The reemerging Anubis Android banking malware is targeting users of more than 300 financial mobile applications in a new campaign. Researchers observed its operators going after cryptocurrency wallets, virtual payment services, and financial institutions. The threat actors also spoof an Orange S.A. Android application to steal login credentials.
The researchers who published the advisory noted that the Anubis campaign is still in a trial and development stage.
The researchers explained that Anubis presents fake phishing login forms when a user opens one of the targeted apps, in order to exfiltrate credentials. The overlay is drawn over the application's real login screen, so the victim sees nothing unusual and enters their information without hesitation. Once the victim completes the form, the entered credentials are sent to the threat actors' infrastructure.
This latest version of Anubis displays numerous capabilities, including screen recording, proxying communications, taking screenshots, sending SMS messages, reading messages, scanning the device, submitting USSD code requests to query bank account balances, monitoring active apps, and more.
Like the previous version, the new one checks whether Google Play Protect is active on the infected device and pushes a fake system alert to trick the user into turning it off. Once the user disables Play Protect, Anubis obtains full access to the device and can process commands from its command-and-control (C2) server without interruption.
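The overlay technique and the screen-capture capability described above are both things a banking app can partially defend against from its own side. The following Android Activity is an added illustration written for this page; it is not code from the researchers' report and not Anubis code. `LoginActivity`, `R.layout.activity_login`, `R.id.username` and `R.id.password` are assumed names for a hypothetical app. It applies `FLAG_SECURE` so the window is excluded from screenshots and MediaProjection-based screen recording, and it treats loss of window focus while the login screen is still resumed as a sign that a focusable window (such as a phishing overlay that needs keyboard input) has been placed on top.

```java
// Added example: a login Activity hardened against overlay phishing and
// screen capture. Illustrative code written for this page, not the
// researchers' code and not Anubis code. LoginActivity, R.layout.activity_login,
// R.id.username and R.id.password are assumed names for a hypothetical app.
import android.os.Bundle;
import android.util.Log;
import android.view.WindowManager;
import android.widget.EditText;
import androidx.appcompat.app.AppCompatActivity;
import androidx.lifecycle.Lifecycle;

public class LoginActivity extends AppCompatActivity {
    private static final String TAG = "LoginHardening";
    private EditText username;
    private EditText password;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // FLAG_SECURE excludes this window from screenshots and from
        // MediaProjection-based screen recording. It does NOT stop an
        // accessibility service from reading view text, so it is one layer only.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);
        setContentView(R.layout.activity_login);   // assumed layout
        username = findViewById(R.id.username);    // assumed ids
        password = findViewById(R.id.password);
    }

    // A phishing overlay that collects typed text must be focusable, and a
    // focusable window placed on top takes window focus away from this
    // Activity while it is still in the RESUMED state. Losing focus in that
    // state is therefore a useful heuristic. It also fires for benign reasons
    // (system dialogs, pulling down the notification shade), so the reaction
    // is defensive rather than blocking: wipe the fields and record the event.
    @Override
    public void onWindowFocusChanged(boolean hasFocus) {
        super.onWindowFocusChanged(hasFocus);
        boolean stillResumed =
                getLifecycle().getCurrentState().isAtLeast(Lifecycle.State.RESUMED);
        if (!hasFocus && stillResumed) {
            Log.w(TAG, "Login window lost focus while resumed; possible overlay");
            clearCredentialFields();
        }
    }

    // Malware that hijacks the screen with its own full Activity instead of an
    // overlay pauses this one rather than stealing focus, so clear on pause too.
    @Override
    protected void onPause() {
        clearCredentialFields();
        super.onPause();
    }

    private void clearCredentialFields() {
        if (username != null) username.setText("");
        if (password != null) password.setText("");
    }
}
```

Neither measure stops a user from typing into a convincing fake form; the point is to deny the attacker screen captures of the real form and to make sure that whatever the victim already typed into the genuine fields is not left sitting there when a suspicious window appears on top. Telemetry from the focus-loss event is also worth forwarding to the bank's fraud team rather than only logging locally.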
The threat actors behind the Anubis campaign against financial apps remain unidentified.
Researchers stated that there is no current information on who is distributing the Anubis malware, as the operators have been careful to conceal themselves while targeting financial apps. However, the researchers identified that the Anubis operators use Cloudflare to proxy all network traffic over SSL (Secure Sockets Layer), while the C2 server disguises itself as a cryptocurrency trading website. Fronting the server with Cloudflare means only Cloudflare's edge addresses are visible to anyone inspecting the traffic, which hides the origin server and complicates both attribution and takedown.
Researchers also believe that the communication between Anubis and its C2 is not yet protected, while the admin panel area remains out of reach. Because the Anubis code is widely circulated on hacking forums, the original developers are difficult to trace, and linking this campaign to specific threat actors has proven impossible.
Orange S.A. customers are advised to download the mobile app only from the official telecommunications website or the Google Play Store. Users should closely examine any permission request before granting it, so that malware is not handed the access it needs.