Two related servers were recently found hosting 17,490 samples of the same Android malware, Trend Micro’s security researchers say.
Dubbed Anubis, the mobile malware has received numerous updates since first observed last year, evolving from a cyber-espionage tool to banking malware. Both information theft and ransomware-like routines were found in it.
In mid-January of 2019, Anubis was seen leveraging motion-based sensors for sandbox evasion and used overlays to steal sensitive user information.
The 17,490 Anubis samples uncovered contain two labels, namely “Operator Update” and “Google Services,” likely used as social engineering lures to trick users into downloading an Anubis-embedded app.
Samples containing the Operator Update label were found to pack information-stealing capabilities similar to those of the malware’s previous iterations, Trend Micro reveals.
The Trojan can take screenshots, control the device remotely via virtual network computing (VNC), record audio, send/receive/delete SMS, enable or configure device administration settings, get the device’s running tasks, steal the contact list, open a specified URL, disable Google Play Protect, lock the device’s screen, start or initiate USSD, encrypt files, find files, get the device’s location, and retrieve remote control commands from social media channels like Twitter and Telegram.
The malware can also hijack a specified Activity (where an app starts its process), monitor targeted apps in order to overlay fake pages and steal user information or payment data, monitor notifications, and send information strings contained in those notifications to the command and control (C&C) server.
These Anubis samples carry a list of 188 banking- and finance-related apps to steal user information from. Many of these apps are used in Poland, Australia, Turkey, Germany, France, Italy, Spain, the U.S., and India.
The Anubis variant with the Google Services label also contains information-stealing and environment-detecting capabilities.
The malware’s C&C servers are distributed across different countries, some abusing a cloud service, others abusing an Internet data center (IDC) server. The malware operators have also been using social media channels like Twitter and Google short links to send commands since 2014.
The registration date of one of the accounts suggests the attacker has probably been active for about 12 years.
“The sheer amount of samples we uncovered reflects how Anubis’ authors and operators are actively using their malware. Users should always practice security hygiene when installing apps, especially when the mobile devices are used in BYOD environments,” Trend Micro underlines.