Lookout Threat Labs researchers have discovered a distribution of the Anubis Android banking malware that is masquerading as the official account management application from Orange S.A., a leading French telecommunications company. 

Leveraging a variation of the infamous banking trojan, Lookout Threat Labs found the attackers are targeting customers of nearly 400 financial institutions, cryptocurrency wallets and virtual payment platforms. As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain. This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection and abuse of the device’s accessibility services.

According to Lookout threat researchers, the latest distribution of Anubis boasts an extensive set of capabilities that includes exfiltrating sensitive data from the victim’s Android device back to the C2 and performing overlay attacks. It also has the ability to terminate malicious functionalities and remove the malware from the device when needed. Additional capabilities include:

  • Recording screen activity and sound from the microphone 
  • Implementing a SOCKS5 proxy for covert communication and package delivery
  • Capturing screenshots
  • Sending mass SMS messages from the device to specified recipients
  • Retrieving contacts stored on the device
  • Sending, reading, deleting and blocking notifications for SMS messages received by the device
  • Scanning the device for files of interest to exfiltrate
  • Locking the device screen and displaying a persistent ransom note
  • Submitting USSD code requests to query bank balances
  • Capturing GPS data and pedometer statistics
  • Implementing a keylogger to steal credentials
  • Monitoring active apps to mimic and perform overlay attacks
  • Stopping malicious functionality and removing the malware from the device

As a readily available commodity banking malware, Lookout researchers expect Anubis to continue to be iterated on. The threat actor behind the campaign also appears to be developing its infrastructure to release future versions of the malware.

For complete threat findings and how the malware attacks, please visit https://www.lookout.com/resources/blog