web analytics

Anubis Android Malware Returns with Over 17,000 Samples

By: Tony Bao (Mobile Threats Analyst)

The 2018 mobile threat landscape had banking trojans that diversified their tactics and techniques to evade detection and further monetize their malware — and in the case of the Anubis Android malware, retooled for other malicious activities. Anubis underwent several changes since it first emerged, from being used for cyberespionage to being retooled as a banking malware, combining information theft and ransomware-like routines. In mid-January of 2019, we saw Anubis use a plethora of techniques, including the use of motion-based sensors to elude sandbox analysis and overlays to steal personally identifiable information.

The latest samples of Anubis (detected by Trend Micro as AndroidOS_AnubisDropper) we recently came across are no different. While tracking Anubis’ activities, we saw two related servers containing 17,490 samples.


Figure 1. Anubis’ infection chain

Uncovering 17,490 Anubis Samples
We used the following samples (SHA-256) to analyze Anubis and further track this threat’s activities:

  • 30b0b3b0d4733f3b94517ab4e407214e82abf6aad3adf918717ff842e28d672f
  • 451194f0d9b902b6763762023ca02f6539fc72276347b8a8aed3a901bece4892

These Anubis variants request the following URLs and parse an XML file to download a malicious app:

  • hxxp://markuezdnbrs[.]online/deneme/api[.]php?xml=8c6c029e-153b-41e1-a061-2699a45b69f9
  • hxxp://successiondar[.]xyz/continuing/resigned[.]php?xml=7e393286-925c-41f4-ac81-b7e2625473d0

The malicious Android application packages (APKs) will be retrieved from these URLs:

  • hxxp://markuezdnbrs[.]online/deneme/apk/6928[.]apk
  • hxxp://successiondar[.]xyz/continuing/kan/5425[.]apk

Checking on other Anubis-related URLs, we uncovered that they hosted 17,490 samples:

  • hxxp://markuezdnbrs[.]online/deneme/apk/[0-7810] [.]apk
  • hxxp://successiondar[.]xyz/continuing/kan/[2-9680] [.]apk

We found two labels in these samples: “Operatör Güncellemesi” and “Google Services.” In Turkish, Operatör Güncellemesi means “Operator Update.” These labels are probably social engineering lures used to trick unwitting users into downloading an Anubis-embedded app.


Figure 2. Code snippets showing Anubis dropper’s request URLs (highlighted)


Figure 3. Screenshot showing Anubis samples

Technical Analysis
The samples bearing specific labels appear to have different routines from others. We analyzed an Anubis variant with the Operatör Güncellemesi label (SHA-256: 6079af3bab8bb0ba445cd0dd896d8c8d7845da3757755b4ef3af584d227e0490) and found that its information-stealing capabilities are similar to those of the malware’s previous iterations:

  • Take screenshots of the infected device’s screen
  • Remotely control the device via virtual network computing (VNC)
  • Record audio
  • Send, receive, and delete SMS
  • Enable or configure device administration settings
  • Get the device’s running tasks
  • Steal the device’s contact list
  • Open a specified URL
  • Disable Google Play Protect
  • Lock the device’s screen
  • Start or initiate unstructured supplementary service data (USSD), which is the technology used to send text messages between a mobile device and application
  • Encrypt files, including those stored on the SD card (as AnubisCrypt)
  • Find or locate files
  • Get the device’s location
  • Retrieve remote control commands from social media channels like Twitter and Telegram

Anubis is also capable of hijacking a specified Activity (where an app starts its process). Anubis monitors the activity of the targeted apps (Figure 5 and Table 1), and once it determines that these apps are open or being used, the attacker can abuse the WebView feature to display the apps’ content on a web page. This can then be used to carry out overlay techniques to steal payment data or used as an attack vector for phishing. Anubis can also monitor notifications and send the information strings contained in the notification to the C&C server.

These iterations of Anubis have a list of targeted financial apps from which it steals personal and financial data, as shown in Figure 5 and Table 1. Like its previous versions, these new variants can still detect if they are being tested on virtual machines via motion-based sensors. It can also detect if it is being run on an Android emulator (e.g., Genymotion or x86-based machines).

Anubis targets a total of 188 banking- and finance-related apps, many of which are in Poland, Australia, Turkey, Germany, France, Italy, Spain, U.S., and India (see Figure 6 for the geographical distribution of the finance-related apps it targets).


Figure 4. Anubis sample with the Operatör Güncellemesi label


Figure 5. Code snippet showing the financial apps targeted by Anubis

Package NameDescription
com.orangefinanseKompakt Finanse produkty bankowe dostarcza mBank
pl_pl.ceneoThe largest price comparison app in Poland
may.maybank.androidMalayan Banking Berhad

Table 1. Other newly added apps targeted by Anubis


Figure 6. The geographical distribution of finance-related apps targeted by Anubis

We analyzed a sample of the Anubis variant with the Google Services label (SHA-256: 77a602217b272955ca255634da9a9736431ac6e244b104fd2bb6656f99ab6cab) and found that it first had to be unpacked. The samples with this label had information-stealing and environment-detecting capabilities, similar to those with the Operatör Güncellemesi label.


Figure 7. A sample of Anubis with the Google Services label

Correlating Anubis’ Command-and-Control (C&C) Communications
Anubis’ C&C servers are distributed across different countries. Some are deployed by abusing a cloud service, while some abuse an internet data center (IDC) server. Figure 8 shows the domains where Anubis downloads the payloads.


Figure 8. Anubis’ C&C infrastructure, including the domains where it retrieves the payload

Further tracking Anubis’ C&C activities, we found that its operators have been using social media channels like Twitter (with the attacker-owned Twitter accounts’ followers mostly using Turkish) and Google short links to send commands since 2014. According to one of the accounts’ registration date, the attacker has probably been active for about 12 years.


Figure 9. Twitter accounts abused by Anubis’ operators to issue C&C commands and ways they abused Google short links for C&C communications

The sheer amount of samples we uncovered reflect how Anubis’ authors and operators are actively using their malware. Users should always practice security hygiene when installing apps, especially when the mobile devices are used in BYOD environments.

End users and enterprises can also benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™ (available on Google Play). Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that exploit vulnerabilities, prevents unauthorized access to apps, and detects and blocks malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies, protecting devices against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.

Indicators of Compromise (IoCs):
Hashes related to Anubis (SHA-256) detected as AndroidOS_AnubisDropper:

  • 9046270d735579bcedb6bb7c0a2ad21f9b5ef9432e46e733b36de964aecd3abc (labeled Operatör Güncellemesi)
  • 6079af3bab8bb0ba445cd0dd896d8c8d7845da3757755b4ef3af584d227e0490 (labeled Operatör Güncellemesi)
  • 1acca6953081cfc12d5cbeda1990b93b3298b1adc3c6ffad624e454f5854736f (labeled Google Services)
  • f767baadda60c618d7e14461831e7371a54cdf152b1fd5eb52a8aa4bb7300227 (labeled Google Services)

Domains related to Anubis’ C&C activities:

  • hxxp://demo[.]website[.]com/
  • hxxp://ktosdelaetskrintotpidor[.]com
  • hxxp://marksteylor[.]us/
  • hxxp://sositehuypidarasi[.]com
  • hxxps://blackleaf[.]top
  • hxxps://firstdoxed[.]space
  • hxxps://lskbfidsbvkjsfgakfjsdffsdfupdate[.]net
  • hxxps://lskbfidsbvkjsfgakfjsdffsdfupdate[.]net/o1o/a16[.]php
  • hxxps://ndudetto[.]top
  • hxxps://playclints1[.]space
  • hxxps://sositehuypidarasi[.]com
  • hxxps://t[.]me/newpaparoni
  • hxxps://t[.]me/thethe123
  • hxxps://t[.]me/unite11

The post Anubis Android Malware Returns with Over 17,000 Samples appeared first on .