Uncovering the capabilities and activities of Anubis Android banking trojan

• It is distributed through apps which masquerade as innocuous apps, primarily through Google Play Store.
• The trojan has infected over 300 financial institutions worldwide since 2017.

Over the past few years, Android banking trojans have been a persistent threat. Attackers are continuously incorporating a wide range of malicious functionality within the trojans to make them more effective and less susceptible to detections. One such example is the infamous Anubis trojan.

What is Anubis - Anubis is an Android banking trojan and bot which derives its source code from the Maza-in banking trojan. The malware, also known as Android.BankBot.250.Origin by Dr. Web, was first discovered in 2017.

It is distributed through apps which masquerade as innocuous apps, primarily on Google Play Store. These apps can be fake mobile games, fake software updates, fake post/mail apps, fake utility apps, fake browsers, and even fake social-network and communication apps. The trojan has infected over 300 financial institutions worldwide since 2017.

What are its targets - Based on observations, it has been found that the malware mainly targets institutions providing services in Europe, Asia and America. It is also actively spreading its tentacles to institutions in Europe, West-Asia, North-America, and Australia.

What are its capabilities - Once launched, Anubis connects to the command-and-control server of the attackers to receive additional commands. Through the C2 communication, Anubis can perform various tasks including:

• Send SMS messages containing a defined text
• Execute USSD-request
• Send copies of SMS messages stored on the device
• Show push notifications whose contents are specified in the command
• Block the screen of the device window
• Send all the numbers from the contact list
• Request permission to access other crucial data
• Request permission to access device location
• Determine the IP address of an infected smartphone or tablet
• Clean up the configuration file

Major attacks

Some of the major attacks that involved the use of Anubis banking trojan includes:

• In July 2018, the malware was distributed through various legitimate-looking apps. Cybercriminals used the banking trojan to facilitate financial fraud by stealing login credentials to banking apps, e-wallets, and payment cards.
• In January 2019, the trojan made a comeback in the form of two apps that monitor motion-sensor input. The two infected apps were BatterySaverMobi and Currency Converter. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required C&C server.

Recent versions - The first variant ‘Anubis II’ was first discovered in the fourth quarter of 2017. In December 2018, the threat actors behind Anubis, maza-in, announced the released of Anubis 2.5. In March 2019, an actor named Aldesa created a post to sell the so-called ‘Anubis 3’ malware on an underground forum.

Although the Anubis trojan and its variants are no longer available for sale, experts believed that threat actors still have access to the builder and admin panel of the trojan.

Conclusion - Given the growing demand for Android banking trojan, experts claim that threat actors will continue using Anubis for future attacks. Anubis is one of the many trojans active in the wild.