We haven’t heard much about Anubis in recent months. Anubis is the nasty Android-based banking Trojan that has made headlines on more than one occasion.
If history is any guide at all Anubis will soon be making headlines again. It’s back and based on the findings from researchers at Lookout the hackers controlling the malware mean business.
Anubis has been around since at least 2016 when its source code appeared on a variety of Russian hacking forums. Some open-source projects don’t get much love but Anubis has received regular updates that have kept it current and made it more dangerous than ever. Although it’s been a while since the malware was used in a major campaign there are warning signs that things are about to change.
As an example, in 2019 a copy of Anubis was found embedded in an app in the Google Play Store with a not quite functional ransomware module. It was probably placed there as a test. In 2020 Anubis briefly resurfaced courtesy of a large-scale phishing campaign that targeted more than 250 shopping and banking apps.
The Lookout researchers were able to grab a copy of the malware they found circulating in the wild. Based on their findings the newly enhanced malware will be used in a large-scale campaign that will target nearly 300 apps.
Additionally, its latest improvements leave it with the following capabilities:
- Recording screen activity and sound from the microphone
- Implementing a SOCKS5 proxy for covert communication and package delivery
- Capturing screenshots
- Sending mass SMS messages from the device to specific recipients
- Retrieving contacts stored on the device
- Sending, reading, deleting, and blocking notifications for SMS messages received by the device
- Scanning the device for files of interest to exfiltrate
- Locking the device screen and displaying a persistent ransom note
- Submitting USSD code requests to query bank balances
- Capturing GPS data and pedometer statistics
- Implementing a keylogger to steal credentials
- Monitoring active apps to mimic and perform overlay attacks
- Stopping malicious functionality and removing the malware from the device
In other words, Anubis appears to be back from the dead and the coming months will probably be interesting as if we needed that!