Anubis Android malware is back, and going after your banking apps

(Image credit: Iaremenko Sergii / Shutterstock)

Security researchers have uncovered a new cybercrime campaign using the notorious Anubis banking malware.

According to security frm Lookout, the malware, which first surfaced in 2016, has returned and is targeting customers of almost 400 financial institutions, cryptocurrency wallets, and virtual payment platforms.

Investigating a dangerous new mobile virus campaign, Lookout researchers discovering a modified version of Anubis being distributed through a novel way - by stealing the identity of one of the biggest telecommunication service providers in France - Orange S.A, and presenting itself as its "official" account management application.

Under threat

Anubis is a banking Trojan that collects valuable finance-related data such as SMS messages from the victim, but is also able to log keys, exfiltrate files, monitor the screen, harvest GPS data, and take advantage of other accessibility services enabled on the device.

However, to do all that, it often needs to ensure the device owner enables third-party apps. If Anubis detects that the device has Google Play Protected enabled, it will push a fake system alert to try and deceive the user into disabling it. Only after Google Play Protected is disabled, does Anubis get full access to the target device and the ability to do the abovementioned actions.

Very little is known about the creators of Anubis, or the malicious actors behind the latest distribution campaign. According to multiple media sources, the actor behind the Trojan is known as Maza-In, and was arrested by Russian authorities back in 2019. However, the malware did get a few updates at a later date, and in 2020, returned through large-scale phishing campaigns, when it went after 250 shopping and banking apps.

One of the versions even came with an “almost-functional” ransomware module, as it enabled the attackers to encrypt the data on the target device. However, there’s no record of Anubis being used in the wild as a ransomware. 

  • You might also want to check out our list of the best firewalls right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.