Anubis Android Banker Targets Nearly 400 Financial App Users

Security researchers have found that the Android banker Anubis is active again and now targets the users of 394 applications, including products from financial institutions, cryptocurrency wallets and virtual payment platforms. At the same time, Lookout experts write that the new banker campaign is still in the testing and optimization stage.

Anubis was first spotted on hacker forums in 2016 when it was distributed as an open source banking Trojan with detailed instructions on how to implement the client and various components.

In 2019, the malware acquired a ransomware module and infiltrated the Google Play Store, using fake applications as droppers. In 2020, the Trojan launched a large-scale phishing campaign aimed at users of 250 shopping and banking apps.

The malware works in a simple way: Anubis usually displays phishing overlays on top of the windows of genuine applications and steals the credentials the user enters.

The new version of malware, spotted by Lookout experts, targets 394 applications and has the following features:

  1. recording of screen activity and sound from the microphone;
  2. implementation of a SOCKS5 proxy server for covert communication and packet delivery;
  3. saving screenshots;
  4. mass distribution of SMS messages from the device to specified recipients;
  5. retrieval of contacts stored on the device;
  6. sending, reading, deleting and blocking notifications for SMS messages received by the device;
  7. scanning the device for files of interest to the attackers, for theft;
  8. locking the device screen and displaying a ransom demand;
  9. sending USSD requests to find out account balances;
  10. collection of GPS data and pedometer statistics;
  11. implementation of a keylogger to steal credentials;
  12. monitoring of active applications in order to perform overlay attacks;
  13. termination of other malicious programs and removal of competing malware from the device.
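Most of the capabilities above require specific Android permissions, which makes the combination of requested permissions a useful triage signal for defenders. The script below is an added example, not code from the article or from Lookout: it scores an app's manifest permission strings against the capability classes listed above and flags the package name the article reports. The permission-to-capability mapping and the sample inventory are assumptions constructed for illustration.

```python
# Added example: triage heuristic mapping Anubis capability classes to the
# standard Android permission strings an app would normally need for them.
# The mapping is an assumption; a high score only means "review manually".
from collections import OrderedDict

CAPABILITY_PERMISSIONS = OrderedDict([
    ("audio/screen recording", {"android.permission.RECORD_AUDIO"}),
    ("SMS sending/interception", {"android.permission.SEND_SMS",
                                  "android.permission.READ_SMS",
                                  "android.permission.RECEIVE_SMS"}),
    ("contact theft", {"android.permission.READ_CONTACTS"}),
    # Service-binding permissions appear in the manifest on the declared service.
    ("notification control", {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"}),
    ("file scanning", {"android.permission.READ_EXTERNAL_STORAGE"}),
    ("USSD requests", {"android.permission.CALL_PHONE"}),
    ("GPS tracking", {"android.permission.ACCESS_FINE_LOCATION"}),
    ("overlay attacks", {"android.permission.SYSTEM_ALERT_WINDOW"}),
    ("keylogging", {"android.permission.BIND_ACCESSIBILITY_SERVICE"}),
    ("competitor removal", {"android.permission.REQUEST_DELETE_PACKAGES"}),
])

# Package name the article reports as the rejected Play Store submission.
KNOWN_BAD_PACKAGES = {"fr.orange.serviceapp"}

def triage(package, permissions, threshold=5):
    """Return (matched capability classes, verdict) for one app's manifest permissions."""
    perms = set(permissions)
    matched = [cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed]
    if package in KNOWN_BAD_PACKAGES:
        verdict = "known-bad package name"
    elif len(matched) >= threshold:
        verdict = "banker-like permission profile, review manually"
    else:
        verdict = "no finding"
    return matched, verdict

# Constructed sample inventory (not real captured data).
SAMPLE_APPS = {
    "com.example.weather": ["android.permission.INTERNET",
                            "android.permission.ACCESS_FINE_LOCATION"],
    "com.example.flashlight": ["android.permission.RECORD_AUDIO", "android.permission.SEND_SMS",
                               "android.permission.READ_CONTACTS", "android.permission.SYSTEM_ALERT_WINDOW",
                               "android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.CALL_PHONE"],
    "fr.orange.serviceapp": ["android.permission.INTERNET"],
}

if __name__ == "__main__":
    for pkg, perms in SAMPLE_APPS.items():
        matched, verdict = triage(pkg, perms)
        print(f"{pkg}: {verdict} ({len(matched)} classes: {', '.join(matched)})")
```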

As in previous versions of Anubis, the malware detects whether Google Play Protect is enabled on the infected device and then shows a fake system warning to trick the user into turning it off. This gives the Trojan full access to the device and the freedom to exchange data with the C&C server without hindrance.

Google Play Protect

Experts report that this time the attackers tried to submit the fr.orange.serviceapp package to the Google Play Store in July 2021, but the application was rejected. Apparently, this was only an attempt to probe Google's anti-malware protections, since at that point the attackers had implemented their obfuscation scheme only partially.

So far, the malicious Orange SA application carrying the new version of Anubis is distributed through third-party sites, social network posts, forums and so on. At the same time, the campaign targets not only French customers of Orange SA but also American users, including customers of Bank of America, US Bank, Capital One, Chase, SunTrust and Wells Fargo.

Since the Anubis code has long been circulating on numerous hacker forums and is used by many groups, it is now extremely difficult to determine who is behind the new version of the Trojan. In addition, the attackers try to hide their tracks by using Cloudflare to route all network traffic over SSL, while the C&C server masquerades as a cryptocurrency exchanger using the domain https://quickbitrade[.]Com.

Let me remind you that we also reported that the SharkBot Android Trojan steals cryptocurrency and hacks bank accounts.

Helga Smith

I have always been interested in computer sciences, especially data security and the subject now called "data science", since my early teens. Before joining the Virus Removal team as Editor-in-Chief, I worked as a cybersecurity expert at several companies, including one of Amazon's contractors. Another experience: I have taught at the universities of Arden and Reading.
