Cybercriminals infect Android devices with Anubis banking trojan

Written by Emma Davis

Cybercriminals have organized a phishing campaign aimed at users of Android devices, infecting smartphones and tablets with the Anubis banking trojan.

The malware is able to steal financial information from more than 250 banking and shopping apps.

“The campaign seeks to deliver Anubis, a particularly nasty piece of malware that was originally used for cyber espionage and retooled as a banking trojan. Anubis can completely hijack an Android mobile device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim’s personal files,” write the Cofense experts who discovered the threat.

Attackers send victims phishing emails containing a link to an APK file disguised as an invoice. When the link is opened on an Android device, the APK file is downloaded.

After opening the file, the user is ostensibly asked to enable “Google Play Protect”; in reality, the user grants the application all the permissions it needs while disabling the security service.

Once on an Android device, Anubis begins to collect information about installed applications and compares the results with a list of target programs. Anubis is mainly focused on banking and financial applications, but also looks for popular shopping programs such as eBay or Amazon.

As soon as Anubis discovers the necessary program, it replaces the original authorization window with a fake one in order to steal user credentials.

During the malware analysis, Cofense experts found that the banking trojan has various functions, including capturing screenshots, disabling and changing administration settings, disabling the Google Play Protect built-in protection, recording sound, making calls and sending SMS messages, accessing contacts in the address book, receiving commands from operators via Telegram and Twitter, controlling the device through the VNC desktop remote access system, etc.

The malware also contains a keylogger that can intercept keystrokes from any application installed on a compromised Android device. However, operators must first activate this module with a command from a C&C server.

“A closer look at the code reveals the application gathers a list of installed applications to compare the results with the list of targeted apps. The malware mainly targets banking and financial applications, but also looks for popular shopping apps such as eBay or Amazon. Once an application has been identified, Anubis overlays the original application with a fake login page to capture the user’s credentials,” write the Cofense researchers.

Anubis can also encrypt files in internal storage and on external drives using a special ransomware module, adding the .AnubisCrypt extension to encrypted files and sending them to a C&C server.

Attacks on Android devices are becoming increasingly popular among cybercriminals, as a smartphone usually contains all of the user's important sensitive information. For example, we recently wrote that Android.Xiny Trojans still endanger 25% of users and that it is almost impossible to remove them.

Users who have set up their Android mobile device to receive work-related emails and have allowed installation of unsigned applications are at the greatest risk of compromise. APK files will not open in an environment other than an Android device. Due to the increasing use of Android devices in the business environment, it is important to protect yourself from these threats by ensuring that the devices receive the latest updates.
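
As an added example (not code from Cofense or from the original article), the following Python sketch shows how a mail or web gateway could recognize the invoice-themed download described above by its content rather than by its name. The function names, verdict strings and lure word list are assumptions, and the sample files are constructed placeholders.

```python
import io
import zipfile

# Every APK is a ZIP archive with this entry at the archive root.
APK_MARKER = "AndroidManifest.xml"
# Assumed lure words; the article only mentions an "invoice" theme.
LURE_WORDS = ("invoice",)


def is_android_package(data: bytes) -> bool:
    """Return True if the bytes parse as a ZIP archive containing the APK marker."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return APK_MARKER in archive.namelist()
    except zipfile.BadZipFile:
        return False


def triage_download(filename: str, data: bytes) -> str:
    """Classify a file fetched from a mail link: content first, name second."""
    if not is_android_package(data):
        return "not-apk"
    lowered = filename.lower()
    if not lowered.endswith(".apk") or any(w in lowered for w in LURE_WORDS):
        return "block: APK presented as a document"
    return "review: APK delivered by mail link"


def constructed_apk() -> bytes:
    """Build a harmless stand-in archive with APK-shaped entries (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("AndroidManifest.xml", b"placeholder")
        archive.writestr("classes.dex", b"placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: (file name as delivered, file bytes)
    samples = [
        ("Invoice_2019.apk", constructed_apk()),
        ("invoice.pdf", constructed_apk()),
        ("updater.apk", constructed_apk()),
        ("invoice.pdf", b"%PDF-1.4 constructed placeholder"),
    ]
    for name, blob in samples:
        print(f"{name}: {triage_download(name, blob)}")
```

A file that is structurally an APK is flagged even when its extension claims to be a document, which is the case a name-based filter would miss.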


About the author

Emma Davis

I'm a writer and content manager (a short time ago I completed a bachelor's degree in Marketing from Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
