{
	"id": "3965fba8-2410-487c-aac9-8202521cda50",
	"created_at": "2026-04-06T00:12:37.335467Z",
	"updated_at": "2026-04-10T03:30:33.902999Z",
	"deleted_at": null,
	"sha1_hash": "170ba51d7037a3551f49cff78e1f2aa54a76e407",
	"title": "Mobile Malware Analysis : Tricks used in Anubis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1099605,
	"plain_text": "Mobile Malware Analysis : Tricks used in Anubis\r\nBy abc\r\nPublished: 2019-04-07 · Archived: 2026-04-05 14:09:11 UTC\r\nAnubis\r\nAnubis is my first case of complicated Android malware and it taught me a lot about Android malware. I want to share what I learned in this post. Anubis is almost one year old, but its impact is much higher than that of older banker families, and the campaign is still going on. A small selection of Anubis downloader samples found in the Play Store between July 2018 and March 2019:\r\nAnubis is full of tricks. List of capabilities:\r\nSteal information from banking apps with overlay attacks\r\nRansomware\r\nSMS interception / Call forwarding\r\nRAT\r\nKeylogger\r\nhttps://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/\r\nPage 1 of 12\r\nThe Google Play Store is generally used to spread the malware.\r\nDownloaders\r\nAnubis generally consists of two parts, which I will call the downloader and the payload. If the malware spreads over third-party sites, for example as a fake Flash update, only the Anubis payload is downloaded. But if it spreads over the Google Play Store, it uses a downloader, because it has to: if the Anubis payload itself were published, Play Protect would detect it easily. So fake applications are deployed on the Play Store to download the payload. But how does an application download and install another application?\r\nEasy: with the REQUEST_INSTALL_PACKAGES permission. In the current state of the Play Store I think this permission is more dangerous than any other one: Play Protect can catch malware and RATs that are published on the Play Store directly, so the spread of malware generally comes through this permission. Users should check whether this permission is in an app's permission list.\r\nMalware needs to lower the suspicion of the user after installation. Anubis downloaders use small but strong steps to make the user believe it is a legitimate app. Since threat actors want to catch valuable victims, these fake applications are generally finance-related apps. 
One example is a currency converter.\r\n[Screenshot: Play Store listing 'Curreny - Gold - Euro Currency Center' (notice: #1 trending)]\r\nThese apps imitate legitimate ones. Here is how the earlier fake apps worked. After installation, the app removes itself from the home screen. Why? Let's say you downloaded an app, but it didn't work the way you wanted. What do you do? Go back to the home screen and delete that app, right? Now you need to go to Settings instead. Also, after the fake app is opened, it generally prompts that the app needs to be updated and forwards the user to a legitimate app that has the same icon, the same name and almost the same developer name. So you downloaded an app, it forwarded you to the real one and you installed that. When you go back to your home screen you see only one app, the legitimate one. With this, the suspicion of the user is lowered. But when you go to Settings and list the applications, you will see two of them.\r\nAlso, if you try to remove the malware from Settings, a system error (!) shows up.\r\nSystem Update ?\r\nAfter the user installs the downloader, the app downloads the second stage of the attack, the payload. Generally the name of the downloaded APK is one of Sistem Guncellemesi, Operator Guncellemesi, Flash Update or Yazilim Guncellemesi. The names are Turkish and mean System Update, Operator Update and Software Update. Icons of these apps:\r\n[Icons: Flash Player Update, Update, Operator Update, Service Update, System Update]\r\nWith these icons the threat actors want the user to believe these are legitimate apps. After the downloader gets the payload app from the command and control server, a prompt is shown to the user. The user needs to enable third-party installation and press yes on the prompt screen. Then the app is installed. 
After the user opens it, the app asks for permissions, then nothing is shown and the app disappears from the app list.\r\nDid you see flickering after granting the Accessibility permission? We will come to that.\r\nPersistence\r\nDesktop malware generally writes itself to the Startup folder to get persistence and start itself at each boot. What about Android malware? Let me introduce you to RECEIVE_BOOT_COMPLETED. With a receiver for this broadcast, the app can start itself in the background when the device is booted. Cool, right?\r\nYou cant delete me !\r\nLet's say the user granted every permission to the application and installed it. But now you want to remove the app. When you go to Settings and try to delete the app, you tap the app icon. It says System apps cannot be deleted and you are forwarded to the home screen.\r\nWhat?\r\nThe app didn't take device admin permissions. How can it do that? Let's find out.\r\nAccessibility\r\nFrom the official Android page: 'Accessibility Services run in the background and receive callbacks by the system when AccessibilityEvents are fired. Such events denote some state transition in the user interface, for example, the focus has changed, a button has been clicked, etc. Such a service can optionally request the capability for querying the content of the active window'.\r\nWhat can go wrong, right?\r\nIt can track user activities and has the ability to query certain things such as message boxes. Each accessibility event has a source component that defines which application triggered the current event. These are the event types Anubis uses:\r\nTYPE_VIEW_CLICKED\r\nTYPE_VIEW_FOCUSED\r\nTYPE_VIEW_TEXT_CHANGED\r\nTYPE_WINDOW_STATE_CHANGED\r\nTo see all AccessibilityEvent types, take a look at the AccessibilityEvent reference.\r\nAnubis tracks all accessibility events and checks their event types. So if you open a new app, the window state changes and an event is triggered. 
The first check is for the event type TYPE_WINDOW_STATE_CHANGED. To remove the malware you probably go to Settings. Settings is also an Android application, called com.android.settings. The second check is whether the triggered event comes from com.android.settings. Then the malware checks whether certain strings appear in the event description.\r\nFirst it checks for the name of the app you tapped:\r\nServis Guncellemesi (this.a.i(this))\r\nThen the strings below:\r\nuninstall (this.f)\r\nto remove (this.g)\r\nIf all conditions hold, an Activity is started by a(). This activity just opens an AlertDialog that says System apps cannot be deleted. Since the application doesn't have any launchable content, Android opens the alert box on the home screen. So whenever you try to open the malware's details in Settings you are forwarded to the home screen with an alert box and you can't delete the app.\r\nMaybe if I remove the Accessibility permission from the app, I should be able to remove it, right? No. Let's say you removed the permission. All's fine. But when you open Settings again, the malware will constantly ask you to grant the permission. You can't navigate to the Apps section of Settings to remove the app. Fine, maybe if I reboot then I can remove the app? Remember the RECEIVE_BOOT_COMPLETED permission? The app starts again and asks for the Accessibility permission. But you have other ways to remove the app. If you have an application manager app with a package name other than com.android.settings, you can delete the malware with it. Or boot into safe mode. Also, if you have ADB enabled and you know the package name, you can delete it with adb uninstall packagename (this works here because the sample does not hold device admin rights). To learn package names you can list all packages with adb shell pm list packages.\r\nKeylogger\r\nNow we have covered the TYPE_WINDOW_STATE_CHANGED event. 
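Before moving on to the other three event types: the checks above, together with the keylogging and auto-click behaviour described in the rest of this section, reconstructed in Python as an added example. This is not the post's code and not code from an Anubis sample; the Event shape, the SAMPLE_EVENTS trace and the rule that any window containing a Yes button gets clicked are assumptions made for the example (the real sample clicks Yes on the permission prompt). The AccessibilityEvent and ACTION_CLICK constant values are the real Android ones.

```python
from dataclasses import dataclass, field

# Real android.view.accessibility constant values; 16 is the value seen in the
# decompiled code for both TYPE_VIEW_TEXT_CHANGED and ACTION_CLICK.
TYPE_VIEW_CLICKED = 0x01
TYPE_VIEW_FOCUSED = 0x08
TYPE_VIEW_TEXT_CHANGED = 0x10
TYPE_WINDOW_STATE_CHANGED = 0x20
ACTION_CLICK = 0x10

SETTINGS_PKG = 'com.android.settings'
APP_LABEL = 'Servis Guncellemesi'            # this.a.i(this) in the sample
UNINSTALL_WORDS = ('uninstall', 'to remove')  # this.f / this.g
YES_LABEL = 'Yes'                             # this.e


@dataclass
class Event:
    # Stand-in for an AccessibilityEvent: type, source package, getText()
    # contents and the labels of the nodes in the window (assumed shape).
    event_type: int
    package: str
    text: list = field(default_factory=list)
    nodes: list = field(default_factory=list)


def handle_event(ev):
    # Applies the checks the post describes and returns the actions the
    # service would take, instead of performing them on a device.
    actions = []
    if ev.event_type == TYPE_WINDOW_STATE_CHANGED:
        desc = ' '.join(ev.text).lower()
        # Settings window showing the app's own details page with an
        # uninstall control: push the fake System apps dialog instead.
        if (ev.package == SETTINGS_PKG and APP_LABEL.lower() in desc
                and any(w in desc for w in UNINSTALL_WORDS)):
            actions.append(('block_uninstall', 'System apps cannot be deleted'))
        # Any dialog offering a Yes button is clicked (simplification of the
        # permission-prompt auto-accept that causes the flicker).
        if YES_LABEL in ev.nodes:
            actions.append(('perform_action', ACTION_CLICK, YES_LABEL))
    elif ev.event_type in (TYPE_VIEW_CLICKED, TYPE_VIEW_FOCUSED, TYPE_VIEW_TEXT_CHANGED):
        # Keylogger: every clicked, focused or edited field, in any app.
        if ev.text:
            actions.append(('exfil', ev.package, ''.join(ev.text)))
    return actions


def replay(events):
    return [action for ev in events for action in handle_event(ev)]


# Constructed event trace, not a capture from a real device.
SAMPLE_EVENTS = [
    Event(TYPE_WINDOW_STATE_CHANGED, SETTINGS_PKG,
          text=['Use Servis Guncellemesi?'], nodes=['Cancel', 'Yes']),
    Event(TYPE_WINDOW_STATE_CHANGED, 'com.example.bank', text=['Login']),
    Event(TYPE_VIEW_TEXT_CHANGED, 'com.example.bank', text=['hunter2']),
    Event(TYPE_WINDOW_STATE_CHANGED, SETTINGS_PKG,
          text=['App info', 'Servis Guncellemesi', 'Uninstall', 'Force stop']),
]

if __name__ == '__main__':
    for action in replay(SAMPLE_EVENTS):
        print(action)
```

Calling handle_event() with the same App info text but a source package other than com.android.settings returns no action at all, which is the workaround the post mentions: a third-party application manager, safe mode or adb uninstall all bypass the filter because it keys on the Settings package name.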
Let's look at the other 3 events.\r\nTYPE_VIEW_CLICKED\r\nTYPE_VIEW_FOCUSED\r\nTYPE_VIEW_TEXT_CHANGED\r\nEVERY input box you click or focus, and every text you type into it, triggers one of these three events, no matter which app you are in. So let's say a TYPE_VIEW_TEXT_CHANGED event is triggered and the malware catches it. With just obj = accessibilityEvent.getText().toString(); it can get the changed text and send it back to its command and control server. Event type 16 = TYPE_VIEW_TEXT_CHANGED.\r\nRemember the flickering after granting the accessibility permission to the malware? With accessibility, an app can press buttons (yes, literally). The malware presses Yes without user interaction:\r\nfor (AccessibilityNodeInfo node : source.findAccessibilityNodeInfosByText(this.e)) {\r\n    node.performAction(16); // 16 == AccessibilityNodeInfo.ACTION_CLICK\r\n}\r\nYou guessed right: action 16 is ACTION_CLICK and this.e holds the string Yes.\r\nPlay Protect\r\nEven though the malware is installed on the device from the downloader without being flagged, Play Protect will constantly scan the device if it is enabled and will flag the Anubis app as malware. To overcome this, the malware tries to disable Play Protect.\r\nPackage List\r\nWhen the malware is installed, the first thing it does is list the installed packages and send the list to the command and control server. These application names are sometimes used for another purpose. For example, when the threat actor knows you have, let's say, the 'com.x.bank' app, the threat actor sends an SMS crafted for that app to lure the user into opening com.x.bank: You have received 10.000$. Log in to your X account. With this technique the user opens that app and the fake overlay is shown. This can be thought of as a backup plan for phishing the user.\r\nHow can an Android app list installed packages? 
Easy: getInstalledApplications.\r\nPackageManager pman = context.getPackageManager();\r\n// 128 == PackageManager.GET_META_DATA\r\nfor (ApplicationInfo appInf : pman.getInstalledApplications(128)) {\r\n    if (appInf.packageName.equals(\"com.x.bank\")) {\r\n        arrayList.add(\"com.x.bank\");\r\n    }\r\n}\r\nOverlay Attack\r\nMalware authors always try to find creative ways to fool victims into giving up their information. The overlay attack is one of them. Since early 2016 (MazarBot), a lot of Android malware has used this technique to collect user information. When a targeted app is opened, the malware triggers, pulls the phishing page generated for that targeted app from the command and control server and overlays it on top of the targeted app. Showing it is easier:\r\n(a random banking app is chosen; there are 100+ targeted apps)\r\nSince the overlaid screen is similar to the original app and the overlay happens in a very short time, the user probably doesn't get suspicious. But how does the malware detect opened apps and overlay itself on top of another process? Let's find out!\r\nProcess Scanning\r\nGetting the package list is not enough for an overlay attack. The malware needs to know that the user just opened the 'com.x.bank' app to make the overlay scenario believable; otherwise the user won't fall for it and will become suspicious. There is no 'an app was opened' service in Android. The way the malware does it is simple: somehow get the running process list, take the top process, and put that function in a while(true) {} loop. This way you know when a new app is opened. The way of getting the process list differs by targeted SDK version. Anubis needs a permission to get the process list if the API level is greater than 23: it uses the PACKAGE_USAGE_STATS permission to query UsageStatsManager and get the list of running processes. If the API level is below 23 there are functions to get the list of processes without any permission. I'll focus on this topic in my next post. 
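As an added example that is not part of the original post, here is a small Python triage helper that checks a decoded AndroidManifest.xml (for instance the one apktool produces) for the manifest-level markers discussed in this post: the stage permissions (REQUEST_INSTALL_PACKAGES, PACKAGE_USAGE_STATS, RECEIVE_BOOT_COMPLETED, REQUEST_IGNORE_BATTERY_OPTIMIZATIONS, READ_SMS), an accessibility service, a boot receiver, an SMS_DELIVER receiver (a default-SMS-app candidate) and the absence of a launcher activity. The two sample manifests are constructed for the example, and the weights are the example's own heuristic, not a published scheme.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'
NAME = ANDROID_NS + 'name'
PERMISSION = ANDROID_NS + 'permission'

# Manifest permissions the post ties to each stage of Anubis: (note, weight).
# Weights are this example's own heuristic, not a published scoring scheme.
PERMISSION_MARKERS = {
    'android.permission.REQUEST_INSTALL_PACKAGES': ('downloader: can install the second-stage APK', 3),
    'android.permission.PACKAGE_USAGE_STATS': ('overlay: foreground-app polling via UsageStatsManager', 3),
    'android.permission.RECEIVE_BOOT_COMPLETED': ('persistence: restart at boot', 1),
    'android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS': ('persistence: keep the polling loop alive', 2),
    'android.permission.READ_SMS': ('SMS interception: OTP theft', 2),
}


def _actions(component):
    # All intent-filter action names declared on a component.
    return {a.get(NAME) for f in component.findall('intent-filter') for a in f.findall('action')}


def _categories(component):
    return {c.get(NAME) for f in component.findall('intent-filter') for c in f.findall('category')}


def triage(manifest_xml):
    # Returns the package name, a list of (marker, note, weight) findings and a total score.
    root = ET.fromstring(manifest_xml)
    findings = []
    declared = {p.get(NAME) for p in root.findall('uses-permission')}
    for perm, (note, weight) in PERMISSION_MARKERS.items():
        if perm in declared:
            findings.append((perm, note, weight))
    app = root.find('application')
    launchable = False
    if app is not None:
        for svc in app.findall('service'):
            if (svc.get(PERMISSION) == 'android.permission.BIND_ACCESSIBILITY_SERVICE'
                    or 'android.accessibilityservice.AccessibilityService' in _actions(svc)):
                findings.append(('AccessibilityService', 'uninstall blocking, keylogging, auto-clicking dialogs', 4))
        for rcv in app.findall('receiver'):
            acts = _actions(rcv)
            if 'android.intent.action.BOOT_COMPLETED' in acts:
                findings.append(('BOOT_COMPLETED receiver', 'restarts itself after reboot', 1))
            if 'android.provider.Telephony.SMS_DELIVER' in acts:
                findings.append(('SMS_DELIVER receiver', 'can become the default SMS app and delete messages', 3))
        for act in app.findall('activity'):
            if 'android.intent.category.LAUNCHER' in _categories(act):
                launchable = True
    if not launchable:
        # No home-screen icon at all; hiding the icon at runtime is not visible here.
        findings.append(('no LAUNCHER activity', 'no home-screen icon', 1))
    return {'package': root.get('package'),
            'findings': findings,
            'score': sum(w for _, _, w in findings)}


# Constructed sample manifests (not taken from a real Anubis sample).
SUSPICIOUS_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.update'>
  <uses-permission android:name='android.permission.RECEIVE_BOOT_COMPLETED'/>
  <uses-permission android:name='android.permission.PACKAGE_USAGE_STATS'/>
  <uses-permission android:name='android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS'/>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <application android:label='Servis Guncellemesi'>
    <service android:name='.AccService' android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter><action android:name='android.accessibilityservice.AccessibilityService'/></intent-filter>
    </service>
    <receiver android:name='.BootReceiver'>
      <intent-filter><action android:name='android.intent.action.BOOT_COMPLETED'/></intent-filter>
    </receiver>
    <receiver android:name='.SmsReceiver' android:permission='android.permission.BROADCAST_SMS'>
      <intent-filter><action android:name='android.provider.Telephony.SMS_DELIVER'/></intent-filter>
    </receiver>
  </application>
</manifest>'''

BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android' package='com.example.notes'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <application android:label='Notes'>
    <activity android:name='.MainActivity'>
      <intent-filter>
        <action android:name='android.intent.action.MAIN'/>
        <category android:name='android.intent.category.LAUNCHER'/>
      </intent-filter>
    </activity>
  </application>
</manifest>'''

if __name__ == '__main__':
    for m in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(r['package'], 'score', r['score'])
        for marker, note, weight in r['findings']:
            print('  ', weight, marker, '-', note)
```

Run it against a manifest decoded from the APK. A high score is a reason to look at the accessibility service and the polling loop, not a verdict on its own, and a downloader published on the Play Store will usually show only REQUEST_INSTALL_PACKAGES, since everything else lives in the second stage.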
After getting the process/package names, the malware compares them with the banking apps' package names. Then it opens the corresponding phishing page in a WebView. This action doesn't need any permission: any app can bring itself to the foreground without user interaction! (No longer the case since Android 10, see the conclusion.)\r\nThe collected data is then sent to the command and control server.\r\nBattery issues\r\nBut running in a forever loop will cause some battery issues, right? Battery optimization and battery optimizer apps will kill the malware. The malware author was aware of this, and here comes another permission: REQUEST_IGNORE_BATTERY_OPTIMIZATIONS. With this permission the app can ask the user to exempt it from battery optimizations, so it is no longer killed by them.\r\nSMS Interception and Call forwarding\r\nThis is the scary part. The malware already has the READ_SMS permission for reading SMS. Why? For OTP codes. In addition to reading, the malware requests to become the default SMS app. If the user accepts, the threat actor behind the command and control server can delete SMS from the device. The SMS is then removed and the user won't have any clue.\r\nCall forwarding, oh, this is really scary. Let's say the bank understands the user is a victim of the malware and calls his or her number. But who picks up the phone? The threat actor.\r\nConclusion\r\nTwo permissions for the two stages of Anubis: REQUEST_INSTALL_PACKAGES and PACKAGE_USAGE_STATS. These are related to the core components the malware uses to fool the user. I hope you learned something new about Android malware. If you have any questions, feel free to ask me @0xabc0\r\nWhile writing this post, Google announced the Android Q beta (released as Android 10) with great security-related news! 
Now apps can't start themselves from the background without user interaction: no more overlay tactics for malware!\r\nReference\r\nAnubis image: gregory-the-gregory\r\nReadings\r\nAnubis related:\r\nKoodous for finding Anubis samples\r\nLukas Stefanko's Twitter thread\r\nTrend Micro's post about Anubis\r\nIBM X-Force's post about Anubis\r\nSophos Labs' post about Anubis\r\nIf you want to read related posts about Android malware, here are my other posts:\r\nHow to defeat packers in the Android ecosystem\r\nHow to set up an Android malware analysis lab (in Turkish)\r\nSource: https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/"
	],
	"report_names": [
		"Mobile-Malware-Analysis-Tricks-used-in-Anubis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434357,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/170ba51d7037a3551f49cff78e1f2aa54a76e407.pdf",
		"text": "https://archive.orkl.eu/170ba51d7037a3551f49cff78e1f2aa54a76e407.txt",
		"img": "https://archive.orkl.eu/170ba51d7037a3551f49cff78e1f2aa54a76e407.jpg"
	}
}