| Advisory | Malware Intelligence |
|---|---|
| Type | Android Banking Trojan |
| Target System | Android |
| Affected Industry | BFSI |
| Affected Regions | Turkey, Italy, US, India, France, Germany, Australia, and Poland |
CloudSEK Threat Intelligence researchers have picked up dark web chatter regarding an Android banking trojan known as Anubis. Anubis is sold as MaaS (Malware as a Service), so anyone can use and distribute it. Although primarily a banking trojan, Anubis recently spread via a COVID-19 map application that lured victims into downloading the malicious app.
The client and server source code for this malware is publicly available. Threat actors use it to retool the malware, add features, or edit the source to build new functionality for Anubis that serves their own malicious intents. The malware is still actively modified by attackers on dark web forums to improve its efficiency.
- Encrypt the victim’s data and delete files
- Establish a VNC session between the victim and the attacker
- Forward calls and SMS to the attacker’s server
- Compromise the victim’s privacy
- Steal banking credentials

- Keep pace with the latest security updates
- Use the latest operating system version
- Install applications only from authorized app stores
This malware spreads in two different ways:
- Drive-by download, where the malicious APK is downloaded directly onto the victim’s device from a malicious website.
- Through the Google Play store, where it appears as a legitimate application that, once installed, fetches and installs the malicious payload as a second stage.
Once the app is installed, it asks for accessibility permissions so that it can run in the background and receive events from the system. It also hides the application’s icon from the launcher, making it difficult for a regular user to find and remove it.
- Exfiltrate data after encrypting it
- Receive C2 commands
- Encrypt data and append the extension .AnubisCrypt, acting as ransomware
- Start a VNC session, in which the attacker can only see the screen of the victim and not control it.
- Intercept calls and SMSs and forward them to the attacker’s server.
- Carry out an overlay attack, if any banking application exists on the victim’s device, to steal credentials. The overlay is built by loading a WebView on top of the legitimate application, so the malicious screen is shown instead of the genuine one.
- Prevent the victim from uninstalling the malicious application by listening to accessibility events.
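The capabilities above (accessibility-service abuse, SMS and call interception, screen overlays, and file encryption) each leave a footprint in the APK's manifest. The following static triage script is an added example for defenders, not CloudSEK tooling or code from the Anubis source: it parses an `AndroidManifest.xml` and flags the permission/component combination that matches the advisory's description. The manifests embedded below are constructed for illustration, and the mapping from capability to Android permission is an assumption based on the standard Android APIs that implement each capability; the advisory names the behaviours, not the permissions.

```python
"""Static triage of an Android manifest for the capability footprint this
advisory attributes to Anubis. Added example, not the vendor's or the
malware author's code. Manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capability -> permissions that commonly implement it (assumed mapping).
CAPABILITY_PERMISSIONS = {
    "sms_interception": {
        "android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
        "android.permission.SEND_SMS",
    },
    "call_interception": {
        "android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE",
        "android.permission.READ_CALL_LOG",
    },
    "screen_overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "file_encryption": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}


def parse_manifest(xml_text):
    """Return (requested permissions, accessibility service class names)."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ATTR_NAME) for p in root.iter("uses-permission")}
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility
    # service: it can read screen content and react to UI events, which is
    # how the advisory says the trojan blocks its own uninstallation.
    a11y = [s.get(ATTR_NAME) for s in root.iter("service")
            if s.get(ATTR_PERMISSION) == ACCESSIBILITY_BIND]
    return perms, a11y


def triage(xml_text):
    """Map manifest contents to capabilities and a coarse risk rating."""
    perms, a11y = parse_manifest(xml_text)
    findings = {cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                if perms & needed}
    if a11y:
        findings.add("accessibility_service")
    # Accessibility plus at least two other capabilities from the list
    # reproduces the overlay-plus-interception pattern described above.
    if "accessibility_service" in findings and len(findings) >= 3:
        risk = "high"
    elif len(findings) >= 2:
        risk = "medium"
    else:
        risk = "low"
    return {"findings": sorted(findings), "services": a11y, "risk": risk}


# Constructed manifest resembling the capability set in the advisory.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.covidmap">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".HelperAccessibilityService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no accessibility service.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST),
                        ("benign", BENIGN_MANIFEST)):
        print(label, triage(text))
```

A manifest can be extracted from an APK with `apktool d` (the tool decodes the binary XML to plain text) and piped into `triage()`. The rating is deliberately coarse: legitimate SMS and dialer apps request several of these permissions, so a `high` result is a prompt for dynamic analysis, not a verdict on its own. Note that icon hiding is done at runtime and does not appear in the manifest.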