7 February 2020

Clever phishing campaign aims to infect Android users with Anubis banking trojan

A new phishing campaign has been detected that attempts to infect Android devices with a nasty piece of malware capable of stealing financial information from more than 250 banking and shopping applications, researchers at Cofense warned.

The campaign specifically targets Android devices that are configured to permit the installation of unsigned applications. The malware in question is the Anubis trojan, which was initially used for cyber espionage but over the years has morphed into a banking trojan. Anubis is able to completely hijack an Android device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim's personal files.

“This version of Anubis is built to run on several iterations of the Android operating system, dating back to version 4.0.3, which was released in 2012,” the researchers said.

The malware is delivered via a malicious link embedded within the phishing email that will download an APK file camouflaged as an invoice.

The interesting part of this campaign is the trick the attackers use to persuade potential victims to install the malware on their devices: the user is asked to enable Google Play Protect. The prompt is not a genuine Google Play Protect screen; accepting it grants the malicious app all the permissions it needs while simultaneously disabling the real Google Play Protect.

Analysis of the malicious code revealed that the application collects a list of installed applications and compares the results against a list of targeted applications. The malware mainly targets banking and financial applications, but it also looks for popular shopping apps such as eBay or Amazon (a full list of targeted applications is provided in the IoC section of the Cofense report).

Once the user opens one of the targeted apps, Anubis overlays the original application with a fake login page to capture the user's credentials.

Anubis comes with a wide range of functions, including:

Capturing screenshots

Enabling or changing administration settings

Opening and visiting any URL

Disabling Play Protect

Recording audio

Making phone calls

Stealing the contact list

Controlling the device via VNC

Sending, receiving and deleting SMS

Locking the device

Encrypting files on the device and external drives

Searching for files

Retrieving the GPS location

Capturing remote control commands from Twitter and Telegram

Pushing overlays

Reading the device ID

Additionally, the banking trojan includes a keylogger that can capture keystrokes from every app on the device, although the keylogging functionality has to be specifically enabled by a command sent from the attackers' command and control server.

The malware also incorporates a ransomware component that encrypts files in both internal and external storage and adds the file extension .AnubisCrypt. It then sends each encrypted file to an attacker-controlled server.
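The capability list above maps closely onto the Android permissions an APK has to declare, which gives a triage analyst a quick static check before ever running a suspicious "invoice" app. The following is an added example (not code from Cofense or the report) that parses a decoded AndroidManifest.xml and reports which of the listed capabilities the app has asked permission for; the permission-to-capability mapping is my own, and the manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"

# My own mapping (not from the Cofense report) of capabilities the article
# lists to the Android permissions an APK must declare to use them.
CAPABILITY_PERMISSIONS = {
    "record audio": {"android.permission.RECORD_AUDIO"},
    "make phone calls": {"android.permission.CALL_PHONE"},
    "steal contact list": {"android.permission.READ_CONTACTS"},
    "send/receive SMS": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS"},
    "retrieve GPS location": {"android.permission.ACCESS_FINE_LOCATION"},
    "push overlays": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "read device ID": {"android.permission.READ_PHONE_STATE"},
    "lock device / admin settings": {"android.permission.BIND_DEVICE_ADMIN"},
    "screenshots / UI control": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
}

def declared_permissions(manifest_xml):
    """Permissions requested via <uses-permission>, plus those binding a
    device-admin <receiver> or accessibility <service>."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag == "uses-permission" and el.get(NS + "name"):
            perms.add(el.get(NS + "name"))
        elif el.tag in ("receiver", "service") and el.get(NS + "permission"):
            perms.add(el.get(NS + "permission"))
    return perms

def anubis_like_capabilities(manifest_xml):
    """Capabilities from the list above whose permissions are all declared."""
    perms = declared_permissions(manifest_xml)
    return sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if need <= perms)

# Constructed manifest of an "invoice viewer" that asks for far more than an
# invoice needs; it is illustrative, not the real sample's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.invoice">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

An invoice viewer that declares seven of these capabilities is worth a closer look regardless of what its icon says; a decoded manifest can be obtained with apktool or `aapt dump xmltree`.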

“Android malware has been around for many years and will be with us for the foreseeable future. Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise,” the report concludes.
