
Anubis trojan: A glimpse into the Android banking trojan’s capabilities

  • Anubis is capable of stealing SMS messages, photos, videos, contacts, email accounts, calendar events, and browser histories from Chrome and Samsung Internet Browser.
  • It is also capable of taking screenshots, recording audio, spying on victims, disabling Google Play Protect, locking the device’s screen, and encrypting files.

Anubis is an Android banking trojan that targets Android users via malicious apps that are available on the Google Play Store. The trojan steals login credentials and financial information from banking apps on infected Android devices.

What are the capabilities of Anubis Trojan?

  • Anubis is capable of stealing SMS messages, photos, videos, contacts, email accounts, calendar events, and browser histories from Chrome and Samsung Internet Browser.
  • It can take screenshots and record audio.
  • It can spy on the victims via the malicious apps installed on the Android device.
  • This banking trojan can run commands.
  • It can delete files on the device.
  • Anubis can install and uninstall APKs.
  • It also has the ability to self-destruct.
  • It can disable Google Play Protect and lock the device’s screen.
  • It can enable or configure device administration settings.
  • It is also capable of encrypting files.

Anubis variants

  • The trojan’s first variant, ‘Anubis II’, was discovered in the fourth quarter of 2017. In December 2018, the threat actors behind Anubis, maza-in, announced the release of Anubis 2.5.
  • In March 2019, an attacker named Aldesa created a post to sell the so-called ‘Anubis 3’ malware on an underground forum.

Anubis targets Turkish-speaking mobile users

In July 2018, researchers observed an Anubis campaign that targeted Turkish-speaking mobile users via at least 10 fake apps available in the official Google Play store. These apps download the Anubis trojan on the infected device, which facilitates financial fraud by stealing login credentials.

Anubis distributed via Google Play apps

A new version of the Anubis banking trojan disguised as two Android apps was spotted in January 2019. This new variant has been found to be distributed across 93 different countries.

  • The two Android apps are ‘Currency Converter’ and ‘BatterySaverMobi’.
  • Once installed, these malicious apps prompt the users to grant permission for access to their phones and later try to steal account information by keylogging.

Anubis steals PayPal credentials

In April 2019, security researcher Lukas Stefanko spotted the Anubis Android trojan stealing PayPal credentials.

  • This trojan encrypts all the files on an external medium and locks the infected device with a black screen.
  • The .AnubisCrypt extension is appended to the names of the encrypted files.
  • The trojan collects PayPal credentials by taking screenshots when users enter their credentials into apps.
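
The .AnubisCrypt extension described above gives responders a simple marker for scoping the damage on a copy of a device's external storage. The following triage script is an added example, not code from the original article; the function names, the sample directory tree and the case-insensitive match are assumptions made for illustration.

```python
import os
import tempfile
from collections import Counter

MARKER = ".AnubisCrypt"  # extension named in the article


def triage(root):
    """Walk a pulled copy of external storage and summarise marked files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            # Assumption: match case-insensitively to tolerate renamed copies.
            if not name.lower().endswith(MARKER.lower()):
                continue
            original = name[: -len(MARKER)]  # name before the marker was appended
            hits.append({
                "path": os.path.join(dirpath, name),
                "original_name": original,
                # True when an unmarked copy still sits beside the marked file
                "original_present": original in present,
            })
    by_dir = Counter(os.path.relpath(os.path.dirname(h["path"]), root) for h in hits)
    by_type = Counter(os.path.splitext(h["original_name"])[1].lower() or "(none)"
                      for h in hits)
    return {"hits": hits, "by_dir": dict(by_dir), "by_type": dict(by_type)}


def build_sample(root):
    """Constructed sample tree; file names and contents are made up."""
    layout = {
        "DCIM/Camera": ["IMG_0001.jpg.AnubisCrypt", "IMG_0002.jpg.AnubisCrypt",
                        "IMG_0003.jpg"],
        "Download": ["statement.pdf.AnubisCrypt", "statement.pdf", "notes.txt"],
        "Music": ["track.mp3"],
    }
    for sub, names in layout.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for n in names:
            with open(os.path.join(root, sub, n), "wb") as fh:
                fh.write(b"constructed sample")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        report = triage(tmp)
        print(report["by_dir"], report["by_type"])
        for h in report["hits"]:
            print(h["path"], "| original still present:", h["original_present"])
```

The per-directory and per-type counts show which data was hit, and the `original_present` flag points to files that may be recoverable without a backup.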

Anubis back in new campaign

In July 2019, researchers detected two servers containing 17,490 samples of the Anubis trojan. These samples of Anubis are called AndroidOS_AnubisDropper.

  • The two samples of the Anubis trojan are labeled ‘Operatör Güncellemesi’ and ‘Google Services’.
  • The sample labeled ‘Operatör Güncellemesi’ includes information-stealing capabilities.
  • The sample labeled ‘Google Services’ includes both information-stealing and environment-detection capabilities.

Publisher: Cyware