Anubis campaign targets hundred of financial apps

Image by suttipunfpik via Freepik

Lookout Threat Labs researchers have discovered a distribution of the Anubis Android banking malware that is masquerading as the official account management application from Orange S.A., a leading French telecommunications company.

Leveraging a variation of the infamous banking trojan, Lookout Threat Labs found the attackers are targeting customers of nearly 400 financial institutions, cryptocurrency wallets and virtual payment platforms. As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain. This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection and abuse of the device’s accessibility services.

According to Lookout threat researchers, the latest distribution of Anubis boasts an extensive set of capabilities that includes exfiltrating sensitive data from the victim’s Android device back to the C2 and performing overlay attacks. It also has the ability to terminate malicious functionalities and remove the malware from the device when needed. Additional capabilities include:

Recording screen activity and sound from the microphone
Implementing a SOCKS5 proxy for covert communication and package delivery
Capturing screenshots
Sending mass SMS messages from the device to specified recipients
Retrieving contacts stored on the device
Sending, reading, deleting and blocking notifications for SMS messages received by the device
Scanning the device for files of interest to exfiltrate
Locking the device screen and displaying a persistent ransom note
Submitting USSD code requests to query bank balances
Capturing GPS data and pedometer statistics
Implementing a keylogger to steal credentials
Monitoring active apps to mimic and perform overlay attacks
Stopping malicious functionality and removing the malware from the device

As a readily available commodity banking malware, Lookout researchers expect Anubis to continue to be iterated on. The threat actor behind the campaign also appears to be developing its infrastructure to release future versions of the malware.

For complete threat findings and how the malware attacks, please visit https://www.lookout.com/resources/blog

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.