{
	"id": "1cd4a150-9ddd-4608-b005-d440bca1ca8d",
	"created_at": "2026-04-06T00:17:09.298658Z",
	"updated_at": "2026-04-10T03:20:39.987558Z",
	"deleted_at": null,
	"sha1_hash": "01b45cc5137f6934c02bfa7c0182507a5a8e2cbe",
	"title": "Android Malware Intercepts SMS 2FA: We have the Logs!",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 622311,
	"plain_text": "Android Malware Intercepts SMS 2FA: We have the Logs!\r\nBy Gary Warner, UAB\r\nPublished: 2018-09-10 · Archived: 2026-04-05 14:49:52 UTC\r\nA couple years ago I was doing some phishing investigations training at the Police School in Santiago, Chile.  One\r\nmodule in my training was called “Logs Don’t Lie”, which pointed out that in most cases we have everything we\r\nneed to prioritize a phishing response just by looking at the log files, either on the compromised phishing server\r\nor in the Financial Institution’s own logs.\r\nMalware C2 servers are another great place to apply the rule “Logs Don’t Lie.”  Most security researchers realize\r\nthat there is a great cloud of fellow researchers on Twitter sharing little tips and glimpses of their investigations.\r\n@LukasStefanko and @nullcookies and I have been looking at a C2 server for a piece of Android malware.  And\r\nthe Logs are AMAZINGLY helpful at understanding just what kind of damage such a trojan can do!\r\n(Sidenote:  @nullcookies is a monster for finding fresh and interesting phish (and often related tools), while\r\n@LukasStefanko is an awesome malware analyst for ESET, specializing in Android-based malware.  You should\r\nfollow both on Twitter if you care about such things.  
Thanks to them both for the pointer that leads to what\r\nfollows.)\r\nIn this case, the malware is believed to be called “Anubis II” and likely uses the “Builder” that is depicted in this\r\nYouTube video, titled “Builder Android Bot Anubis 2”.\r\nLauncher of the APK Builder “Android Botnet Anubis II”\r\nMalware actor chooses from his list of banking targets\r\nIn the comments section of the video, someone has shared a screenshot of the botmaster’s control panel.  In this\r\ncase it is demonstrating that 619 Android phones can be controlled from the botnet:\r\nPhones that can be controlled from the Anubis II control panel\r\nIn the particular instance referred to by Lukas and NullCookies, the malware seems to have been active primarily\r\nin June of 2018.   The server hosting the Anubis II panel has a list of banks that it can present.\r\nThe targets which have custom web inject (or phone inject) content include:\r\n7 Austrian banks\r\n18 Australian banks\r\n5 Canadian banks\r\n6 Czech banks\r\n11 German banks\r\n11 Spanish banks\r\n11 French banks\r\n8 Hong Kong banks\r\n11 Indian banks\r\n6 Japanese banks\r\n1 Kenyan bank\r\n4 New Zealand banks\r\n32 Polish banks\r\n4 Romanian banks\r\n9 Turkish banks\r\n10 UK banks (Bank of Scotland, Barclays, CSGCSDNMB, Halifax, HSBC, Natwest, Royal Bank of\r\nScotland, Santander, TSB, Ulster)\r\n10 US banks (Bank of America, Capital One, Chase, Fifth Third, NetTeller, Skrill, SunTrust, USAA, US\r\nBank, Wells Fargo Mobile)\r\nFake Android Login Pages for Banks\r\nWhile each of the 190 sites has a fake login page available, we thought we would show a sampling from banks\r\naround the world . . . 
\r\nThere are also several cryptocurrency organizations listed:\r\nblockchaine\r\ncoinbase\r\nlocalbitcoin\r\nunocoin\r\nAs well as some Online Payment, Email, and Social Media sites:\r\neBay\r\nFacebook\r\nGmail\r\nPayPal\r\nZebPay\r\nEach bank on the list has the equivalent of a phishing page that can be presented if the owner of the Android phone\r\nattempts to log in to the given bank.\r\nSome of them have silly typographical errors that will hopefully reduce success, such as this Wells Fargo content,\r\ninviting the phone owner to “Sing In” to the bank.  Perhaps there is a Wells Fargo Choir?  Hopefully that will\r\ncause victims to NOT fall for this particular malware!\r\nThe Wells Fargo Choir?  Sing On!\r\nThe SMS Intercepts\r\nOne of the main benefits of having access to the server was to see so many examples of successful SMS message\r\nintercepts!  At the time of the server dump, this one contained 32,900+ unique “keylog” entries and 52,000+\r\nlogged SMS messages from at least 47 unique devices.\r\nHere’s an example showing a bank two-factor authentication request being forwarded to the criminals:\r\nText: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. 
If you didn’t request the\r\ncode, call 1.800.xxx.xxxx for assistance.\r\nKeylogging was also enabled, allowing the criminal to see when a bank app was being used:\r\n06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:,\r\nMay 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]\r\nIn this example, an online payment company is sharing a message:\r\n06/29/2018, 15:28:46 EDT|(CLICKED)|[Friendly reminderThis is Mr. XXXXXXX from REDACTED. This is a\r\nfriendly reminder that you have a payment due today by 6pm If you have any questions or need to make a\r\npayment  via phone call 804-999-9999 or we have a new payment processing system that allows , for your\r\nconvenience, to simply text in the last 4 digits of a card you’ve previously used and the security code and we’re\r\nable to process your payment.  Feel free to call  REDACTED with any questions at 804-xxx-xxxx]\r\nHundreds of Gmail verification codes were found in the logs:\r\n06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]\r\nQuite a few Uber codes were also found in the logs:\r\nText: [#] 9299 is your Uber code. qlRnn4A1sbt\r\nPayPal, QuickBooks, LinkedIn, Facebook, Stash, and Stripe all had 2FA codes appear in the logs:\r\nText: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes. Please don’t reply.\r\nText: [Your QuickBooks Self-Employed Code is 952708, 1 min ago]\r\nText: 383626 is your Facebook password reset code or reset your password here:\r\nhttps://fb.com/l/9wBUVuGxxxx5zC\r\nText: Your LinkedIn verification code is 967308.\r\nText: 103-667 is your Stripe verification code to use your payment info with Theresa.\r\nText: Your Stash verification code is 912037. 
Happy Stashing!\r\nText: Cash App: 157-578 is the sign in code you requested.\r\nText: Your verification code for GotHookup is: 7074\r\nIn a directory called “/numers/” there were also examples of address book dumps from phone contacts.  The small\r\nnumber of these seems to indicate this would be a “triggered” request, where the botnet operator would have to\r\nrequest the address book.  In the example we found, with seven area code (404) numbers, four (770) numbers and\r\nfour (678) numbers, it is likely an Atlanta, Georgia-based victim.\r\nThe keylogging feature also seems to be something that is turned on or off by request of the botnet operators.\r\nThere were far fewer devices for which keylogs were found.   Example keylog entries looked like the following.\r\nA telephone prompt looked like this:\r\n06/15/2018, 14:38:55 EDT|(CLICKED)|[Call management, •, 10m, 4 missed calls, Ashley Brown (3),\r\nMom]\r\n06/15/2018, 14:38:59 EDT|(CLICKED)|[Call Ashley Big Cousin, Quick contact for Ashley Brown]\r\n06/15/2018, 14:39:01 EDT|(CLICKED)|[1 804-999-9999, Mobile, Call Ashley Brown]\r\nResponding to a message looked like this:\r\n06/15/2018, 16:02:34 EDT|(CLICKED)|[Messaging, •, now, Expand button, (804) 999-9999 , Hey Terry\r\ncan you send the address, REPLY]\r\n06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]\r\n06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]\r\n06/15/2018, 16:02:50 EDT|(FOCUSED)|[]\r\n06/15/2018, 16:02:54 EDT|(CLICKED)|[Messaging]\r\n06/15/2018, 16:02:57 EDT|(CLICKED)|[Enter message]\r\n06/15/2018, 16:05:11 EDT|(CLICKED)|[Answer]\r\n06/15/2018, 16:05:29 EDT|(CLICKED)|[]\r\n06/15/2018, 16:10:50 EDT|(FOCUSED)|[]\r\n06/15/2018, 16:10:52 EDT|(CLICKED)|[Enter]\r\n06/15/2018, 16:11:01 EDT|(FOCUSED)|[2007 Their Address Ct  North CityTheyTyped OK 11111]\r\n06/15/2018, 16:11:03 EDT|(FOCUSED)|[]\r\nA YouTube session looked like this:\r\n06/27/2018, 15:23:36 
EDT|(CLICKED)|[YouTube]\r\n06/27/2018, 15:23:46 EDT|(CLICKED)|[Pause video]\r\n06/27/2018, 15:41:19 EDT|(FOCUSED)|[14:46, Go to channel, FINDING OUT THE GENDER!!!, Menu,\r\nThe Rush Fam · 26K views4 hours ago, 6:12, Go to channel, TRY NOT TO CRY CHALLENGE REACTION\r\nWITH KID (SHE ACTUALLY CRIED), Menu, CJ SO COOL · 2.5M views · 1 year ago, SUBSCRIBED]\r\n06/27/2018, 15:46:38 EDT|(FOCUSED)|[]\r\n06/27/2018, 15:46:41 EDT|(CLICKED)|[Enter]\r\n06/27/2018, 15:46:53 EDT|(CLICKED)|[Play video]\r\n06/27/2018, 15:48:06 EDT|(CLICKED)|[ · 0:11]\r\n06/27/2018, 15:48:09 EDT|(CLICKED)|[ · 0:09]\r\n06/27/2018, 15:48:10 EDT|(CLICKED)|[ · 0:08]\r\n06/27/2018, 15:54:30 EDT|(CLICKED)|[Suggested: “BREAKING UP IN FRONT OF COMPANY!!”\r\nPRANK ON PANTON SQUAD!!!]\r\nDistribution\r\nFrom looking for this malware in various collections, such as VirusTotal Intelligence, it seems that the malware is\r\nfairly common.  Many new versions of the malware show up in their collection every day.   The most common\r\npoint of distribution seems to be the Google Play Store.\r\nA stream of such apps was reported on by, well, just about everyone in July 2018.  Some of the\r\nheadlines included:\r\nBest graphic goes to Secure Computing Magazine:\r\nhttps://www.scmagazine.com/\r\nA search in VirusTotal Intelligence reveals 62 new file hashes ONLY FROM TODAY (September 10, 2018) that\r\nmatch a definition name of “Anubis”.  
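The SMS intercepts and keylog entries quoted above come in two fixed shapes: keylog rows of the form date, time TZ|(EVENT)|[text], and intercepted messages prefixed with Text:. As an added example (not code from the original post, and not anything recovered from the Anubis II panel), the Python below triages a handful of constructed lines in those shapes: it parses each row, pulls one-time codes only out of messages that actually talk about a code (so the dates, amounts and transfer IDs in ordinary app screens are not mistaken for OTPs), attributes each code to an issuing service from a small assumed keyword table, and flags rows that touch a bank account. The issuer table, the keyword lists and the sample rows are assumptions for illustration; the sample values are copied from the redacted examples in the post or made up.

```python
import re
from collections import Counter

# Constructed sample lines in the two shapes the Anubis II panel dump uses:
# keylog rows 'date, time TZ|(EVENT)|[text]' and intercepted SMS 'Text: ...'.
# Values are taken from the redacted examples in the post or made up.
SAMPLE_DUMP = [
    '06/14/2018, 00:19:33 EDT|(FOCUSED)|[G-473953 is your Google verification code., 1 min ago]',
    '06/14/2018, 09:07:34 EDT|(FOCUSED)|[From:, REDACTED BANK, Account Number:, ******6680, Date:, '
    'May 30, 2018 10:10:42 AM EDT, Status:, Canceled, Amount:, $100.00, Type:, Deposit, Transfer ID:, 25098675]',
    '06/15/2018, 16:02:37 EDT|(FOCUSED)|[Aa]',
    '06/15/2018, 16:02:46 EDT|(CLICKED)|[Copy, Forward, Delete]',
    'Text: FREE PayPal: Your security code is: 321842. Your code expires in 10 minutes.',
    'Text: [#] 9299 is your Uber code. qlRnn4A1sbt',
    'Text: 103-667 is your Stripe verification code to use your payment info with Theresa.',
    'Text: Bank of Redacted: 819881 is your authorization code which expires in 10 minutes. '
    'If you didn’t request the code, call 1.800.xxx.xxxx for assistance.',
    'Text: Hey Terry can you send the address',
    'garbage line that matches neither format',
]

# Timestamp prefix of a keylog row, e.g. 06/14/2018, 00:19:33 EDT
TS_RE = re.compile(r'^[0-9]{2}/[0-9]{2}/[0-9]{4}, [0-9]{2}:[0-9]{2}:[0-9]{2} [A-Z]{3,4}$')

# A one-time code is 4-8 digits, or two groups of three joined by a hyphen (Stripe and
# Cash App style), optionally carrying the Google 'G-' prefix. The lookarounds refuse
# digits glued to letters, masked account tails (******6680) and decimal amounts ($100.00).
CODE_RE = re.compile(r'(?<![0-9A-Za-z*$.#-])(?:G-)?(?:[0-9]{3}-[0-9]{3}|[0-9]{4,8})(?![0-9-])')

# Gate: only messages that talk about a code are mined for digits.
CODE_WORDS = re.compile(r'(?i)(code|verification|authorization|sign[- ]?in)')
# Rows mentioning any of these are flagged as banking activity.
BANK_WORDS = re.compile(r'(?i)(bank|account|deposit|transfer|authorization)')

# Assumed keyword -> service table for attributing a code; extend it for a real dump.
ISSUERS = {
    'google': 'Google', 'paypal': 'PayPal', 'uber': 'Uber', 'stripe': 'Stripe',
    'facebook': 'Facebook', 'linkedin': 'LinkedIn', 'quickbooks': 'QuickBooks',
    'stash': 'Stash', 'cash app': 'Cash App',
}


def parse_line(line):
    '''Parse one dump line into a record dict, or return None if it is neither shape.'''
    if line.startswith('Text: '):
        rec = {'kind': 'sms', 'ts': None, 'event': None, 'body': line[len('Text: '):]}
    else:
        parts = line.split('|', 2)          # the body may itself contain '|'
        if len(parts) != 3:
            return None
        ts, event, body = parts
        if not (TS_RE.match(ts) and event.startswith('(') and event.endswith(')')
                and body.startswith('[') and body.endswith(']')):
            return None
        rec = {'kind': 'keylog', 'ts': ts, 'event': event[1:-1], 'body': body[1:-1]}
    body = rec['body']
    low = body.lower()
    rec['banking'] = BANK_WORDS.search(body) is not None
    rec['service'] = next((name for key, name in ISSUERS.items() if key in low),
                          'bank (unattributed)' if rec['banking'] else 'unknown')
    # Without the keyword gate, the bank screen above would yield 2018 and 25098675 as codes.
    rec['codes'] = CODE_RE.findall(body) if CODE_WORDS.search(body) else []
    return rec


def triage(lines):
    '''Parse a dump; return (records, codes-per-service tally, rows touching a bank).'''
    records = [r for r in (parse_line(ln) for ln in lines) if r is not None]
    per_service = Counter()
    for r in records:
        per_service[r['service']] += len(r['codes'])
    banking = [r for r in records if r['banking']]
    return records, per_service, banking


if __name__ == '__main__':
    records, per_service, banking = triage(SAMPLE_DUMP)
    for r in records:
        if r['codes']:
            print(r['kind'], r['ts'] or '-', r['service'], r['codes'])
    print('codes per service:', dict(per_service))
    print('rows touching a bank account:', len(banking))
```

Run as a script it prints one line per recovered code and a per-service tally; pointing triage() at a real dump gives the breakdown the post describes informally (Gmail, Uber, PayPal, bank codes and so on). The keyword gate is deliberately conservative: the REDACTED BANK screen is flagged as banking activity but yields no code, which is the right answer when hunting for intercepted 2FA.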
Some of the more popular detection names for the trojan on VirusTotal include:\r\nDrWeb: Android.BankBot.1679\r\nIkarus: Trojan-Banker.AndroidOS.Anubis\r\nKaspersky: HEUR:Trojan-Dropper.AndroidOS.Hqwar.bb\r\nSophos: Andr/BankSpy-AH\r\nKaspersky: Phantom Menace\r\nAs I mentioned about Lukas at the beginning of this post, ESET has produced an amazing number of articles on Android\r\nbanking trojans lurking in the Google Play Store.  Here are a few of them:\r\nTags: android, android malware, Anubis, Anubis II, APK malware, banking trojan, Google Play, Phishing\r\nSource: https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/"
	],
	"report_names": [
		" "
	],
	"threat_actors": [],
	"ts_created_at": 1775434629,
	"ts_updated_at": 1775791239,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/01b45cc5137f6934c02bfa7c0182507a5a8e2cbe.pdf",
		"text": "https://archive.orkl.eu/01b45cc5137f6934c02bfa7c0182507a5a8e2cbe.txt",
		"img": "https://archive.orkl.eu/01b45cc5137f6934c02bfa7c0182507a5a8e2cbe.jpg"
	}
}