Anubis Android trojan spotted stealing PayPal credentials and locking devices

• Anubis trojan encrypts all the files on an external medium and locks the infected device with a black screen.
• Anubis trojan comes with a device lock feature which attempts to lock the compromised devices. However, Stefanko was able to circumvent it.

What is the issue - A security researcher named Lukas Stefanko spotted Anubis Android trojan that steals PayPal credentials.

Why it matters - The trojan encrypts all the files on an external medium and locks the infected device with a black screen.

More details on the trojan

Lukas Stefanko spotted the Anubis trojan disguised as an Android application that is available for download in Google Play Store.

“Crypto-Banking Ransomware found on Google Play. Once it lured my PayPal credentials it encrypted my files on external medium and locked my device with black screen. #Anubis,” Stefanko tweeted.

• Once the Anubis Android trojan is dropped onto the compromised device, it starts collecting banking credentials.
• The trojan collects credentials by taking screenshots when users enter their credentials into apps.
• It then encrypts all the files and appends .AnubisCrypt extension and then locks the device with a black screen.

Anubis trojan comes with a device lock feature which attempts to lock the compromised devices. However, Stefanko was able to circumvent it.

“I could bypass it, and it doesn't request ransom - maybe a bad implementation,” Stefanko told BleepingComputer.

Worth noting - Even though the Anubis infected app that is available in the Google Play Store does not have many installs, the app comes with 4 stars and 90 ratings.

These positive ratings could allow the app to gain popularity over a period of time. However, a Google spokesperson confirmed that the app is no longer available in the Google Play Store.