Security researchers uncovered more than 17,000 samples of the Anubis Android malware family stored on two related servers.
While tracking the activity of the Android malware, Trend Micro came across two related servers that contained 17,490 samples of Anubis. After analyzing two of the samples, the researchers found that they requested certain URLs and parsed an XML file to download a malicious app. Anubis then used that malicious app to target 188 banking- and finance-related apps, the vast majority of which were based in Poland, Australia, Turkey and Germany.
In its analysis, Trend Micro found two labels in the samples — Operatör Güncellemesi (which means “Operator Update” in Turkish) and Google Services — and reasoned that Anubis’ handlers likely use the labels as social engineering lures. Even so, those samples bearing one label over the other had slightly different routines. For instance, the analysts needed to unpack variants with the Google Services label before they could access their information-stealing capabilities. They didn’t need to perform this step for variants that arrived with the Operatör Güncellemesi label.
Yet Another Anubis Malware Sighting
In July 2018, IBM X-Force reported that several developers had uploaded downloaders for Anubis and other Android malware to the Google Play store. The following January, Trend Micro discovered two additional apps on Google Play that contained the malware. In both instances, Anubis exploited motion sensor data as a means of evasion.
News of this campaign arrived just a few months before Bleeping Computer reported on a new variant of Anubis that contained a ransomware module.
How to Defend Against Android Malware
The most basic way to help defend against Android malware like Anubis is to follow mobile best security practices, such as keeping devices current with the latest updates and limiting app installations on corporate devices to work-related programs created by trusted developers on official marketplaces. Solutions that leverage artificial intelligence can also help increase the accuracy of manual mobile threat analysis on a large scale.