Exploring the Nature and Capabilities of Anubis Android Banking Trojan

• It is distributed by masquerading as innocuous apps, primarily through Google Play Store.
• The trojan has infected over 300 financial institutions worldwide since 2017.

Over the past few years, Android banking trojans have been a persistent threat. Attackers are continuously incorporating a wide range of malicious functionality within the Trojans to make them more effective and less susceptible to detections. One such example is the infamous Anubis trojan.

Origin: Anubis is an Android banking trojan and bot which derives its source code from the Maza-in banking trojan. The malware, also known as Android.BankBot.250.Origin by Dr. Web, was first discovered in 2017. It is distributed by masquerading as innocuous apps, primarily through Google Play Store. These apps can be fake mobile games, fake software updates, fake post/mail apps, fake utility apps, fake browsers, and even fake social-network and communication apps. The trojan has infected over 300 financial institutions worldwide since 2017.

Primary targets: Based on observations, it has been found that the malware mainly targets institutions providing services in Europe, Asia and America. It is also actively spreading its tentacles to institutions in Europe, West-Asia, North-America, and Australia.

Capabilities: Once launched, Anubis connects to the command-and-control server of the attackers to receive additional commands. Additionally, C2 communication also enables Anubis to:

• Send SMS messages containing a defined text;
• Execute USSD-request;
• Send copies of SMS messages stored on the device;
• Show push notifications whose contents are specified in the command;
• Block the screen of the device window;
• Send all the numbers from the contact list;
• Request permission to access other crucial data;
• Request permission to access device location;
• Determine the IP address of an infected smartphone or tablet;
• Clean up the configuration file.

Major attacks

Some of the major attacks that involved the use of Anubis banking trojan includes:

• In July 2018, the malware was distributed by various applications. Cybercriminals used the banking trojan to facilitate financial fraud by stealing login credentials to banking apps, e-wallets, and payment cards.
• In January 2019, the trojan made a comeback in the form of two apps that monitor motion-sensor input. The two infected apps were BatterySaverMobi and Currency Converter. Once one of the apps installed Anubis on a device, the dropper used requests and responses over Twitter and Telegram to locate the required C&C server.
• In November 2019, a new Android banking trojan dubbed Ginp that steals both login credentials and credit card data was uncovered by security experts. The malware’s latest variant, which was used against Spain and UK users, had borrowed pieces of code from the Anubis.

Recent versions: The first variant ‘Anubis II’ was first discovered in the fourth quarter of 2017. In December 2018, the threat actors behind Anubis, maza-in, announced the release of Anubis 2.5. In March 2019, an actor named Aldesa created a post to sell the so-called ‘Anubis 3’ malware on an underground forum.

In July 2019, a new version called AndroidOS_AnubisDropper was detected by Trend Micro researchers. The capabilities of this new version were similar to those of the malware’s previous iterations.

Although the Anubis trojan and its variants are no longer officially rented, experts believed that threat actors still have access to the builder and admin panel of the trojan.

Conclusion: Given the growing demand for Android banking trojan, experts claim that threat actors will continue using Anubis for future attacks. Anubis is one of the many trojans active in the wild.