SecurityWeek

Researchers Find 17,490 Anubis Android Malware Samples

Two related servers were recently found hosting 17,490 samples of the same Android malware, Trend Micro’s security researchers say.

Dubbed Anubis, the mobile malware has received numerous updates since it was first observed last year, evolving from a cyber-espionage tool into banking malware. Both information-theft and ransomware-like routines were found in it.

In mid-January of 2019, Anubis was seen leveraging motion-based sensors for sandbox evasion and used overlays to steal sensitive user information.

The 17,490 Anubis samples uncovered contain two labels, namely “Operator Update” and “Google Services,” likely used as social engineering lures to trick users into downloading an Anubis-embedded app.

Samples containing the Operator Update label were found to pack information-stealing capabilities similar to those of the malware’s previous iterations, Trend Micro reveals.

The Trojan can take screenshots, control the device remotely via virtual network computing (VNC), record audio, send/receive/delete SMS messages, enable or configure device administration settings, list the device’s running tasks, steal the contact list, open a specified URL, disable Google Play Protect, lock the device’s screen, initiate USSD requests, encrypt files, find files, get the device’s location, and retrieve remote control commands from social media channels such as Twitter and Telegram.

The malware can hijack a specified Activity (the component through which an app starts), monitor targeted apps so it can overlay fake pages and steal user credentials or payment data, monitor notifications, and send the text strings contained in those notifications to the command and control (C&C) server.

These Anubis samples carry a list of 188 banking- and finance-related apps from which they attempt to steal user information. Many of these apps are from Poland, Australia, Turkey, Germany, France, Italy, Spain, the U.S., and India.


The Anubis variant with the Google Services label also contains information-stealing and environment-detecting capabilities.

The malware’s C&C servers are distributed across different countries, with some abusing a cloud service and others abusing an Internet data center (IDC) server. The malware operators have also been using social media channels such as Twitter and Google short links to send commands since 2014.

The registration date of one of the accounts suggests the attacker has probably been active for about 12 years.

“The sheer amount of samples we uncovered reflects how Anubis’ authors and operators are actively using their malware. Users should always practice security hygiene when installing apps, especially when the mobile devices are used in BYOD environments,” Trend Micro underlines.

Related: New Strain of Android Malware Found on Third-Party App Store

Related: Exodus Android Spyware With Possible Links to Italian Government Analyzed

Ionut Arghire is an international correspondent for SecurityWeek.