Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus
Anubis is an Android banking Trojan created and advertised by a threat actor with the nickname “maza-in”. This malware family has been conducting well-known overlay attacks by combining advanced features such as the capability to stream screens, record sounds, browse files remotely, keylogging abilities, and the capability to function as a network proxy. These features make it an effective banking malware and a potential tool for spying.
Generally, this malware operates by tricking unsuspecting victims into submitting confidential and sensitive information such as online banking credentials, banking security codes, and Credit Card details. Being a banking Trojan does not mean that the Anubis malware variant will masquerade as a banking app; in most cases, it is disguised as a third-party app. Some of the disguises used by Anubis are fake mobile games, software updates, post/mail apps, flash-player apps, utility apps, fake browsers and even social-network and communication apps.
The list of malware features of Anubis is shown below:
- Overlaying: Static (hardcoded in bot)
- Overlaying: Dynamic (C2 based)
- Keylogging
- Contact list collection
- Screen streaming
- Sound recording
- SMS harvesting: SMS forwarding
- SMS blocking
- SMS sending
- Files/pictures collection
- Calls: USSD request making
- Ransomware: Cryptolocker
- Remote actions: Data-wiping
- Remote actions: Back-connect proxy
- Notifications: Push notifications
- C2 Resilience: Twitter/Telegram C2 update channels
Some of the common delivery techniques that are used by Anubis malware are:
- Google Play campaigns:
This includes Bypassing Google Play security mechanisms and spreading the Trojan using the official app store. - Spam campaigns:
This uses SMS or emails with a request to install or update some legitimate application that links to the malware. - Web redirection:
Using advertisement on websites, hacked sites, traffic exchanges lures the victim to a fake landing page containing a malware app.
In a recent tweet, a security engineer shared information about a fake antivirus android app camouflaged as a well-known antivirus and available from an unsecured web source. When users access the unsecure link available from the search engine for download, it navigates them to an Index page with the file content named as “Avast Antivirus ULTIMATE 2021.apk”, and on selecting it, users can download the APK file.
On scanning the downloaded file through VirusTotal, it turned out to be a variant of the Banking Trojan Anubis detected by multiple antivirus signatures, as shown in Figure 1.
Figure 1 VirusTotal Detections of the App
For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application using the digest from the VirusTotal result.
Figure 2 Information available in the Cyble Threat Intelligence Platform
Technical Analysis:
Digest used for our analysis: 34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb
Package Name: wocwvy.czyxoxmbauu.slsa
Main Activity: wocwvy.czyxoxmbauu.slsa.ncec.myvbo
Upon performing static analysis on the above app, the malware was found to be more like the Cerberus Banking Trojan malware, which also steals victim data to access their bank accounts. The permissions used by this malware are listed below in the Fig. 3
Figure 3 Permissions requested by the app
After opening the application, it requests users to enable the accessibility service from the settings to enable full access to the app. After that, it lures victims into changing the Accessibility settings on their phones, forbidding them to uninstall the app. Also, through this service, the app executes screen taps and other commands without the user’s knowledge.
Figure 4 Accessibility service needs to be enabled for the app
Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below:
Permissions
- android.permission.SYSTEM_ALERT_WINDOW
- android.permission.GET_TASKS
- android.permission.RECEIVE_SMS
- android.permission.INTERNET
- android.permission.READ_SMS
- android.permission.PACKAGE_USAGE_STATS
Services:
- wocwvy.czyxoxmbauu.slsa.lmimy
- wocwvy.czyxoxmbauu.slsa.wfveenegvz
- wocwvy.czyxoxmbauu.slsa.frvvkgp
- wocwvy.czyxoxmbauu.slsa.ukhakhcgifofl
- wocwvy.czyxoxmbauu.slsa.jtfxlnc
- wocwvy.czyxoxmbauu.slsa.blkzyyyfc
- wocwvy.czyxoxmbauu.slsa.whemsbk
- wocwvy.czyxoxmbauu.slsa.nepgaqmyfrhw
- wocwvy.czyxoxmbauu.slsa.clgqtzqdh
- wocwvy.czyxoxmbauu.slsa.usbvhkriufnc
- wocwvy.czyxoxmbauu.slsa.egxltnv
- wocwvy.czyxoxmbauu.slsa.kldqwysgkfcrmq
- wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.jkeggfql
- wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.nvsdtnxkzjgw
- wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.brtltydqhiuqbb
- wocwvy.czyxoxmbauu.slsa.xelytgswelv
- wocwvy.czyxoxmbauu.slsa.mvqkjokaxfrpf
- wocwvy.czyxoxmbauu.slsa.wahiuolww
- wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.cpysnikhf
- wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.wifu
- wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.dshd
- wocwvy.czyxoxmbauu.slsa.kuv.sfswwunyakpjr
- wocwvy.czyxoxmbauu.slsa.ttiegryczsx
- wocwvy.czyxoxmbauu.slsa.blyvffs
Receivers:
- wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.cmtstflxlxb
- wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.qpgopfninoaazln
- wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hypihteeavv
- wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hwfe
Intent Filters by Action:
- android.intent.action.RESPOND_VIA_MESSAGE
- android.accessibilityservice.AccessibilityService
- android.intent.action.MAIN
- android.intent.action.SEND
- android.intent.action.SENDTO
- android.provider.Telephony.WAP_PUSH_DELIVER
- android.provider.Telephony.SMS_DELIVER
- android.intent.action.PACKAGE_ADDED
- android.intent.action.PACKAGE_REMOVED
- android.provider.Telephony.SMS_RECEIVED
- android.net.conn.CONNECTIVITY_CHANGE
- android.net.wifi.WIFI_STATE_CHANGED
Using the above permissions granted by users, the following activities are performed in the users’ devices:
- The app tries to get the accessibility permission for UI automation
Figure 5 Starts Activity based on Accessibility permission
- The malware makes the device ignore battery Optimization
Figure 6 Checks for package and ignores Battery Optimization
- It will disable the administrator user access through the device policy manager
Figure 7 Removing Active Admin User
- The malware runs a query to get the list of currently running apps along with the most recent running apps
Figure 8 Stores the list of recent running apps
- The malware protects itself from being removed or uninstalled and stays hidden from the application launcher
Figure 9 Hides from the application launcher through package manager
- Monitors incoming text messages and creates data through PDU
Figure 10 Gets Inflow of text messages
- Gets phone contact information from the victim’s device
Figure 11 Queries the Phone contacts
All the data collected from the devices are then sent to the C2 link, which seems to be encrypted in this app, and the encryption technique used is AES along with the key, as shown below in the Fig. 12.lo
Figure 12 Encryption Technique used
Following are the ways in which the above encryption techniques are used in multiple classes and methods, as shown in Fig. 13.
Figure 13 Uses of the Encryption Technique
On decrypting the above string and on performing the Dynamic analysis on the same, we found that the collected data is sent to the well-known C2 link of the Anubis variant.
C2 link: hxxp://darkweb[.]bitcoingen[.]store//o1o/a16[.]php
Under normal circumstances, before downloading, users can identify whether an APK is authentic or fake based on the following criteria:
- Source of the file (Secure/Not secure) is a good indicator of whether the app is genuine or fake. For instance, before downloading an application from an unkown source such as a web URL, it is important to check if the source is secure.
- Size of the app. For example, the size of a fake app is less when compared with an authentic one.
- Spelling errors or Icon mismatches can also help distinguish fake apps from genuine ones.
By these parameters, the APK downloaded from the provided URL was identified as a fake app. In addition, the size of the downloaded app is around 500 KB, while commonly, any antivirus APK size would be around a few MBs. Also, the source of the file in this case is an unsecure site, which would not have been the case for an authentic app that is published either in their website that redirects to an authentic app store.
Safety Recommendations:
- Keep your antivirus software updated to detect and prevent malware infections.
- Keep your system and applications updated.
- Use strong passwords and enable two-factor authentication during logins.
- Verify the privileges and permissions requested by the app before granting access.
- People concerned about the exposure of their stolen credentials in the dark web can register at AmiBreached.com to ascertain their exposure.
MITRE ATT&CK® Techniques- for Mobile
| Tactic | Technique ID | Technique Name |
| Defense Evasion | T1418 T1406 | 1. Application Discovery 2. Obfuscated Files or Information |
| Credential access | T1412 | 1. Capture SMSes |
| Discovery | T1421 T1430 T1418 T1426 T1424 | 1. System Network Connections Discovery 2. Location Tracking 3. Application Discovery 4. System Information Discovery 5. Process Discovery |
| Collection | T1432 T1433 T1430 T1429 T1507 T1412 | 1. Access Contact List 2. Access Call Log 3. Location Tracking 4. Capture Audio 5. Network Information Discovery 6. Capture SMSes |
| Command and Control | T1573 T1071 T1571 | 1. Encrypted Channel 2. Application Layer Protocol 3. Non-Standard Port |
| Impact | T1447 | 1.Delete Device Data |
Indicators of Compromise (IoCs):
| IoC | IOC Type |
| 34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb | SHA256 |
| android.accessibilityservice.AccessibilityService | Intent by Action |
| hxxp://darkweb.bitcoingen.store//o1o/a16[.]php | Interesting URL |
| hxxp://darkweb.bitcoingen[.]store/ | Interesting URL |
| 172.217.15[.]106 | IP address |
| 64.233.165[.]95 | IP address |
| 173.194.222[.]95 | IP address |
| data/data/wocwvy.czyxoxmbauu.slsa/shared_prefs/set.xml | File path dropped |
About Cyble:
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.