Security researchers have found that the Android banker Anubis is active again and now targets 394 users, including products from financial institutions, cryptocurrency wallets and virtual payment platforms. At the same time, Lookout experts write that the new banker’s campaign is still in the testing and optimization stage.
Anubis was first spotted on hacker forums in 2016 when it was distributed as an open source banking Trojan with detailed instructions on how to implement the client and various components.
In 2019, the malware acquired a ransomware module and infiltrated the Google Play Store, using fake applications for injection. In 2020, the Trojan launched a large-scale phishing campaign aimed at users of 250 shopping and banking apps.
The malware works in a simple way: usually Anubis displays phishing overlays on top of real application windows and steals user-entered credentials.
The new version of malware, spotted by Lookout experts, targets 394 applications and has the following features:
- recording of screen activity and sound from a microphone;
- implementation of a SOCKS5 proxy server for covert communication and packet delivery;
- saving screenshots;
- mass distribution of SMS-messages from the device to the specified recipients;
- retrieving of contacts stored on the device;
- sending, reading, deleting and blocking notifications for SMS messages received by the device;
- scanning the device in search for files of interest to hackers for theft;
- lock the device screen and display the ransom demand;
- sending USSD requests to find out about the status of accounts;
- collection of GPS data and pedometer statistics;
- implementation of a keylogger to steal credentials;
- monitoring of active applications performing overlay attacks;
- termination of other malicious programs and removal of competing malware from the device.
As in previous versions of Anubis, the malware detects whether Google Play Protected is enabled on the affected device, and then sends a fake system warning to trick the user into turning it off. This gives the Trojan full access to the device and the freedom to send and receive data from the C&C server without any hindrance.
Experts report that this time the attackers tried to submit the fr.orange.serviceapp package to the Google Play Store in July 2021, but then their application was rejected. Apparently, this was just an attempt to test Google systems for protection against malware, since then the attackers only partially implemented their obfuscation scheme.
So far, the distribution of the malicious application Orange SA, equipped with a new version of Anubis, occurs through third-party sites, posts on social networks, on forums, and so on. At the same time, the malicious campaign targets not only French customers of Orange SA, but also American users, including customers of Bank of America, US Bank, Capital One, Chase, SunTrust and Wells Fargo.
Let me remind you that we also told that SharkBot Android Trojan Steals Cryptocurrency and Hacks Bank Accounts.