# Full Anubis android malware analysis

**muha2xmad.github.io/malware-analysis/anubis/** May 27, 2022

### Muhammad Hasan Ali, Malware Analysis learner

**As-salamu Alaykum**

## Introduction

Anubis is an Android banking trojan that collects sensitive data, such as financial data, from the victim's phone using read/write SMS access and keylogging. Anubis targets Turkish speakers and spreads through malicious websites that serve the Anubis APK directly, or through Google Play, where a dropper is installed first and then downloads the Anubis malware.

[The sample on VirusTotal](https://www.virustotal.com/gui/file/8cb941658ed8340b67a38a47162ab8850b89a14eee2899f0761fadd4f648fd5e/details)

[Download the sample from GitHub](https://github.com/muha2xmad/Samples/blob/main/8cb941658ed8340b67a38a47162ab8850b89a14eee2899f0761fadd4f648fd5e.zip)

## Static analysis

We decompile the APK with apktool: `apktool d anubis.apk`. Then we open the decoded `AndroidManifest.xml`; the many permissions it requests show the capabilities of the malware.

Figure(1): permissions of the malware

The malware requests permission to access location, read/write SMS, place phone calls, record audio, read contacts, and use the internet.

Back to the APK file: we unzip it and convert the Dalvik executable `classes.dex` to Java bytecode with dex2jar (`d2j-dex2jar classes.dex`), then open the resulting jar (`classes-dex2jar.jar` by default) in JD-GUI to examine the Java code.

## Uninstall the app

When you try to uninstall the app, it forces you back to the home screen. It does this with an [accessibility service](https://developer.android.com/reference/android/view/accessibility/AccessibilityEvent), which runs in the background and acts whenever an AccessibilityEvent is fired. In Anubis, if the event text contains the malware's app name, the Settings package `com.android.settings`, or "remove"/"uninstall", the malware returns to the home screen by triggering `to_home_screen()`.

Figure(2): attempting to uninstall the malware

## Capabilities

The malware has many capabilities, as we see: VNC, keylogging, SMS spam, location requests, disabling Play Protect, and more.

Figure(3): Malware capabilities

## C2 server

Searching the decompiled code for `http`, we find the C2 server `hxxp://sosyalkampanya2.tk/dedebus/`, which is used for the VNC client.

Figure(4): C2 server

The malware also tries to obtain new C2 servers through Twitter. It queries a Twitter page containing Chinese-language tweets and extracts the text between the two tags 苏尔的开始 and 苏尔苏尔完, then loops over that text replacing each Chinese character with its corresponding English character. The result is Base64, which is decoded; the decoded bytes are RC4-encrypted and are decrypted with the key `zanibus`.

Figure(5): Get new C2 server from Twitter

Figure(6): Decode and decrypt the output

## Anubis as a keylogger

Whenever text is entered in any text box, the accessibility event `TYPE_VIEW_TEXT_CHANGED` (event type `16`) fires; the malware saves the text to `keys.log` and sends it to the C2 server.

Figure(7): Keylogging function

Figure(8): If the C2 sends a command containing "Clear", the saved keystrokes are deleted

## Receiving commands

The malware receives many encrypted commands from the C2 server and decrypts them the same way it decrypts a new C2 server, for example `opendir`, `downloadfile`, `deletefilefolder`, `getIP`. In a long string of commands, the individual commands are separated by a delimiter.

Figure(9): receives encrypted commands and decrypts them

## Intercepting and forwarding calls and SMS

The malware can intercept and forward calls and SMS messages used in bank verification. For SMS, it can forward the OTP message.
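The manual manifest review from the Static analysis section and the accessibility-service abuse from the Uninstall the app section can be turned into a triage script. The following is an added example, not code from the article or from the malware: it parses an apktool-decoded `AndroidManifest.xml` (a constructed sample here; the package and class names are made up) and pulls out the permissions Figure(1) calls out, any service bound with `BIND_ACCESSIBILITY_SERVICE`, and any receiver registered for `SMS_RECEIVED`. `SYSTEM_ALERT_WINDOW` is added to the flagged set on my own account, because overlay windows depend on it. The second function parses the device-side `settings get secure enabled_accessibility_services` value, which is how you check on a live device whether an app like this has actually been granted the accessibility service it needs.

```python
"""Static triage of a decoded AndroidManifest.xml, the step the article does by eye in Figure(1)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{" + ANDROID_NS + "}"  # ElementTree's notation for android:* attributes

# Permissions worth flagging, keyed to the capability they grant. The first nine
# are what Figure(1) calls out; SYSTEM_ALERT_WINDOW is my addition, because
# overlay windows over other apps need it.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.INTERNET": "network access",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample in apktool's decoded layout; package and class names are made up.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Sample App">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".SmsReceiver">
            <intent-filter android:priority="999">
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".BootReceiver">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""


def triage_manifest(xml_text):
    """Return the package name, flagged permissions, accessibility services and SMS receivers."""
    root = ET.fromstring(xml_text)
    requested = [p.get(A + "name") for p in root.iter("uses-permission")]
    flagged = {p: SUSPICIOUS_PERMISSIONS[p] for p in requested if p in SUSPICIOUS_PERMISSIONS}
    # An accessibility service is any <service> the system binds with this permission.
    acc_services = [s.get(A + "name") for s in root.iter("service")
                    if s.get(A + "permission") == BIND_ACCESSIBILITY]
    # A receiver for SMS_RECEIVED sees every incoming SMS, OTP messages included.
    sms_receivers = [r.get(A + "name") for r in root.iter("receiver")
                     if any(a.get(A + "name") == SMS_RECEIVED for a in r.iter("action"))]
    return {
        "package": root.get("package"),
        "flagged_permissions": flagged,
        "accessibility_services": acc_services,
        "sms_receivers": sms_receivers,
    }


def parse_enabled_accessibility_services(settings_value):
    """Parse the value of `adb shell settings get secure enabled_accessibility_services`:
    a colon-separated list of package/ServiceClass pairs, or 'null' when none is enabled."""
    value = settings_value.strip()
    if value in ("", "null"):
        return []
    return [tuple(entry.split("/", 1)) for entry in value.split(":") if entry]


if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"])
    for perm, why in report["flagged_permissions"].items():
        print("  flagged", perm, "->", why)
    print("  accessibility services:", report["accessibility_services"])
    print("  SMS receivers:", report["sms_receivers"])
```

The combination the script looks for (an accessibility service, an SMS receiver, and overlay plus call permissions in one app) is exactly the capability set the rest of this article walks through, so it is a useful first filter before opening the jar in JD-GUI.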
For calls, it can intercept verification and warning calls.

Figure(10): Intercepting and forwarding calls

## Anubis as ransomware

The malware can also act as ransomware, encrypting files located under `/mnt`, `/mount`, `/sdcard`, and `/storage`.

Figure(11): Anubis as ransomware

It uses RC4 with a key received from the C2 server to encrypt each file, writes the encrypted data, and deletes the original. Because RC4 is symmetric, the same key serves for both encryption and decryption.

Figure(12): Anubis encrypts and decrypts data

## Anubis with overlay attack

The malware compares the installed apps against a hardcoded list of apps, most of them banking apps, to choose targets for an [overlay attack](https://encyclopedia.kaspersky.com/glossary/overlaying-overlay-attack/): it opens an active window over the legitimate app that looks identical to it, so the victim's credentials, such as payment data or login data, are entered into the malware's window and stolen.

Figure(13): Targeted apps

Figure(14): WebView over the legitimate app

## Disable Play Protect

If the malware is installed on the device, why does Play Protect not flag it? Because the malware disables Play Protect.

Figure(15): Anubis disables Play Protect

## IoCs

| No. | Description | Hash and URLs |
|-----|-------------|---------------|
| 1 | The APK hash (MD5) | ba7b1ba0830e11da60dec1c90632515d |
| 2 | C2 server | hxxp://sosyalkampanya2.tk/dedebus/ |
| 3 | Related C2 server | hxxp://twitter.com/qweqweqwe |
| 4 | Related C2 server | hxxp://twitter.com/ankaratakipte |

## Article quote

ومن لم يكن في معيّة الله فهو هالك ("Whoever is not in the company of God is lost.")

## REF

- [https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/](https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/)
- [https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/](https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/)
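The Twitter-based C2 update (Figures 5 and 6) and the file encryption in the ransomware section rely on the same RC4 primitive, so one added example covers both. This is my own code, not the sample's and not from the article: the real per-character Chinese-to-ASCII table is not reproduced in the article, so the table here is an assumption (65 consecutive CJK code points standing in for the Base64 alphabet plus `=`), and the sample tweet is constructed by running the pipeline backwards on a made-up URL. The RC4 key `zanibus` and the two tags 苏尔的开始 / 苏尔苏尔完 are from the article.

```python
"""Decode a C2 address hidden in a tweet: CJK letters -> ASCII -> Base64 -> RC4."""
import base64
from typing import Optional

START_TAG = "苏尔的开始"
END_TAG = "苏尔苏尔完"
RC4_KEY = b"zanibus"

# The real per-character table is in the sample, not in the article. This one is
# an assumption for the example: the 64 Base64 symbols plus '=' are mapped onto
# 65 consecutive CJK code points starting at U+4E00.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
CJK_TO_ASCII = {chr(0x4E00 + i): c for i, c in enumerate(B64_ALPHABET)}
ASCII_TO_CJK = {c: k for k, c in CJK_TO_ASCII.items()}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation, XORed into the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_between_tags(page_text: str) -> Optional[str]:
    """Return the text between the start and end tags, or None if either is missing."""
    start = page_text.find(START_TAG)
    if start < 0:
        return None
    start += len(START_TAG)
    end = page_text.find(END_TAG, start)
    return None if end < 0 else page_text[start:end]


def decode_c2(page_text: str, key: bytes = RC4_KEY) -> Optional[str]:
    """Tagged CJK text -> Base64 -> RC4-decrypt; None if any stage fails."""
    payload = extract_between_tags(page_text)
    if payload is None:
        return None
    # Characters outside the table (whitespace, punctuation) are dropped, not mapped.
    b64 = "".join(CJK_TO_ASCII[ch] for ch in payload if ch in CJK_TO_ASCII)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:                        # binascii.Error is a ValueError
        return None
    plain = rc4(key, blob)
    # A wrong key or a changed table yields random bytes; a C2 URL is printable ASCII.
    if not plain or any(b < 0x20 or b > 0x7E for b in plain):
        return None
    return plain.decode("ascii")


def encode_c2(url: str, key: bytes = RC4_KEY) -> str:
    """Inverse pipeline; used only to build the constructed sample tweet below."""
    b64 = base64.b64encode(rc4(key, url.encode("ascii"))).decode("ascii")
    return START_TAG + "".join(ASCII_TO_CJK[c] for c in b64) + END_TAG


# Constructed sample tweet: made-up filler text around a made-up C2 URL.
SAMPLE_URL = "http://c2.example.invalid/panel/"
SAMPLE_TWEET = "今天天气很好 " + encode_c2(SAMPLE_URL) + " 谢谢大家"

if __name__ == "__main__":
    print(decode_c2(SAMPLE_TWEET))
```

Because RC4 is symmetric, `rc4(key, data)` is also what recovers a file the ransomware component encrypted, given the key captured from the C2 traffic. The printable-ASCII check in `decode_c2` is a cheap way to notice a wrong key or a changed character table when re-running the decoder against a newer sample, since the output would otherwise be random bytes rather than a URL.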