
Anubis Android malware returns to target 394 financial apps

The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign.

The threat actors target financial institutions, cryptocurrency wallets, and virtual payment platforms by impersonating an Orange S.A. Android app that attempts to steal login credentials.

The report comes from researchers at Lookout, who note that the malicious campaign is still in the testing and optimization phase.

An old but potent threat

Anubis first appeared on Russian hacking forums in 2016, shared as an open-source banking trojan with instructions on implementing its client and components.

In the years that followed, Anubis received further development work, and its newer code continued to be openly shared between actors.

In 2019, the malware added what appeared to be an almost functional ransomware module and found its way into Google’s Play Store through fake apps.

In 2020, Anubis returned through large-scale phishing campaigns, targeting 250 shopping and banking apps.

When a user opens an app for one of the targeted platforms, Anubis displays a fake login form over the real app's login screen. Because the overlay appears at the moment the user expects a legitimate login prompt, victims enter their credentials into it, and those credentials are sent to the attackers instead of the real app.

Anubis phishing login form overlay
Source: Lookout

In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:

  • Recording screen activity and sound from the microphone
  • Implementing a SOCKS5 proxy for covert communication and package delivery
  • Capturing screenshots
  • Sending mass SMS messages from the device to specified recipients
  • Retrieving contacts stored on the device
  • Sending, reading, deleting, and blocking notifications for SMS messages received by the device
  • Scanning the device for files of interest to exfiltrate
  • Locking the device screen and displaying a persistent ransom note
  • Submitting USSD code requests to query bank balances
  • Capturing GPS data and pedometer statistics
  • Implementing a keylogger to steal credentials
  • Monitoring active apps to mimic and perform overlay attacks
  • Stopping malicious functionality and removing the malware from the device

Anubis classes hiding inside fake app
Source: Lookout
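The capability list above maps fairly directly onto Android permissions an app has to declare in its manifest, which is what the advice at the end of the article (check requested permissions before installing) relies on. The following triage script is an added example, not Lookout's or Anubis's code: the permission names are real Android permissions, but the mapping of each capability to a permission set, the suspicion threshold, and both sample manifests are this example's own constructed assumptions.

```python
import re

# Assumed mapping from the capabilities reported for this Anubis build to the
# Android permissions each one needs (permission names are real; mapping is ours).
CAPABILITY_PERMISSIONS = {
    "send mass SMS": {"android.permission.SEND_SMS"},
    "read/delete incoming SMS": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "record microphone": {"android.permission.RECORD_AUDIO"},
    "retrieve contacts": {"android.permission.READ_CONTACTS"},
    "overlay login forms": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "GPS tracking": {"android.permission.ACCESS_FINE_LOCATION"},
    "USSD balance queries": {"android.permission.CALL_PHONE"},
    "scan files for exfiltration": {"android.permission.READ_EXTERNAL_STORAGE"},
}

USES_PERMISSION = re.compile(r'<uses-permission\s+android:name="([^"]+)"')
PACKAGE_NAME = re.compile(r'package="([^"]+)"')

# Constructed sample manifests: one imitating the fake Orange package, one benign.
FAKE_APP_MANIFEST = """<manifest package="fr.orange.serviceapp">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>"""
BENIGN_MANIFEST = """<manifest package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a manifest."""
    return set(USES_PERMISSION.findall(manifest_xml))


def matched_capabilities(perms):
    """Capabilities whose full permission set is requested, sorted for stable output."""
    return sorted(cap for cap, need in CAPABILITY_PERMISSIONS.items() if need <= perms)


def triage(manifest_xml, threshold=3):
    """Flag a manifest when it enables at least `threshold` banker-style capabilities."""
    caps = matched_capabilities(requested_permissions(manifest_xml))
    pkg = PACKAGE_NAME.search(manifest_xml)
    return {"package": pkg.group(1) if pkg else "", "capabilities": caps,
            "suspicious": len(caps) >= threshold}
```

The threshold is deliberately a count of enabled capabilities rather than a single permission, since SMS or location access alone is common in legitimate apps while the combination listed above is not.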

Like previous versions, the newest Anubis detects whether the compromised device has Google Play Protect enabled and pushes a fake system alert to trick the user into disabling it.

This deactivation gives the malware full access to the device, and the freedom to send and receive data from the C2 without any interference.

Tricking a user into disabling Google Play Protect
Source: Lookout

Distribution mechanisms

The actors attempted to submit a “fr.orange.serviceapp” package to the Google Play store in July 2021, but the app was rejected.

Lookout believes this was just an attempt to test Google’s anti-malware detectors, as threat actors only partially implemented the obfuscation scheme.

Optimization and obfuscation of the app are ongoing, covering both the C2 communications and the app’s code.

The distribution of the fake Orange app is currently taking place via malicious websites, direct messages on social media, smishing, and forum posts.

Anubis communication with the C2
Source: Lookout

Lookout’s threat researcher Kristina Balaam told Bleeping Computer that this campaign isn’t targeting only French customers of Orange S.A., but American users as well.

While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting US banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust, and Wells Fargo.

The actor behind the recent campaign

There is no concrete information on the actors who currently distribute Anubis, as they were careful enough to hide the registration trail of their C2 infrastructure.

The actor uses Cloudflare to route all network traffic over SSL, while the C2 masquerades as a cryptocurrency trading website at the domain “https://quickbitrade[.]com”.

Fake crypto-trading sites used in recent Anubis campaign
Source: Lookout

The communications between Anubis and the C2 aren’t properly secured yet, but the admin panel remains out of the researchers’ reach.

Because the Anubis code circulates on numerous underground hacking forums, the number of criminals using it is large, and tying the campaign to a specific threat actor’s online persona is difficult.

Customers of Orange S.A. are advised to only source the app from the telco’s official website or the Google Play store.

Additionally, pay attention to the requested permissions before granting your approval whenever you download and install an app.

(source: https://www.bleepingcomputer.com/news/security/anubis-android-malware-returns-to-target-394-financial-apps/)
