Anubis is back. Yes, you heard absolutely correct. Anubis is back on track. Let’s understand what it is, it’s functioning, working and consequences in detail.
Here is a glimpse into the Android banking Trojan’s capabilities.
Anubis is a credential-stealing malware that predominantly targets Turkish users. It is a malware family known as Anubis and has successfully come back to tracking Google Play Store in the past few months. Over 17,000 new samples of information-stealing malware have been discovered with an extensive target on the financial apps list. Thousands of new samples are targeting a total of 188 banks and finance-related apps. The main attacker behind Anubis is active from the last 12 years and to regain its control, it has retooled the malware for use in recent attack waves. The Anubis banking Trojan is often found in phishing and social engineering campaigns in which people are made to download malicious apps containing malware. Anubis is intended to steal private SMS messages, videos, photos, email accounts, contacts, calendar events, and browser histories from Samsung Internet Browser and chrome. It can also disable Google play protect. Also, it is capable of taking screenshots, spy on the victims, recording audio, locking the device’s screen, and encrypting files. It basically targets Android users via malicious apps that are easily available on the Google Play Store. In the infected android devices, this Trojan steals financial information from banking apps and essential login credentials.
What are the capabilities of Anubis Trojan?
- Anubis is capable to rob personal SMS messages, photos, videos, contact details, email accounts information, calendar events details, and browser histories from Chrome and Samsung Internet Browser.
- It can record audios and take screenshots.
- It can keep an eye on the victims via the malicious apps installed on the Android device.
- These banking Trojan can run commands.
- They can delete files on the device.
- Anubis can install and uninstall APKs, also have the ability to self-destruct.
- It can disable Google Play Protect and lock the device’s screen.
- It can configure or enable device administration settings.
- It is also capable of encrypting files.
Anubis versions The Anubis Trojan’s first variant named as “Anubis II” was first discovered in the end months of 2017. One year after, in December 2018, the threat actors behind Anubis, announced the release of another version Anubis 2.5. A post to sell malware named Anubis 3 was created by an attacker on an underground forum in March 2019. Anubis mainly targets Turkish speaking mobile users via at least 10 fake apps available in the official Google Play Store. Financial frauds are facilitated by stealing login credentials, once after these apps download the Anubis Trojan on the infected device. Anubis distributed via Google Play apps A new variant was spotted across 93 different countries in which Trojan distinguished as two Android apps in January 2019. These two Android apps were “BatterySaverMobi” and “Currency Converter”. Once installed, these malicious apps focus to grant permission for access to user’s phones and through this, try to steal account information by keylogging. PayPal’s credentials were stolen in April 2019 as a security researcher stated. All files are encrypted on an external medium and lock the infected device with a black screen. All encrypted files are appended with an. AnubisCrypt extension. Trojan collects PayPal credentials by taking screenshots when users enter their credentials into malicious apps. Information stealing and environment detection are activated. Anubis tracked activities saw two related servers containing a total of 17,490 samples.
How does Anubis android banking Trojan work?
A payload known as Trojan is designed to steal banking credentials, provide its masters with a RAT backdoor, and send SMS spam among other things. This payload is the main activator behind the app’s malicious behavior. Once the Anubis banking Trojan is dropped by a malware downloader on the compromised device, it directly or indirectly starts collecting banking information. Information is collected either by taking screenshots or with the help of an inbuilt key logger module. Screenshots are taken when the user inserts credentials into apps, irrespective of all other banking Trojans known to use overlay screens for the same task. Anubis samples with ransomware features are not new in attacking the market, with the capability to encrypt files using an. Anubiscrypt file extension. Ransomware component which is already built-in encrypts user files and gives them. Anubiscrypt file extension. This Trojan runs on a phone, where the backup is less common than a laptop or desktop and is more likely to have valuable data and personal photos too. Anubis is still in renovation phase, Anubis masters are still actively adding new features at their malware. This addition and development might take some more time.
Precautions which can be taken to prevent chances of Anubis on your device
Android users are recommended to enable Google Play Protect on your device. Also, be aware of malicious apps on Google Play Store. Check out the detailed permission page before admitting with all access permissions to the concerned app. Precaution is the only prevention for Anubis banking Android Trojan.