Latest version of Anubis Trojan found to be distributed via Google Play Apps

• The malware disguises as two Android apps named ‘Currency Converter’ and ‘BatterySaverMobi’ for propagation.
• The malware comes with a built-in keylogging functionality that simplifies the process of stealing the credentials.

A new version of Anubis banking trojan is masquerading as two Android apps for propagation. Dubbed as ANDROIDS_ANUSBISDROPPER, the malware is capable of stealing a user’s account credentials by logging the keystrokes.

Propogation method

The malware disguises as two apps named ‘Currency Converter’ and ‘BatterySaverMobi’ for propagation. These benign apps make it possible for the malware to spread without any users’ suspicion.

According to the report from Trend Micro, the battery app logged more than 5000 downloads before it was removed. The app displayed a rating of 4.3 from 73 reviewers and was downloaded mostly by residents in Japan.

These apps use traditional evasion techniques. They use the user and device motion to hide their malicious activities.

“The malicious app monitors the user’s steps through the device motion sensor. If it senses that the user and the device are not moving (if it lacks sensor data and thus, might be running in a sandbox environment), then the malicious code will not run,” said Trend Micro in its analysis report.

Modus Operandi

Once installed, the apps prompt the users to grant permission for access to their phones and later try to steal account information. Researchers explain that the apps connect to a command and control server that is tied up to a domain named ‘aserogeege.space’. The attack attempt is successful only if the server responds to the apps with an APK command and attaches the download URL that eventually drops ANDROIDS_ANUSBISDROPPER.

The malware comes with a built-in keylogging functionality that simplifies the process of stealing the credentials. It is also capable of taking screenshots of the infected users’ screen, record audio, send SMS, make calls and alter external storage.

The latest version of Anubis trojan has been found to distributed across 93 different countries. Previous research had highlighted that versions of Anubis can also function as ransomware.