A new phishing campaign has been detected that attempts to infect Android devices with a nasty piece of malware capable of stealing financial information from more than 250 banking and shopping applications, researchers at Cofense warned.
The phishing campaign specifically targets Android devices that are configured to allow installation of unsigned applications. The malware in question is the Anubis trojan, which was initially used for cyber espionage but over the years has morphed into a banking trojan. Anubis is able to completely hijack an Android mobile device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim’s personal files.
“This version of Anubis is built to run on several iterations of the Android operating system, dating back to version 4.0.3, which was released in 2012,” the researchers said.
The malware is delivered via a malicious link embedded within the phishing email that will download an APK file camouflaged as an invoice.
The interesting part of this campaign is the trick the attackers use to persuade potential victims to install the malware on their devices: the user is asked to enable Google Play Protect, but the prompt is not a genuine Google Play Protect screen. Accepting it grants the malicious app all the permissions it needs while simultaneously disabling the real Google Play Protect.
The analysis of the malicious code revealed that the application collects a list of installed applications and compares the results against a list of targeted applications. The malware mainly targets banking and financial applications, but also looks for popular shopping apps such as eBay or Amazon (a full list of targeted applications is provided in the IoC section of the Cofense report).
Once a user opens an app, Anubis overlays the original application with a fake login page to capture the user’s credentials.
Anubis comes with a wide range of functions, including:
Capturing screenshots
Enabling or changing administration settings
Opening and visiting any URL
Disabling Play Protect
Recording audio
Making phone calls
Stealing the contact list
Controlling the device via VNC
Sending, receiving and deleting SMS
Locking the device
Encrypting files on the device and external drives
Searching for files
Retrieving the GPS location
Capturing remote control commands from Twitter and Telegram
Pushing overlays
Reading the device ID
Additionally, the banking trojan includes a keylogger that can capture keystrokes from every app on the device, although the keylogging functionality has to be specifically enabled by a command sent from the attackers’ command and control server.
The malware also incorporates a ransomware component that encrypts files in both internal and external storage and adds the file extension .AnubisCrypt. It then sends each encrypted file to an attacker-controlled server.
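As an added defender-side example (not code from the Cofense report), the following Python triage script flags sideloaded packages in the output of `adb shell pm list packages -i` and lists files carrying the .AnubisCrypt extension described above. The package names and file paths in the sample data are constructed, and treating every installer other than Google Play as sideloaded is an assumption of this example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `adb shell pm list packages -i` output. The line format
# is the real one; the package names and installers are assumed sample values.
PM_LIST_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.invoice  installer=null
package:com.example.shop  installer=com.android.vending
"""

# Constructed sample of a recursive listing of external storage.
FILE_LISTING = """\
/sdcard/DCIM/IMG_0001.jpg.AnubisCrypt
/sdcard/Documents/invoice.pdf
/sdcard/Download/invoice.apk
/sdcard/Documents/taxes.xlsx.AnubisCrypt
"""

# Assumption: only Google Play is treated as a trusted installer; anything else
# (including "null", i.e. no recorded installer) counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}
RANSOM_EXT = ".AnubisCrypt"  # extension added by the Anubis ransomware component


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map each package name to its installer (None when none is recorded)."""
    pkgs: Dict[str, Optional[str]] = {}
    for line in output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            pkgs[pkg] = None if inst == "null" else inst
    return pkgs


def sideloaded_packages(pkgs: Dict[str, Optional[str]]) -> List[str]:
    """Packages not installed through a trusted installer."""
    return sorted(p for p, inst in pkgs.items() if inst not in TRUSTED_INSTALLERS)


def encrypted_files(listing: str) -> List[str]:
    """Paths whose extension matches the Anubis ransomware marker."""
    return [p.strip() for p in listing.splitlines() if p.strip().endswith(RANSOM_EXT)]


def triage(pm_output: str, listing: str) -> Dict[str, List[str]]:
    """Combine both checks into one report for a single device."""
    return {"sideloaded": sideloaded_packages(parse_pm_list(pm_output)),
            "encrypted": encrypted_files(listing)}
```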
“Android malware has been around for many years and will be with us for the foreseeable future. Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise,” the report concludes.