

What has happened?

According to Lookout, the app disguised itself as an official account management platform for Orange S.A., targeting customers of Chase, Bank of America, Capital One, Wells Fargo, and 400 other financial institutions.
  • Once downloaded, the malware steals the user’s personal data. In addition to this, it targets banking customers, crypto wallets, and virtual payment platforms.
  • The malware collects a significant amount of victim information by intercepting SMS messages, monitoring the screen, collecting GPS data, keylogging, exfiltrating files, and abusing accessibility services.
  • The malicious copy of the Orange Telecom account management app was submitted to the Play Store in July and later removed. However, researchers believe that this submission was merely a trial run to probe Google’s security checks.
  • At present, the obfuscation efforts are minimal and are implemented within the app itself.

A new trick

  • Once downloaded on the target device, the malware establishes a connection with the C2 server and downloads another application, FR[.]apk, to start a SOCKS5 proxy.
  • This proxy is used to enforce authentication for clients communicating with the C2 server and to mask those communications.
  • Subsequently, a scam message asks the user to disable Play Protect, which switches off Google’s on-device app scanning and hands full control to the attacker.
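A triage check a defender could run against an app's manifest, added here as an example (not Lookout's or Cyware's code): it maps real Android permission names to the capabilities listed above and flags the combination that characterises this variant. The sample manifest, its package name and the permission-to-capability mapping are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission constants mapped to the capabilities the report
# attributes to this Anubis variant. The mapping itself is our assumption.
CAPABILITY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility abuse / keylogging",
    "android.permission.ACCESS_FINE_LOCATION": "GPS data collection",
    "android.permission.READ_EXTERNAL_STORAGE": "file exfiltration",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper (second-stage APK install)",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / screen monitoring",
}

# Constructed manifest modelled on the behaviour described above (hypothetical package).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fake.orange">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

def declared_permissions(manifest_xml: str) -> set:
    """Collect <uses-permission> names plus the android:permission guarding
    each <service> (accessibility services are declared that way)."""
    root = ET.fromstring(manifest_xml)
    perms = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    perms |= {el.get(ANDROID_NS + "permission") for el in root.iter("service")}
    perms.discard(None)
    return perms

def triage(manifest_xml: str) -> dict:
    """Group the app's permissions by the reported capability they enable."""
    found = {}
    for perm in sorted(declared_permissions(manifest_xml)):
        if perm in CAPABILITY_PERMISSIONS:
            found.setdefault(CAPABILITY_PERMISSIONS[perm], []).append(perm)
    return found

def is_anubis_like(manifest_xml: str) -> bool:
    """Flag the combination, not any single permission: SMS interception plus
    accessibility abuse plus a path to install a second stage (as with FR.apk)."""
    needed = {"SMS interception", "accessibility abuse / keylogging",
              "dropper (second-stage APK install)"}
    return needed.issubset(triage(manifest_xml))
```

Permissions alone do not prove malice; the flag is a prioritisation signal for manual review of sideloaded apps.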

Conclusion

Anubis is a dangerous banking trojan that keeps coming up with new tricks. Smartphone users are advised never to download third-party apps from unknown sources. Moreover, always run an anti-malware app on the smartphone and monitor installed apps for better security.

Cyware Publisher
