Watch out for the Anubis Banking Malware That Can Put Your Virtual Privacy at Risk
If you ever find yourself wondering how large a large-scale cybercrime operation can be, you could do worse than take a look at the Anubis Android malware. The trojan has been around for at least five years now, but by the looks of things, its operators are nowhere near ready to retire it.
In January, security researchers found a few applications on Google Play that acted as downloaders for Anubis. Of course, the malicious apps were quickly taken off Android's official store, but Anubis hasn't stopped infecting people's smartphones and tablets. Researchers from Trend Micro have been tracking the trojan's movements, and after some investigation, they found no fewer than 17,490 samples hosted on two servers.
Trend Micro's report doesn't describe the exact infection vector. The research does suggest, however, that as always, Anubis' operators have a particular focus on users in Turkey and that they use some social engineering to fool victims into thinking that they are installing a completely benign app. Some of the samples were labeled "Operatör Güncellemesi", which is Turkish for "Operator Update", and the rest were masquerading as "Google Services".
Anubis is much more than a banking trojan
Anubis is equipped with a few clever anti-analysis mechanisms. In a recent update, the malware's creators implemented a module that uses the infected device's motion-based sensors to ensure that it's not running on an emulator or a virtual machine. In addition to this, they have developed a way of sending commands through social networks like Twitter, which minimizes the amount of suspicious traffic.
The trojan was classified as banking malware a while ago, and indeed, as Trend Micro points out, Anubis can detect when a user is launching one of a list of 188 mobile banking and finance-related applications. Using clever overlay techniques, it then presents a fake login page and steals the credentials of banking customers all around the world. In addition to this, previous research suggests that Anubis has keylogging capabilities which could make the task of stealing banking passwords even easier.
The malware's talents go way beyond the mere exfiltration of login credentials, though. In April, Anubis' operators added a ransomware module which can encrypt data both on the device's internal memory and on the SD card. To ensure that the phone's defenses are down, it can disable Google's Play Protect service, and it can perform a variety of reconnaissance tasks such as getting the phone's precise location, taking screenshots, recording audio, sending and receiving text messages, stealing contacts, etc.
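As an added example (not from the article or from Trend Micro's research), the following Python triage heuristic maps an Android app's declared permissions onto the capability profile described above (overlay login pages, keylogging, SMS interception, location, audio, contacts, storage) and flags the spoofed app labels the article mentions. The permission-to-capability mapping is an assumption about which Android permissions each capability needs (keylogging is assumed to go through an accessibility service), and the sample inventory is constructed.

```python
# Constructed triage heuristic: maps an Android app's declared permissions
# onto the capability profile described above. Package names and permission
# sets in SAMPLE_INVENTORY are made up, not real Anubis samples.
CAPABILITY_PERMISSIONS = {  # capability -> permissions that enable it (assumed)
    "overlay_phishing": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "keylogging": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS", "android.permission.SEND_SMS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "contact_theft": {"android.permission.READ_CONTACTS"},
    "sdcard_write": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}
# Labels the article reports Anubis samples using to pose as legitimate apps.
SPOOFED_LABELS = {"google services", "operatör güncellemesi"}

def capabilities(permissions):
    held = set(permissions)
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if held & needed}

def triage(app):
    """Return (risk, reasons) for one {'package','label','permissions'} record."""
    caps = capabilities(app["permissions"])
    reasons = sorted(caps)
    # Brand spoofing: a "Google Services" label outside Google's package namespace.
    if (app["label"].strip().lower() in SPOOFED_LABELS
            and not app["package"].startswith("com.google.")):
        reasons.append("spoofed_label")
    # Overlay + keylogging + SMS is the banking-trojan core; other capabilities
    # and a spoofed label only raise the score once that core is present.
    core = {"overlay_phishing", "keylogging", "sms_interception"} <= caps
    if core:
        risk = "high" if "spoofed_label" in reasons or len(caps) >= 5 else "medium"
    elif len(caps) >= 3:
        risk = "low"
    else:
        risk = "none"
    return risk, reasons

SAMPLE_INVENTORY = [  # constructed device inventory
    {"package": "com.example.update", "label": "Google Services",
     "permissions": ["android.permission.SYSTEM_ALERT_WINDOW",
                     "android.permission.BIND_ACCESSIBILITY_SERVICE",
                     "android.permission.RECEIVE_SMS",
                     "android.permission.ACCESS_FINE_LOCATION",
                     "android.permission.RECORD_AUDIO"]},
    {"package": "com.example.notes", "label": "Notes",
     "permissions": ["android.permission.WRITE_EXTERNAL_STORAGE"]},
]

def triage_inventory(inventory):
    return {app["package"]: triage(app) for app in inventory}
```

Run against a real inventory (e.g. a dump of installed packages and their requested permissions), a "high" verdict is a prompt for manual review, not proof of infection, since legitimate accessibility and SMS apps also hold these permissions.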
In short, Anubis is capable of compromising your security and privacy in a variety of different ways. It's a threat to be reckoned with, and Android users who like to click lots of links and install lots of apps should be especially careful.