The Anubis Android banking malware is now targeting the customers of nearly 400 financial institutions in a new malware campaign.
The threat actors target financial institutions, cryptocurrency wallets, and virtual payment platforms by impersonating an Orange S.A. Android app that attempts to steal login credentials.
The report comes from researchers at Lookout, who note that the malicious campaign is still in the testing and optimization phase.
An old but potent threat
Anubis first appeared on Russian hacking forums in 2016, shared as an open-source banking trojan with instructions on implementing its client and components.
In the years that followed, Anubis received further development work, and its newer code continued to be openly shared between actors.
In 2019, the malware added what appeared to be an almost functional ransomware module and found its way into Google's Play Store through fake apps.
In 2020, Anubis returned through large-scale phishing campaigns, targeting 250 shopping and banking apps.
Anubis will display fake phishing login forms when users open up apps for targeted platforms to steal credentials. This overlay screen will be shown over the real app's login screen to make victims think it's a legitimate login form when in reality, inputted credentials are sent to the attackers.
In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:
Recording screen activity and sound from the microphone
Implementing a SOCKS5 proxy for covert communication and package delivery
Capturing screenshots
Sending mass SMS messages from the device to specified recipients
Retrieving contacts stored on the device
Sending, reading, deleting, and blocking notifications for SMS messages received by the device
Scanning the device for files of interest to exfiltrate
Locking the device screen and displaying a persistent ransom note
Submitting USSD code requests to query bank balances
Capturing GPS data and pedometer statistics
Implementing a keylogger to steal credentials
Monitoring active apps to mimic and perform overlay attacks
Stopping malicious functionality and removing the malware from the device
Like previous versions, the newest Anubis detects if the compromised device has Google Play Protected enabled and pushes a fake system alert to trick the user into disabling it.
This deactivation gives the malware full access to the device, and the freedom to send and receive data from the C2 without any interference.
Distribution mechanisms
The actors attempted to submit an "fr.orange.serviceapp" package to the Google Play store in July 2021, but the app was rejected.
Lookout believes this was just an attempt to test Google's anti-malware detectors, as threat actors only partially implemented the obfuscation scheme.
This apps optimization and obfuscation is ongoing, concerning both the C2 communications and the app's code.
The distribution of the fake Orange app is currently taking place via malicious websites, direct messages on social media, smishing, and forum posts.
Lookout's threat researcher Kristina Balaam told Bleeping Computer that this campaign isn't targeting only French customers of Orange S.A., but American users as well.
While we can’t be certain whether the app has been used in a successful attack, we do know they are targeting US banks including Bank of America, U.S. Bank, Capital One, Chase, SunTrust, and Wells Fargo.
The actor behind recent campaign
There is no concrete information on the actors who currently distribute Anubis, as they were careful enough to hide their C2 infrastructure registration trace.
The actor uses Cloudflare to redirect all network traffic through SSL, while the C2 masquerades as a cryptocurrency trading website using the domain "hhtps://quickbitrade[.]com".
The communications between Anubis and the C2 aren’t properly secured yet, but the admin panel area is beyond reach.
Considering that Anubis code circulates numerous underground hacking forums, the number of hackers using it is large, and making connections with threat actor online personas is complicated.
Customers of Orange S.A. are advised to only source the app from the telco’s official website or the Google Play store.
Additionally, pay attention to the requested permissions before granting your approval whenever you download and install an app.
