# Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus **[cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/](https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/)** **Mobile Malware App Anubis Strikes Again, Continues to LureUsers Disguised as a Fake Antivirus** May 2, 2021 Anubis is an Android banking Trojan created and advertised by a threat actor with the nickname “maza-in”. This malware family has been conducting well-known overlay attacks by combining advanced features such as the capability to stream screens, record sounds, browse files remotely, keylogging abilities, and the capability to function as a network proxy. These features make it an effective banking malware and a potential tool for spying. Generally, this malware operates by tricking unsuspecting victims into submitting confidential and sensitive information such as online banking credentials, banking security codes, and Credit Card details. Being a banking Trojan does not mean that the Anubis malware variant will masquerade as a banking app; in most cases, it is disguised as a third-party app. Some of the disguises used by Anubis are fake mobile games, software updates, post/mail apps, flash-player apps, utility apps, fake browsers and even social-network and communication apps. The list of malware features of Anubis is shown below: Overlaying: Static (hardcoded in bot) Overlaying: Dynamic (C2 based) Keylogging ----- Contact list collection Screen streaming Sound recording SMS harvesting: SMS forwarding SMS blocking SMS sending Files/pictures collection Calls: USSD request making Ransomware: Cryptolocker Remote actions: Data-wiping Remote actions: Back-connect proxy Notifications: Push notifications C2 Resilience: Twitter/Telegram C2 update channels Some of the common delivery techniques that are used by Anubis malware are: **Google Play campaigns:** This includes Bypassing Google Play security mechanisms and spreading the Trojan using the official app store. **Spam campaigns:** This uses SMS or emails with a request to install or update some legitimate application that links to the malware. **Web redirection:** Using advertisement on websites, hacked sites, traffic exchanges lures the victim to a fake landing page containing a malware app. In a recent [tweet, a security engineer shared information about a fake antivirus android app camouflaged as a well-](https://twitter.com/ReBensk/status/1387306767202209792) known antivirus and available from an unsecured web source. When users access the unsecure link available from the search engine for download, it navigates them to an Index page with the file content named as “Avast Antivirus ULTIMATE 2021.apk”, and on selecting it, users can download the APK file. On scanning the downloaded file through VirusTotal, it turned out to be a variant of the Banking Trojan Anubis detected by multiple antivirus signatures, as shown in Figure 1. ----- _Figure 1VirusTotal Detections of the App_ For further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the [application using the digest from the VirusTotal result.](https://pastebin.com/raw/syZnsZkc) _Figure 2Information available in the Cyble Threat Intelligence Platform_ **Technical Analysis:** Digest used for our analysis: 34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb **Package Name: wocwvy.czyxoxmbauu.slsa** ----- **Main Activity: wocwvy.czyxoxmbauu.slsa.ncec.myvbo** Upon performing static analysis on the above app, the malware was found to be more like the Cerberus Banking Trojan malware, which also steals victim data to access their bank accounts. The permissions used by this malware are listed below in the Fig. 3 _Figure 3Permissions requested by the app_ After opening the application, it requests users to enable the accessibility service from the settings to enable full access to the app. After that, it lures victims into changing the Accessibility settings on their phones, forbidding them to uninstall the app. Also, through this service, the app executes screen taps and other commands without the user’s knowledge. _Figure 4 Accessibility service needs to be enabled for the app_ ----- Some of the suspicious permissions, receivers, and services used in the application that may perform malicious activities are listed below: **Permissions** android.permission.SYSTEM_ALERT_WINDOW android.permission.GET_TASKS android.permission.RECEIVE_SMS android.permission.INTERNET android.permission.READ_SMS android.permission.PACKAGE_USAGE_STATS **Services:** wocwvy.czyxoxmbauu.slsa.lmimy wocwvy.czyxoxmbauu.slsa.wfveenegvz wocwvy.czyxoxmbauu.slsa.frvvkgp wocwvy.czyxoxmbauu.slsa.ukhakhcgifofl wocwvy.czyxoxmbauu.slsa.jtfxlnc wocwvy.czyxoxmbauu.slsa.blkzyyyfc wocwvy.czyxoxmbauu.slsa.whemsbk wocwvy.czyxoxmbauu.slsa.nepgaqmyfrhw wocwvy.czyxoxmbauu.slsa.clgqtzqdh wocwvy.czyxoxmbauu.slsa.usbvhkriufnc wocwvy.czyxoxmbauu.slsa.egxltnv wocwvy.czyxoxmbauu.slsa.kldqwysgkfcrmq wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.jkeggfql wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.nvsdtnxkzjgw wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.brtltydqhiuqbb wocwvy.czyxoxmbauu.slsa.xelytgswelv wocwvy.czyxoxmbauu.slsa.mvqkjokaxfrpf wocwvy.czyxoxmbauu.slsa.wahiuolww wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.cpysnikhf wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.wifu wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.dshd wocwvy.czyxoxmbauu.slsa.kuv.sfswwunyakpjr wocwvy.czyxoxmbauu.slsa.ttiegryczsx wocwvy.czyxoxmbauu.slsa.blyvffs **Receivers:** wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.cmtstflxlxb wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.qpgopfninoaazln wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hypihteeavv wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hwfe **Intent Filters by Action:** android.intent.action.RESPOND_VIA_MESSAGE android.accessibilityservice.AccessibilityService android.intent.action.MAIN android.intent.action.SEND android.intent.action.SENDTO android.provider.Telephony.WAP_PUSH_DELIVER android.provider.Telephony.SMS_DELIVER android.intent.action.PACKAGE_ADDED android intent action PACKAGE REMOVED ----- android.provider.Telephony.SMS_RECEIVED android.net.conn.CONNECTIVITY_CHANGE android.net.wifi.WIFI_STATE_CHANGED Using the above permissions granted by users, the following activities are performed in the users’ devices: 1. The app tries to get the accessibility permission for UI automation _Figure 5 Starts Activity based on Accessibility permission_ 1. The malware makes the device ignore battery Optimization _Figure 6 Checks for package and ignores Battery Optimization_ 1. It will disable the administrator user access through the device policy manager ----- _Figure 7 Removing Active Admin User_ 1. The malware runs a query to get the list of currently running apps along with the most recent running apps _Figure 8 Stores the list of recent running apps_ 1. The malware protects itself from being removed or uninstalled and stays hidden from the application launcher _Figure 9 Hides from the application launcher through package manager_ 1. Monitors incoming text messages and creates data through PDU ----- _Figure 10 Gets Inflow of text messages_ 1. Gets phone contact information from the victim’s device _Figure 11 Queries the Phone contacts_ All the data collected from the devices are then sent to the C2 link, which seems to be encrypted in this app, and the encryption technique used is AES along with the key, as shown below in the Fig. 12.lo ----- _Figure 12 Encryption Technique used_ Following are the ways in which the above encryption techniques are used in multiple classes and methods, as shown in Fig. 13. _Figure 13 Uses of the Encryption Technique_ On decrypting the above string and on performing the Dynamic analysis on the same, we found that the collected data is sent to the well-known C2 link of the Anubis variant. **C2 link: hxxp://darkweb[.]bitcoingen[.]store//o1o/a16[.]php** Under normal circumstances, before downloading, users can identify whether an APK is authentic or fake based on the following criteria: 1. Source of the file (Secure/Not secure) is a good indicator of whether the app is genuine or fake. For instance, before downloading an application from an unkown source such as a web URL, it is important to check if the source is secure. 1. Size of the app. For example, the size of a fake app is less when compared with an authentic one. 1. Spelling errors or Icon mismatches can also help distinguish fake apps from genuine ones. ----- By these parameters, the APK downloaded from the provided URL was identified as a fake app. In addition, the size of the downloaded app is around 500 KB, while commonly, any antivirus APK size would be around a few MBs. Also, the source of the file in this case is an unsecure site, which would not have been the case for an authentic app that is published either in their website that redirects to an authentic app store. **Safety Recommendations:** 1. Keep your antivirus software updated to detect and prevent malware infections. 1. Keep your system and applications updated. 1. Use strong passwords and enable two-factor authentication during logins. 1. Verify the privileges and permissions requested by the app before granting access. 1. People concerned about the exposure of their stolen credentials in the dark web can register at [AmiBreached.com to ascertain their exposure.](https://amibreached.com/) **MITRE ATT&CK® Techniques- for Mobile** **Tactic** **Technique ID** **Technique Name** Defense Evasion [T1418](https://attack.mitre.org/techniques/T1418/) [T1406](https://attack.mitre.org/techniques/T1406/) 1. Application Discovery 2. Obfuscated Files or Information Credential access [T1412](https://attack.mitre.org/techniques/T1412/) 1. Capture SMSes Discovery [T1421](https://attack.mitre.org/techniques/T1421) [T1430](https://attack.mitre.org/techniques/T1430/) [T1418](https://attack.mitre.org/techniques/T1418/) [T1426](https://attack.mitre.org/techniques/T1426/) [T1424](https://attack.mitre.org/techniques/T1424) Collection [T1432](https://attack.mitre.org/techniques/T1432/) [T1433](https://attack.mitre.org/techniques/T1433/) [T1430](https://attack.mitre.org/techniques/T1430/) [T1429](https://attack.mitre.org/techniques/T1429/) [T1507](https://attack.mitre.org/techniques/T1507/) [T1412](https://attack.mitre.org/techniques/T1412/) 1. System Network Connections Discovery 2. Location Tracking 3. Application Discovery 4. System Information Discovery 5. Process Discovery 1. Access Contact List 2. Access Call Log 3. Location Tracking 4. Capture Audio 5. Network Information Discovery 6. Capture SMSes Command and Control [T1573](https://attack.mitre.org/techniques/T1573/) [T1071](https://attack.mitre.org/techniques/T1071/) [T1571](https://attack.mitre.org/techniques/T1571/) 1. Encrypted Channel 2. Application Layer Protocol 3. NonStandard Port Impact [T1447](https://attack.mitre.org/techniques/T1447/) 1.Delete Device Data **Indicators of Compromise (IoCs):** **IoC** **IOC Type** 34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb SHA256 android.accessibilityservice.AccessibilityService Intent by Action hxxp://darkweb.bitcoingen.store//o1o/a16[.]php Interesting URL hxxp://darkweb.bitcoingen[.]store/ Interesting URL 172.217.15[.]106 IP address 64.233.165[.]95 IP address 173.194.222[.]95 IP address data/data/wocwvy.czyxoxmbauu.slsa/shared_prefs/set.xml File path dropped **About Cyble:** ----- [Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from](https://cyble.io/) cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit [www.cyble.com.](http://www.cyble.io/) -----