Over the past few years, Android banking trojans have been a persistent threat. Attackers continuously incorporate a wide range of malicious functionality into these trojans to make them more effective and less susceptible to detection. One such example is the infamous Anubis trojan.
Origin: Anubis is an Android banking trojan and bot which derives its source code from the Maza-in banking trojan. The malware, also known as Android.BankBot.250.Origin by Dr. Web, was first discovered in 2017. It is distributed by masquerading as innocuous apps, primarily through the Google Play Store. These apps can be fake mobile games, fake software updates, fake post/mail apps, fake utility apps, fake browsers, and even fake social-network and communication apps. The trojan has infected over 300 financial institutions worldwide since 2017.
Primary targets: Observations show that the malware mainly targets institutions providing services in Europe, Asia and America. It is also actively spreading its tentacles to institutions in Europe, West-Asia, North-America, and Australia.
Capabilities: Once launched, Anubis connects to the attackers' command-and-control (C2) server to receive additional commands. C2 communication also enables Anubis to:
Some of the major attacks that involved the use of the Anubis banking trojan include:
Recent versions: The first variant, ‘Anubis II’, was discovered in the fourth quarter of 2017. In December 2018, the threat actors behind Anubis, maza-in, announced the release of Anubis 2.5. In March 2019, an actor named Aldesa created a post to sell the so-called ‘Anubis 3’ malware on an underground forum.
In July 2019, a new version called AndroidOS_AnubisDropper was detected by Trend Micro researchers. The capabilities of this new version were similar to those of the malware’s previous iterations.
Although the Anubis trojan and its variants are no longer officially rented, experts believe that threat actors still have access to the builder and admin panel of the trojan.
Conclusion: Given the growing demand for Android banking trojans, experts claim that threat actors will continue using Anubis for future attacks. Anubis is one of the many trojans active in the wild.