Anubis Android Malware is back and targeting 394 financial apps

The well-known Anubis Android malware has returned, targeting around 394 financial organizations in the latest campaign seen in the wild. An Android app impersonating Orange S.A. attempts to steal login credentials for financial organizations, crypto wallets and other payment platforms.

Security researchers at Lookout identified the campaign and are still analysing it to understand the malware's full capabilities.

Anubis Android Malware is old but vicious

Anubis Android Malware was first identified on a Russian hacking forum in 2016 and later released as a banking Trojan. Anubis then evolved further, and its code was made open-source and shared among threat actors. In 2019, the malware added a ransomware module and sneaked into the Google Play Store via a number of ordinary-looking apps.

More recently, in 2020, Anubis returned with a phishing campaign hitting around 250 banking and e-commerce apps.

Like any other phishing campaign, Anubis manipulates users with fake login pages to steal credentials. But because it targets phones and tablets rather than desktops, it displays a fake overlay login page on top of the targeted app and then makes off with the credentials.

However, the recent Anubis Android Malware version targets 394 apps and is capable of far more than stealing credentials:

  • Screen recording and sound capture via the microphone
  • SOCKS5 proxy for covert communication and payload delivery
  • Screen capture
  • Mass SMS deployment
  • Stealing contacts
  • Manipulating SMS messages
  • Locking the device screen and displaying a ransom note
  • Stealing GPS data
  • Stealing pedometer statistics
  • Submitting USSD codes for bank queries
  • Keylogging to steal credentials
  • Overlay attacks
  • Self-destructing and disappearing from the device

Anubis Android Malware checks whether Google Play Protect is enabled on the device and then displays a fake system alert to scare the user into disabling it.

Distribution is currently happening via the fake Orange app, which is being pushed through random malicious websites, social media, smishing and other third-party forums.

While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting US banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust, and Wells Fargo.

The group behind Anubis Android Malware campaign

There isn't any evidence or detail on the actors behind the Anubis Android Malware campaign, as their C2 infrastructure keeps them in the shadows. We know the actor uses Cloudflare to redirect traffic over SSL, with the C2 masquerading as a cryptocurrency site.

Users of the Orange app are advised to be cautious about which app they are using and to ensure the permissions granted to it are no more elevated than necessary.
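One concrete way to act on that advice, as an added example that is not part of the original article or of Lookout's research: the script below takes the output of `adb shell dumpsys package <package>` and flags granted Android permissions that correspond to the capabilities listed above (SMS, microphone, contacts, location, USSD via phone calls, overlays). The permission names are real Android constants; the capability mapping, the package name and the dumpsys snippet are constructed for this example.

```python
import re

# Capabilities the article attributes to Anubis, mapped to the Android permission
# an app needs to exercise them. The mapping is this example's own assumption.
SUSPICIOUS = {
    "android.permission.RECORD_AUDIO": "sound capture via microphone",
    "android.permission.SEND_SMS": "mass SMS deployment",
    "android.permission.READ_SMS": "SMS manipulation / OTP theft",
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_CONTACTS": "contact theft",
    "android.permission.ACCESS_FINE_LOCATION": "GPS data theft",
    "android.permission.CALL_PHONE": "USSD code submission",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks",
}

# Matches lines such as "android.permission.READ_SMS: granted=true, flags=[...]"
# in both the "install permissions:" and "runtime permissions:" sections.
PERM_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)


def granted_permissions(dumpsys_text):
    """Return the set of permissions that dumpsys reports as granted=true."""
    return {name for name, state in PERM_RE.findall(dumpsys_text) if state == "true"}


def suspicious_grants(dumpsys_text):
    """Return {permission: capability} for granted permissions on the watch list."""
    granted = granted_permissions(dumpsys_text)
    return {perm: why for perm, why in SUSPICIOUS.items() if perm in granted}


# Constructed sample resembling `adb shell dumpsys package com.example.suspicious`.
SAMPLE = """\
Package [com.example.suspicious] (a1b2c3):
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.SEND_SMS: granted=true, flags=[ USER_SET]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET]
"""

if __name__ == "__main__":
    for perm, why in sorted(suspicious_grants(SAMPLE).items()):
        print(f"{perm}: {why}")
```

A telecom operator's self-care app has no business sending SMS in bulk or drawing over other apps, so several hits at once on a single package is a strong signal to uninstall it.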

John Greenwood

He has been working in the cybersecurity and infosec market for 12+ years. Passionate about AI, cybersecurity, information security, blockchain and machine learning. When he is not occupied with cybersecurity, he likes to go on bike rides!
