Cybercriminals have organized a phishing campaign aimed at Android users that infects smartphones and tablets with the Anubis banking trojan. The malware is able to steal financial information from more than 250 banking and shopping apps.
Attackers send victims phishing emails containing a link that, when opened from an Android device, downloads an APK file disguised as an invoice. After opening the file, the user is shown what looks like a prompt to enable “Google Play Protect”; in reality, accepting it grants the application all the permissions it needs while disabling the real security service.
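The delivery step described above (an email link leading to an APK named like an invoice) is something a mail gateway or SOC triage script can flag before the file reaches a device. The following is an added example, not code from the article or from Cofense: it parses a constructed sample message, extracts every link, and reports those whose path ends in `.apk`, noting whether the subject, anchor text or file name carries an invoice-style lure. The sample message, the `example.invalid` domains and the `LURE_WORDS` list are assumptions for the demonstration.

```python
"""
Added example (not from the original article): a mail-triage heuristic that
flags emails whose links lead to an Android APK disguised as an invoice.
The sample message below is constructed for the demonstration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample in the style the article describes (not a real email).
SAMPLE_EMAIL = """From: billing@example.invalid
To: victim@example.invalid
Subject: Your invoice #48213
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the attached invoice.</p>
<p><a href="http://files.example.invalid/downloads/Invoice_48213.apk">Download invoice</a></p>
<p><a href="https://www.example.invalid/help">Help center</a></p>
</body></html>
"""

# Assumed lure vocabulary; extend from your own phishing telemetry.
LURE_WORDS = ("invoice", "bill", "payment", "receipt")


class _LinkCollector(HTMLParser):
    """Collects (href, anchor text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(raw_message: str):
    """Parse a raw RFC 822 message and return (message, [(href, anchor_text), ...])."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    links = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            parser = _LinkCollector()
            parser.feed(part.get_content())
            links.extend(parser.links)
        elif ctype == "text/plain":
            # Plain-text parts carry bare URLs rather than anchors.
            for url in re.findall(r"https?://\S+", part.get_content()):
                links.append((url, ""))
    return msg, links


def triage(raw_message: str):
    """Return one finding per link whose URL path ends in .apk."""
    msg, links = extract_links(raw_message)
    subject = (msg["subject"] or "").lower()
    findings = []
    for href, text in links:
        path = urlparse(href).path.lower()
        if not path.endswith(".apk"):
            continue
        # Flag the invoice-style lure when it appears in subject, anchor or file name.
        lure = any(w in subject or w in text.lower() or w in path for w in LURE_WORDS)
        findings.append({"url": href, "anchor_text": text, "invoice_lure": lure})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EMAIL):
        print(f)
```

The check is deliberately narrow: an `.apk` link in mail is a strong signal on its own, and the lure flag only ranks the finding for an analyst. Links that redirect to an APK through a shortener will not match the path test and need URL expansion upstream.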
Once on an Android device, Anubis collects information about the installed applications and compares the results with a list of target programs. Anubis focuses mainly on banking and financial applications, but it also looks for popular shopping apps such as eBay or Amazon.
As soon as Anubis finds a matching app, it overlays the app's real login window with a fake one in order to steal the user's credentials.
During their analysis, Cofense researchers found that the banking trojan has a wide range of functions, including capturing screenshots, disabling and changing administration settings, disabling the built-in Google Play Protect protection, recording sound, making calls and sending SMS messages, accessing contacts in the address book, receiving commands from operators via Telegram and Twitter, and controlling the device through VNC remote desktop access.
The malware also contains a keylogger that can intercept keystrokes from any application installed on a compromised Android device. This module, however, must first be activated by the operators with a command from the C&C server.
Anubis can also encrypt files in internal storage and on external drives using a dedicated ransomware module, appending the .AnubisCrypt extension to encrypted files and sending them to the C&C server.
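The `.AnubisCrypt` extension named above is the one file-system indicator the article gives, and it is what a responder would look for first when triaging a device backup or a mounted SD card. The following is an added example, not code from the article or from Cofense: it walks a directory tree, matches the extension case-insensitively, recovers the original file names and summarizes which directories were touched. The sample tree it builds is constructed in a temporary directory and contains no real data; the directory names and file names are assumptions.

```python
"""
Added example (not from the original article): an incident-response helper
that finds files carrying the .AnubisCrypt extension the article names and
reports the original names and affected directories. The sample tree is
constructed in a temporary directory for the demonstration.
"""
import os
import tempfile
from pathlib import Path

RANSOM_EXT = ".anubiscrypt"  # the article's .AnubisCrypt marker, matched case-insensitively


def scan_tree(root):
    """Return a sorted list of (encrypted_path, original_name) for every marker hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(RANSOM_EXT):
                # The marker is appended, so stripping it recovers the original name.
                original = name[: -len(RANSOM_EXT)]
                hits.append((str(Path(dirpath) / name), original))
    return sorted(hits)


def summarize(hits):
    """Count hits per directory so responders can see which trees were encrypted."""
    by_dir = {}
    for path, _original in hits:
        parent = str(Path(path).parent)
        by_dir[parent] = by_dir.get(parent, 0) + 1
    return by_dir


def build_sample_tree():
    """Construct a throwaway sample tree (assumed layout, not victim data)."""
    root = Path(tempfile.mkdtemp(prefix="anubis_demo_"))
    (root / "DCIM").mkdir()
    (root / "Download").mkdir()
    for rel in ("DCIM/IMG_0001.jpg.AnubisCrypt",
                "DCIM/IMG_0002.jpg.AnubisCrypt",
                "Download/notes.txt",
                "Download/report.pdf.anubiscrypt"):
        (root / rel).write_bytes(b"sample")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    found = scan_tree(demo_root)
    for encrypted, original in found:
        print(f"{encrypted} (was {original})")
    print(summarize(found))
```

An extension match is a cheap, post-hoc indicator: it confirms that the ransomware module ran and scopes the damage, but it says nothing about the rest of the infection, so the device itself still needs to be treated as fully compromised.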