Anubis Android malware returns to target 394 financial apps

Posted December 16, 2021, updated December 16, 2021, by Administrator

The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign.

The threat actors target financial institutions, cryptocurrency wallets, and virtual payment platforms by impersonating an Orange S.A. Android app that attempts to steal login credentials.

The report comes from researchers at Lookout, who note that the malicious campaign is still in the testing and optimization phase.

An old but potent threat

Anubis first appeared on Russian hacking forums in 2016, shared as an open-source banking trojan with instructions on implementing its client and components.

In the years that followed, Anubis received further development work, and its newer code continued to be openly shared between actors.

In 2019, the malware added what appeared to be an almost functional ransomware module and found its way into Google's Play Store through fake apps.

In 2020, Anubis returned through large-scale phishing campaigns, targeting 250 shopping and banking apps.

To steal credentials, Anubis displays a fake phishing login form whenever the user opens an app belonging to one of the targeted platforms.
This overlay screen is shown on top of the real app's login screen so that victims believe it is the legitimate login form, when in reality the credentials they enter are sent to the attackers.

[Image: Anubis phishing login form overlay. Source: Lookout]

In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:

- Recording screen activity and sound from the microphone
- Implementing a SOCKS5 proxy for covert communication and package delivery
- Capturing screenshots
- Sending mass SMS messages from the device to specified recipients
- Retrieving contacts stored on the device
- Sending, reading, deleting, and blocking notifications for SMS messages received by the device
- Scanning the device for files of interest to exfiltrate
- Locking the device screen and displaying a persistent ransom note
- Submitting USSD code requests to query bank balances
- Capturing GPS data and pedometer statistics
- Implementing a keylogger to steal credentials
- Monitoring active apps to mimic and perform overlay attacks
- Stopping malicious functionality and removing the malware from the device

[Image: Anubis classes hiding inside the fake app. Source: Lookout]

Like previous versions, the newest Anubis detects whether Google Play Protect is enabled on the compromised device and pushes a fake system alert to trick the user into disabling it. Once Play Protect is disabled, the malware has full access to the device and can send and receive data from the C2 without any interference.

[Image: Tricking a user into disabling Google Play Protect. Source: Lookout]

Distribution mechanisms

The actors attempted to submit an "fr.orange.serviceapp" package to the Google Play store in July 2021, but the app was rejected.

Lookout believes this was just an attempt to test Google's anti-malware detectors, as the threat actors had only partially implemented the obfuscation scheme.

Optimization and obfuscation of the app is ongoing, covering both the C2 communications and the app's code.

The distribution of the fake Orange app is currently taking place via malicious
websites, direct messages on social media, smishing, and forum posts.

[Image: Anubis communication with the C2. Source: Lookout]

Lookout's threat researcher Kristina Balaam told Bleeping Computer that this campaign isn't targeting only French customers of Orange S.A., but American users as well.

"While we can't be certain whether the app has been used in a successful attack, we do know they are targeting US banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust, and Wells Fargo."

The actor behind the recent campaign

There is no concrete information on the actors currently distributing Anubis, as they were careful enough to hide the registration trail of their C2 infrastructure.

The actor uses Cloudflare to redirect all network traffic through SSL, while the C2 masquerades as a cryptocurrency trading website using the domain "https://quickbitrade[.]com".

[Image: Fake crypto-trading sites used in the recent Anubis campaign. Source: Lookout]

The communications between Anubis and the C2 aren't properly secured yet, but the admin panel area is beyond reach.

Considering that the Anubis code circulates on numerous underground hacking forums, the number of hackers using it is large, and linking it to threat actor online personas is complicated.

Customers of Orange S.A. are advised to only source the app from the telco's official website or the Google Play store. Additionally, pay attention to the requested permissions before granting your approval whenever you download and install an app.

(Source: https://www.bleepingcomputer.com/news/security/anubis-android-malware-returns-to-target-394-financial-apps/)
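As an added defensive example (my own code, not Lookout's or Bleeping Computer's), the following script turns the capability list and the permissions advice above into a static triage check: it maps each Anubis capability to the Android permissions an app would have to declare and flags a decoded AndroidManifest.xml that requests enough of them. The capability-to-permission mapping, the threshold, and the sample manifest with its package name are my assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (my own, not from Lookout's report) from the Anubis capabilities
# listed above to the Android permissions an app must declare to implement them.
CAPABILITY_PERMISSIONS = {
    "overlay attacks / fake login forms": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "SMS sending, reading and blocking": {"android.permission.SEND_SMS", "android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact retrieval": {"android.permission.READ_CONTACTS"},
    "microphone recording": {"android.permission.RECORD_AUDIO"},
    "USSD balance queries": {"android.permission.CALL_PHONE"},
    "GPS capture": {"android.permission.ACCESS_FINE_LOCATION"},
    "file scanning for exfiltration": {"android.permission.READ_EXTERNAL_STORAGE"},
    "keylogging / app monitoring": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "notification interception": {"android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
}

def declared_permissions(manifest_xml):
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Accessibility and notification-listener services declare their binding
    # permission on the <service> element rather than in <uses-permission>.
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    perms.discard(None)
    return perms

def capability_matches(manifest_xml):
    perms = declared_permissions(manifest_xml)
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}

def triage(manifest_xml, threshold=3):
    # Flag the app when its permissions would let it implement `threshold` or more
    # of the capabilities; a telco self-care app has no business with most of them.
    matches = capability_matches(manifest_xml)
    return {"capabilities": sorted(matches), "suspicious": len(matches) >= threshold}

# Constructed sample manifest (hypothetical package name, not a real indicator).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="example.hypothetical.telcoapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

The script expects a decoded text manifest (for example, one produced by apktool), since the manifest inside an APK is stored as binary XML.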