Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus

Mobile Malware App Anubis Strikes AgainContinues to Lure Users Disguised as a Fake Antivirus 

Anubis is an Android banking Trojan created and advertised by a threat actor with the nickname “maza-in”. This malware family has been conducting well-known overlay attacks by combining advanced features such as the capability to stream screens, record sounds, browse files remotely, keylogging abilities, and the capability to function as a network proxy. These features make it an effective banking malware and a potential tool for spying. 

Generally, this malware operates by tricking unsuspecting victims into submitting confidential and sensitive information such as online banking credentials, banking security codes, and Credit Card details. Being a banking Trojan does not mean that the Anubis malware variant will masquerade as a banking app; in most cases, it is disguised as a third-party app. Some of the disguises used by Anubis are fake mobile games, software updates, post/mail apps, flash-player apps, utility apps, fake browsers and even social-network and communication apps. 

The list of malware features of Anubis is shown below: 

  • Overlaying: Static (hardcoded in bot) 
  • Overlaying: Dynamic (C2 based) 
  • Keylogging 
  • Contact list collection 
  • Screen streaming 
  • Sound recording 
  • SMS harvesting: SMS forwarding 
  • SMS blocking 
  • SMS sending 
  • Files/pictures collection 
  • Calls: USSD request making 
  • Ransomware: Cryptolocker 
  • Remote actions: Data-wiping 
  • Remote actions: Back-connect proxy 
  • Notifications: Push notifications 
  • C2 Resilience: Twitter/Telegram C2 update channels 

Some of the common delivery techniques that are used by Anubis malware are: 

  • Google Play campaigns:  
    This includes Bypassing Google Play security mechanisms and spreading the Trojan using the official app store. 
  • Spam campaigns
    This uses SMS or emails with a request to install or update some legitimate application that links to the malware. 
  • Web redirection
    Using advertisement on websites, hacked sites, traffic exchanges lures the victim to a fake landing page containing a malware app. 

In a recent tweet, a security engineer shared information about a fake antivirus android app camouflaged as a well-known antivirus and available from an unsecured web source. When users access the unsecure link available from the search engine for download, it navigates them to an Index page with the file content named as “Avast Antivirus ULTIMATE 2021.apk”, and on selecting it, users can download the APK file.  

On scanning the downloaded file through VirusTotal, it turned out to be a variant of the Banking Trojan Anubis detected by multiple antivirus signatures, as shown in Figure 1. 

Figure 1 VirusTotal Detections of the App 

For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application using the digest from the VirusTotal result.  

Figure 2 Information available in the Cyble Threat Intelligence Platform 

Technical Analysis: 

 
Digest used for our analysis: 34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb 
 

Package Name: wocwvy.czyxoxmbauu.slsa 

Main Activity: wocwvy.czyxoxmbauu.slsa.ncec.myvbo 

Upon performing static analysis on the above app, the malware was found to be more like the Cerberus Banking Trojan malware, which also steals victim data to access their bank accounts. The permissions used by this malware are listed below in the Fig. 3 
 

Figure 3 Permissions requested by the app 

After opening the application, it requests users to enable the accessibility service from the settings to enable full access to the app. After that, it lures victims into changing the Accessibility settings on their phones, forbidding them to uninstall the app. Also, through this service, the app executes screen taps and other commands without the user’s knowledge. 

Figure 4 Accessibility service needs to be enabled for the app 

Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below: 

Permissions 

  • android.permission.SYSTEM_ALERT_WINDOW 
  • android.permission.GET_TASKS 
  • android.permission.RECEIVE_SMS 
  • android.permission.INTERNET 
  • android.permission.READ_SMS 
  • android.permission.PACKAGE_USAGE_STATS 

Services: 

  • wocwvy.czyxoxmbauu.slsa.lmimy 
  • wocwvy.czyxoxmbauu.slsa.wfveenegvz 
  • wocwvy.czyxoxmbauu.slsa.frvvkgp 
  • wocwvy.czyxoxmbauu.slsa.ukhakhcgifofl 
  • wocwvy.czyxoxmbauu.slsa.jtfxlnc 
  • wocwvy.czyxoxmbauu.slsa.blkzyyyfc 
  • wocwvy.czyxoxmbauu.slsa.whemsbk 
  • wocwvy.czyxoxmbauu.slsa.nepgaqmyfrhw 
  • wocwvy.czyxoxmbauu.slsa.clgqtzqdh 
  • wocwvy.czyxoxmbauu.slsa.usbvhkriufnc 
  • wocwvy.czyxoxmbauu.slsa.egxltnv 
  • wocwvy.czyxoxmbauu.slsa.kldqwysgkfcrmq 
  • wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.jkeggfql 
  • wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.nvsdtnxkzjgw 
  • wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.brtltydqhiuqbb 
  • wocwvy.czyxoxmbauu.slsa.xelytgswelv 
  • wocwvy.czyxoxmbauu.slsa.mvqkjokaxfrpf 
  • wocwvy.czyxoxmbauu.slsa.wahiuolww 
  • wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.cpysnikhf 
  • wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.wifu 
  • wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.dshd 
  • wocwvy.czyxoxmbauu.slsa.kuv.sfswwunyakpjr 
  • wocwvy.czyxoxmbauu.slsa.ttiegryczsx 
  • wocwvy.czyxoxmbauu.slsa.blyvffs 

Receivers: 

  • wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.cmtstflxlxb 
  • wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.qpgopfninoaazln 
  • wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hypihteeavv 
  • wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hwfe 

Intent Filters by Action: 

  • android.intent.action.RESPOND_VIA_MESSAGE 
  • android.accessibilityservice.AccessibilityService 
  • android.intent.action.MAIN 
  • android.intent.action.SEND 
  • android.intent.action.SENDTO 
  • android.provider.Telephony.WAP_PUSH_DELIVER 
  • android.provider.Telephony.SMS_DELIVER 
  • android.intent.action.PACKAGE_ADDED 
  • android.intent.action.PACKAGE_REMOVED 
  • android.provider.Telephony.SMS_RECEIVED 
  • android.net.conn.CONNECTIVITY_CHANGE 
  • android.net.wifi.WIFI_STATE_CHANGED 

Using the above permissions granted by users, the following activities are performed in the users’ devices: 

  1. The app tries to get the accessibility permission for UI automation 

Figure 5 Starts Activity based on Accessibility permission 

  1. The malware makes the device ignore battery Optimization 

Figure 6 Checks for package and ignores Battery Optimization 

  1. It will disable the administrator user access through the device policy manager 

Figure 7 Removing Active Admin User 

  1. The malware runs a query to get the list of currently running apps along with the most recent running apps 

Figure 8 Stores the list of recent running apps 

  1. The malware protects itself from being removed or uninstalled and stays hidden from the application launcher 

Figure 9 Hides from the application launcher through package manager 

  1. Monitors incoming text messages and creates data through PDU 

Figure 10 Gets Inflow of text messages 

  1. Gets phone contact information from the victim’s device 

Figure 11 Queries the Phone contacts 

All the data collected from the devices are then sent to the C2 link, which seems to be encrypted in this app, and the encryption technique used is AES along with the key, as shown below in the Fig. 12.lo 

Figure 12 Encryption Technique used 

Following are the ways in which the above encryption techniques are used in multiple classes and methods, as shown in Fig. 13. 

Figure 13 Uses of the Encryption Technique 

On decrypting the above string and on performing the Dynamic analysis on the same, we found that the collected data is sent to the well-known C2 link of the Anubis variant. 
 
C2 link: hxxp://darkweb[.]bitcoingen[.]store//o1o/a16[.]php 

Under normal circumstances, before downloading, users can identify whether an APK is authentic or fake based on the following criteria:  
 

  1. Source of the file (Secure/Not secure) is a good indicator of whether the app is genuine or fake. For instance, before downloading an application from an unkown source such as a web URL, it is important to check if the source is secure. 
  1. Size of the app. For example, the size of a fake app is less when compared with an authentic one. 
  1. Spelling errors or Icon mismatches can also help distinguish fake apps from genuine ones. 

By these parameters, the APK downloaded from the provided URL was identified as a fake app. In addition, the size of the downloaded app is around 500 KB, while commonly, any antivirus APK size would be around a few MBs. Also, the source of the file in this case is an unsecure site, which would not have been the case for an authentic app that is published either in their website that redirects to an authentic app store. 

Safety Recommendations: 

  1. Keep your antivirus software updated to detect and prevent malware infections. 
  1. Keep your system and applications updated. 
  1. Use strong passwords and enable two-factor authentication during logins. 
  1. Verify the privileges and permissions requested by the app before granting access. 
  1. People concerned about the exposure of their stolen credentials in the dark web can register at AmiBreached.com to ascertain their exposure. 

MITRE ATT&CK® Techniques- for Mobile 

Tactic Technique ID Technique Name 
Defense Evasion T1418 T1406 1. Application Discovery 2. Obfuscated Files or Information  
Credential access T1412 1. Capture SMSes  
Discovery T1421 
T1430 T1418 T1426 T1424 
1. System Network Connections Discovery 2. Location Tracking 3. Application Discovery 4. System Information Discovery 5. Process Discovery 
Collection T1432 
T1433 T1430 T1429 T1507 T1412  
1. Access Contact List 2. Access Call Log 3. Location Tracking 4. Capture Audio 5. Network Information Discovery 6. Capture SMSes  
Command and Control T1573 T1071 T1571 1. Encrypted Channel 2. Application Layer Protocol 3. Non-Standard Port 
Impact T1447 1.Delete Device Data 

Indicators of Compromise (IoCs): 

IoC  IOC Type  
34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb SHA256   
android.accessibilityservice.AccessibilityService Intent by Action 
hxxp://darkweb.bitcoingen.store//o1o/a16[.]php Interesting URL 
hxxp://darkweb.bitcoingen[.]store/ Interesting URL 
172.217.15[.]106 IP address 
64.233.165[.]95 IP address 
173.194.222[.]95 IP address 
data/data/wocwvy.czyxoxmbauu.slsa/shared_prefs/set.xml File path dropped 

About Cyble: 

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.   

Scroll to Top