Anubis malware resurfaces targeting crypto wallets and banking apps

So far, 394 malicious apps have been identified that are spreading Anubis malware to steal financial and personal data from unsuspecting Android users.

Security researchers at Lookout security firm have identified a notorious new mobile malware campaign disguised as an official Orange Telecom account management app from Orange S.A, a leading telecommunication service provider in France. Reportedly, the malicious app delivers a modified variant of Anubis banking malware.

About Anubis Malware

Anubis was first identified in 2016 but now the malware has resurfaced and targeting clients of around 400 financial institutions, virtual payment platforms, and cryptocurrency wallets. These include Chase, Bank of America, Wells Fargo, and Capital One customers, etc.

Anubis is a dangerous banking trojan. It can collect sensitive financial data, steal victims’ SMS messages, exfiltrate files and log keys, extract GPS data, monitor screen display, and exploit other accessibility services enabled on the device.

Previously, the Anubis was found stealing photos, videos, and other sensitive content from Android devices. The same malware was also identified in COVID-19 related scams when crooks pushed fake govt-issued COVID-19 contact tracing apps which in reality were spreading Anubis and SpyNote malware.

How does the Attack Works?

When this fake app is downloaded, the embedded malware steals the victim’s personal data to hack the device. The malware creates a connection with the C2 server.

It then downloads another app to commence the SOCKSS proxy, letting the attacker enforce authentication for clients connected with their server and hiding communications between the C2 and the client. After the APK is retrieved and decrypted, it is saved as “‘FR.apk’ in ‘/data/data/fr.orange.serviceapp/app_apk.’”

Immediately, a scam message appears, requesting the user to disable Google Play Protect and allowing the attacker full control of the device.

Objective Behind the Campaign

Researchers noted that the primary goal of Anubis is to collect “significant data about the victim from their mobile device for financial gain.” It achieves this goal by intercepting SMS messages, file exfiltration, keylogging, and GPS data collection.

The C2 server of Anubis malware masquerades as a cryptocurrency exchange website.

The malicious version of the app was submitted to the Google Play Store this year in July. However, researchers believe that this is just the testing phase for a lethal new campaign that will soon surface.

“We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. We expect more heavily obfuscated distributions will be submitted in the future,” Lookout’s report read.

The researchers identified around 394 unique apps. These apps were targeted by the malicious fr.orange.serviceapp, and the Anubis client was traced to a yet underdeveloped crypto trading platform.

“While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting U.S. banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust, and Wells Fargo,” Lookout’s threat researcher Kristina Balaam said.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.