Researchers Find 17,490 Anubis Android Malware Samples

Two related servers were recently found hosting 17,490 samples of the same Android malware, Trend Micro’s security researchers say.

Dubbed Anubis, the mobile malware has received numerous updates since it was first observed last year, evolving from a cyber-espionage tool into banking malware. Both information-theft and ransomware-like routines were found in it.

In mid-January of 2019, Anubis was seen leveraging motion-based sensors for sandbox evasion and used overlays to steal sensitive user information.

The 17,490 Anubis samples uncovered contain two labels, namely “Operator Update” and “Google Services,” likely used as social engineering lures to trick users into downloading an Anubis-embedded app.

Samples containing the Operator Update label were found to pack information-stealing capabilities similar to those of the malware’s previous iterations, Trend Micro reveals.

The Trojan can take screenshots, control the device remotely via virtual network computing (VNC), record audio, send/receive/delete SMS, enable or configure device administration settings, get the device’s running tasks, steal the contact list, open a specified URL, disable Google Play Protect, lock the device’s screen, start or initiate USSD, encrypt files, find files, get the device’s location, and retrieve remote control commands from social media channels like Twitter and Telegram.

The malware can hijack a specified Activity (where an app starts its process), monitor targeted apps to overlay fake pages and steal user information or payment data, monitor notifications, and send information strings contained in the notifications to the command and control (C&C) server.

These Anubis samples carry a list of 188 banking- and finance-related apps to steal user information from. Many of these apps are used in Poland, Australia, Turkey, Germany, France, Italy, Spain, the U.S., and India.

The Anubis variant with the Google Services label also contains information-stealing and environment-detecting capabilities.

The malware’s C&C servers are distributed across different countries; some abuse a cloud service, while others abuse an Internet data center (IDC) server. The malware operators have also been using social media channels like Twitter and Google short links to send commands since 2014.

The registration date of one of the accounts suggests the attacker has probably been active for about 12 years.

“The sheer amount of samples we uncovered reflects how Anubis’ authors and operators are actively using their malware. Users should always practice security hygiene when installing apps, especially when the mobile devices are used in BYOD environments,” Trend Micro underlines.

Related: New Strain of Android Malware Found on Third-Party App Store

Related: Exodus Android Spyware With Possible Links to Italian Government Analyzed

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
