{
	"id": "e232c7c1-d2dd-44e7-9054-82e355cbd2a4",
	"created_at": "2026-04-06T00:19:09.723789Z",
	"updated_at": "2026-04-10T03:30:33.382432Z",
	"deleted_at": null,
	"sha1_hash": "6e4b7c9b3825a5a7ab969041781395ad33c9159d",
	"title": "Anubis Targets 250 Android Apps with Ransomware | Cofense",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75436,
	"plain_text": "Anubis Targets 250 Android Apps with Ransomware | Cofense\r\nPublished: 2020-02-05 · Archived: 2026-04-05 20:47:56 UTC\r\nRetarus Email Security\r\nBy Marcel Feller\r\nThe Cofense Phishing Defense Center uncovered a phishing campaign that specifically targets users of Android\r\ndevices that could result in compromise if unsigned Android applications are permitted on the device.\r\nThe campaign seeks to deliver Anubis, a particularly nasty piece of malware that was originally used for cyber\r\nespionage and retooled as a banking trojan. Anubis can completely hijack an Android mobile device, steal data,\r\nrecord phone calls, and even hold the device to ransom by encrypting the victim’s personal files. With mobile\r\ndevices increasingly used in the corporate environment, thanks to the popularity of BYOD policies, this malware\r\nhas the potential to cause serious harm, mostly to consumers, and businesses that allow the installation of\r\nunsigned applications.\r\nHere’s how it works:\r\nAt first glance, the email shown in Figure 1 looks like any other phishing email that asks the user to download an\r\ninvoice. However, this particular email downloads an Android Package Kit (APK), which is the common format\r\nused by Android to distribute and install applications. Let’s take a closer look at the suspicious file.\r\nFigure 1 – Phishing Email\r\nWhen the email link is opened from an Android device, an APK file (Fattura002873.apk), is downloaded. Upon\r\nopening the file, the user is asked to enable “Google Play Protect” as shown in Figure 2. 
However, this is not a\r\ngenuine “Google Play Protect” screen; accepting it grants the app all the permissions it needs while simultaneously\r\ndisabling the real Google Play Protect.\r\nFigure 2 – Granting Permissions\r\nThe following permissions are granted to the app:\r\nFigure 3 – Permissions Granted to App\r\nA closer look at the code reveals that the application gathers a list of installed applications and compares the results\r\nagainst a list of targeted applications (Figure 4). The malware mainly targets banking and financial applications,\r\nbut also looks for popular shopping apps such as eBay or Amazon. A full list of targeted applications is included in\r\nthe IOC section at the end of this post. Once a targeted application has been identified, Anubis overlays the original\r\napplication with a fake login page to capture the user’s credentials.\r\nFigure 4 – Checking for installed apps\r\nhttps://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/\r\nPage 1 of 10\n\nBased on a thorough analysis of the code, the most interesting technical capabilities include:\r\nCapturing screenshots\r\nEnabling or changing device administration settings\r\nOpening and visiting any URL\r\nDisabling Play Protect\r\nRecording audio\r\nMaking phone calls\r\nStealing the contact list\r\nControlling the device via VNC\r\nSending, receiving and deleting SMS\r\nLocking the device\r\nEncrypting files on internal and external storage\r\nSearching for files\r\nRetrieving the GPS location\r\nReceiving remote control commands via Twitter and Telegram\r\nPushing overlays\r\nReading the device ID\r\nThe malware includes a keylogger that works in every app installed on the Android device. However, the\r\nkeylogger needs to be specifically enabled by a command sent from the C2 server. 
The keylogger can track three\r\ndifferent accessibility events (Figure 5):\r\nTYPE_VIEW_CLICKED – the user clicked a View such as a Button or CompoundButton.\r\nTYPE_VIEW_FOCUSED – a View received input focus.\r\nTYPE_VIEW_TEXT_CHANGED – the text of an EditText changed.\r\nFigure 5 – Keylogger component\r\nFigure 6 shows one of the most noteworthy functions of Anubis: its ransomware module. The malware searches\r\nboth internal and external storage and encrypts the files it finds using RC4. It appends the file extension .AnubisCrypt to each\r\nencrypted file and sends it to the C2.\r\nFigure 6 – Ransomware component\r\nAnubis has been known to utilize Twitter or Telegram to retrieve the C2 address, and this sample is no exception\r\n(Figure 7).\r\nFigure 7 – C2\r\nAs seen in Figure 8, this version of Anubis is built to run on several iterations of the Android operating system,\r\ndating back to version 4.0.3, which was released in December 2011.\r\nFigure 8 – Android requirements\r\nAndroid malware has been around for many years and will be with us for the foreseeable future. Users who have\r\nconfigured their Android mobile device to receive work-related emails and allow installation of applications\r\nfrom unknown sources face the most risk of compromise. APK files will not natively open in an environment other than an\r\nAndroid device, so the lure is only effective on Android. With the increased use of Android phones in business environments, it is important to defend\r\nagainst these threats by ensuring devices are kept current with the latest updates. 
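The ransomware module described above uses RC4, a symmetric stream cipher, so every encrypted file can be restored with the same key that encrypted it. The Python below is an added example written for this page; it is not code from the Cofense report or from the Anubis sample. It assumes the RC4 key has already been recovered (for instance from the configuration of the sample or from its C2 traffic, which this post does not describe; the key value in the demonstration is made up) and uses file signatures on the recovered bytes as a cheap check that the candidate key was correct.

```python
# Added example for this page (not Cofense or Anubis code): RC4 recovery of
# files renamed with the .AnubisCrypt extension. The key is an assumption:
# it must have been recovered from the sample or its C2 traffic beforehand.
import os

ANUBIS_EXT = '.AnubisCrypt'

# Leading bytes of common personal-file formats, used to check that a
# candidate key produced real plaintext rather than noise.
MAGIC = (
    bytes.fromhex('ffd8ff'),            # JPEG
    bytes.fromhex('89504e470d0a1a0a'),  # PNG
    b'%PDF',                            # PDF
    b'PK',                              # ZIP / DOCX / XLSX
)


def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation.'''
    if not key:
        raise ValueError('RC4 key must not be empty')
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_plaintext(data: bytes) -> bool:
    '''Cheap plausibility check: recovered data starts with a known file signature.'''
    return any(data.startswith(m) for m in MAGIC)


def recover_blob(enc_name: str, blob: bytes, key: bytes):
    '''Decrypt one encrypted file image. Returns (original_name, plaintext),
    or None when the signature check fails (wrong key or unknown format).'''
    if not enc_name.endswith(ANUBIS_EXT):
        raise ValueError('not an Anubis-renamed file: ' + enc_name)
    plain = rc4(key, blob)
    if not looks_like_plaintext(plain):
        return None
    return enc_name[:-len(ANUBIS_EXT)], plain


def recover_tree(root: str, key: bytes) -> dict:
    '''Walk a copied storage image, write every recoverable .AnubisCrypt file
    back under its original name (the encrypted copy is left untouched) and
    report the outcome per file.'''
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(ANUBIS_EXT):
                continue
            enc_path = os.path.join(dirpath, name)
            with open(enc_path, 'rb') as fh:
                result = recover_blob(name, fh.read(), key)
            if result is None:
                report[enc_path] = 'signature check failed'
                continue
            orig_name, plain = result
            with open(os.path.join(dirpath, orig_name), 'wb') as fh:
                fh.write(plain)
            report[enc_path] = 'restored ' + orig_name
    return report


if __name__ == '__main__':
    # Constructed demonstration: encrypt a fake PDF the way the module would,
    # then recover it with the right key and fail cleanly with a wrong one.
    key = b'example-key-recovered-from-sample'
    sample = b'%PDF-1.4 constructed sample document'
    encrypted = rc4(key, sample)
    print(recover_blob('invoice.pdf' + ANUBIS_EXT, encrypted, key))
    print(recover_blob('invoice.pdf' + ANUBIS_EXT, encrypted, b'wrong-key'))
```

Run recover_tree against a copy of the device storage, never the original, and treat a signature-check failure as a sign that the key is wrong or the file type is unknown rather than deleting anything.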
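The IOC section at the end of this post lists the distribution and C2 URLs in defanged form (hXXp, [.]) together with the MD5 and SHA256 of the APK. The Python below is an added example for this page, not Cofense tooling: it refangs those indicators and sweeps a few constructed proxy log lines and a file for matches. The log lines are made up for the demonstration. Note the caveat the code encodes: twitter.com is a legitimate platform, so only the exact profile URL counts as an indicator there, while for the attacker-controlled domains any request to the host is a hit.

```python
# Added example for this page (not Cofense code): refang the indicators from
# the IOC section of this post and sweep proxy logs and files for them.
import hashlib

# Copied from the IOC section of this post, still defanged.
DEFANGED_URLS = [
    'hXXp://g28zjbmuc[.]pathareshubhmangalkaryalay[.]com',
    'hXXp://73mw001b0[.]pragatienterprises[.]in[.]net/',
    'hXXp://w0puz47[.]arozasehijos[.]cl/',
    'hXXp://hovermop[.]com/Fattura002873[.]apk',
    'hXXps://twitter[.]com/qweqweqwe',
    'hXXp://cdnjs[.]su/fafa[.]php?f=',
    'hXXp://cdnjs[.]su/o1o/a1[.]php',
]
MD5_IOCS = {'c027ec0f9855529877bc0d57453c5e86'}
SHA256_IOCS = {'c38c675a4342052a18e969e839cce797fef842b9d53032882966a3731ced0a70'}

# Hosts shared with legitimate traffic: match only the exact URL, never the whole host.
SHARED_HOSTS = {'twitter.com'}

# Constructed proxy log lines for the demonstration (not from the report):
# timestamp, client IP, method, URL, status.
SAMPLE_LOG = '''
2020-02-05T09:12:01Z 10.1.2.3 GET http://hovermop.com/Fattura002873.apk 200
2020-02-05T09:12:09Z 10.1.2.3 GET https://www.google.com/ 200
2020-02-05T09:13:44Z 10.1.2.3 POST http://cdnjs.su/o1o/a7.php 200
2020-02-05T09:14:02Z 10.1.2.9 GET https://twitter.com/qweqweqwe 200
2020-02-05T09:14:30Z 10.1.2.9 GET https://twitter.com/home 200
'''


def refang(ioc: str) -> str:
    '''Undo the usual defanging so the indicator can be compared with real logs.'''
    return ioc.replace('hXXp', 'http').replace('[.]', '.').replace('[:]', ':')


def host_of(url: str) -> str:
    '''Lower-cased host part of a URL, without scheme, path or port.'''
    rest = url.split('://', 1)[1] if '://' in url else url
    return rest.split('/', 1)[0].split(':', 1)[0].lower()


def url_matches(url: str, iocs) -> bool:
    '''Host-level match for attacker-controlled domains; exact URL match on shared platforms.'''
    host = host_of(url)
    if host in SHARED_HOSTS:
        return any(url.rstrip('/') == i.rstrip('/') for i in iocs if host_of(i) == host)
    return host in {host_of(i) for i in iocs}


def sweep_log(log_text: str, defanged_iocs=DEFANGED_URLS):
    '''Return (client_ip, url) for every log line that touches an indicator.'''
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        url = fields[3]
        if url_matches(url, iocs):
            hits.append((fields[1], url))
    return hits


def hash_verdict(blob: bytes) -> dict:
    '''Compare a retrieved attachment against the hashes published for the APK.'''
    return {
        'md5': hashlib.md5(blob).hexdigest() in MD5_IOCS,
        'sha256': hashlib.sha256(blob).hexdigest() in SHA256_IOCS,
    }


if __name__ == '__main__':
    for client, url in sweep_log(SAMPLE_LOG):
        print(client, 'contacted', url)
    print(hash_verdict(b'constructed non-malicious bytes'))
```

The cdnjs.su hit on a path (a7.php) that is itself in the IOC list shows why host-level matching is the right granularity for attacker-owned domains: the list of numbered PHP endpoints is clearly enumerable and any contact with the host is suspicious.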
Limiting app installations on\r\ncorporate devices, as well as ensuring that applications come from trusted developers on official marketplaces,\r\ncan help reduce the risk of infection as well.\r\nIndicators of Compromise\r\nMinimum Android version: 4.0.3 or newer\r\nFile Name: Fattura002873.apk\r\nMD5: c027ec0f9855529877bc0d57453c5e86\r\nSHA256: c38c675a4342052a18e969e839cce797fef842b9d53032882966a3731ced0a70\r\nFile Size: 575,236 bytes (561K)\r\nURLs (defanged):\r\nhXXp://g28zjbmuc[.]pathareshubhmangalkaryalay[.]com\r\nhXXp://73mw001b0[.]pragatienterprises[.]in[.]net/\r\nhXXp://hrlny7si9[.]pathareshubhmangalkaryalay[.]com/\r\nhXXp://w0puz47[.]arozasehijos[.]cl/\r\nhXXp://hovermop[.]com/Fattura002873[.]apk\r\nhXXps://twitter[.]com/qweqweqwe\r\nhXXp://ktosdelaetskrintotpidor[.]com\r\nhXXp://sositehuypidarasi[.]com\r\nhXXp://cdnjs[.]su/fafa[.]php?f=\r\nhXXp://cdnjs[.]su/o1o/a1[.]php\r\nhXXp://cdnjs[.]su/o1o/a10[.]php\r\nhXXp://cdnjs[.]su/o1o/a11[.]php\r\nhXXp://cdnjs[.]su/o1o/a12[.]php\r\nhXXp://cdnjs[.]su/o1o/a13[.]php\r\nhXXp://cdnjs[.]su/o1o/a14[.]php\r\nhXXp://cdnjs[.]su/o1o/a15[.]php\r\nhXXp://cdnjs[.]su/o1o/a16[.]php\r\nhXXp://cdnjs[.]su/o1o/a2[.]php\r\nhXXp://cdnjs[.]su/o1o/a3[.]php\r\nhXXp://cdnjs[.]su/o1o/a4[.]php\r\nhXXp://cdnjs[.]su/o1o/a5[.]php\r\nhXXp://cdnjs[.]su/o1o/a6[.]php\r\nhXXp://cdnjs[.]su/o1o/a7[.]php\r\nhXXp://cdnjs[.]su/o1o/a8[.]php\r\nhXXp://cdnjs[.]su/o1o/a9[.]php\r\nTargeted applications (package names):\r\nat.spardat.bcrmobile\r\nat.spardat.netbanking\r\ncom.bankaustria.android.olb\r\ncom.bmo.mobile\r\n
com.cibc.android.mobi\r\ncom.rbc.mobile.android\r\ncom.scotiabank.mobile\r\ncom.td\r\ncz.airbank.android\r\neu.inmite.prj.kb.mobilbank\r\ncom.bankinter.launcher\r\ncom.kutxabank.android\r\ncom.rsi\r\ncom.tecnocom.cajalaboral\r\nes.bancopopular.nbmpopular\r\nes.evobanco.bancamovil\r\nes.lacaixa.mobile.android.newwapicon\r\ncom.dbs.hk.dbsmbanking\r\ncom.FubonMobileClient\r\ncom.hangseng.rbmobile\r\ncom.MobileTreeApp\r\ncom.mtel.androidbea\r\ncom.scb.breezebanking.hk\r\nhk.com.hsbc.hsbchkmobilebanking\r\ncom.aff.otpdirekt\r\ncom.ideomobile.hapoalim\r\ncom.infrasofttech.indianBank\r\ncom.mobikwik_new\r\ncom.oxigen.oxigenwallet\r\njp.co.aeonbank.android.passbook\r\njp.co.netbk\r\njp.co.rakuten_bank.rakutenbank\r\njp.co.sevenbank.AppPassbook\r\njp.co.smbc.direct\r\njp.mufg.bk.applisp.app\r\ncom.barclays.ke.mobile.android.ui\r\nnz.co.anz.android.mobilebanking\r\nnz.co.asb.asbmobile\r\nnz.co.bnz.droidbanking\r\nnz.co.kiwibank.mobile\r\ncom.getingroup.mobilebanking\r\neu.eleader.mobilebanking.pekao.firm\r\neu.eleader.mobilebanking.raiffeisen\r\npl.bzwbk.bzwbk24\r\npl.ipko.mobile\r\npl.mbank\r\n
alior.bankingapp.android\r\ncom.comarch.mobile.banking.bgzbnpparibas.biznes\r\ncom.comarch.security.mobilebanking\r\ncom.empik.empikapp\r\ncom.finanteq.finance.ca\r\ncom.orangefinansek\r\neu.eleader.mobilebanking.invest\r\npl.aliorbank.aib\r\npl.allegro\r\npl.bosbank.mobile\r\npl.bph\r\npl.bps.bankowoscmobilna\r\npl.bzwbk.ibiznes24\r\npl.bzwbk.mobile.tab.bzwbk24\r\npl.ceneo\r\npl.com.rossmann.centauros\r\npl.fmbank.smart\r\npl.ideabank.mobilebanking\r\npl.ing.mojeing\r\npl.millennium.corpApp\r\npl.orange.mojeorange\r\npl.pkobp.iko\r\npl.pkobp.ipkobiznes\r\ncom.kuveytturk.mobil\r\ncom.magiclick.odeabank\r\ncom.mobillium.papara\r\ncom.pozitron.albarakaturk\r\ncom.teb\r\ncom.tmob.denizbank\r\ncom.vakifbank.mobilel\r\ntr.com.sekerbilisim.mbank\r\nwit.android.bcpBankingApp.millenniumPL\r\ncom.advantage.RaiffeisenBank\r\nhr.asseco.android.jimba.mUCI.ro\r\nmay.maybank.android\r\nro.btrl.mobile\r\ncom.amazon.mShop.android.shopping\r\nru.sberbankmobile\r\nru.alfabank.mobile.android\r\nru.mw\r\ncom.idamob.tinkoff.android\r\ncom.ebay.mobile\r\n
ru.vtb24.mobilebanking.android\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.ykb.android\r\ncom.softtech.iscek\r\ncom.finansbank.mobile.cepsube\r\ncom.garanti.cepsubesi\r\ncom.tmobtech.halkbank\r\ncom.ziraat.ziraatmobil\r\nde.comdirect.android\r\nde.commerzbanking.mobil\r\nde.consorsbank\r\ncom.db.mm.deutschebank\r\nde.dkb.portalapp\r\ncom.ing.diba.mbbr2\r\nde.postbank.finanzassistent\r\nmobile.santander.de\r\nde.fiducia.smartphone.android.banking.vr\r\nfr.creditagricole.androidapp\r\nfr.axa.monaxa\r\nfr.banquepopulaire.cyberplus\r\nnet.bnpparibas.mescomptes\r\ncom.boursorama.android.clients\r\ncom.caisseepargne.android.mobilebanking\r\nfr.lcl.android.customerarea\r\ncom.paypal.android.p2pmobile\r\ncom.konylabs.capitalone\r\ncom.chase.sig.android\r\ncom.infonow.bofa\r\ncom.wf.wellsfargomobile\r\nuk.co.bankofscotland.businessbank\r\ncom.rbs.mobile.android.natwestoffshore\r\nuk.co.santander.santanderUK\r\ncom.usbank.mobilebanking\r\ncom.usaa.mobile.android.usaa\r\ncom.suntrust.mobilebanking\r\ncom.moneybookers.skrillpayments.neteller\r\ncom.clairmail.fth\r\ncom.ifs.banking.fiid4202\r\ncom.rbs.mobile.android.ubr\r\ncom.htsu.hsbcpersonalbanking\r\ncom.grppl.android.shell.halifax\r\ncom.grppl.android.shell.CMBlloydsTSB73\r\n
com.barclays.android.barclaysmobilebanking\r\nsk.sporoapps.accounts\r\ncom.cleverlance.csas.servis24\r\ncom.unionbank.ecommerce.mobile.android\r\ncom.ing.mobile\r\ncom.snapwork.hdfc\r\ncom.sbi.SBIFreedomPlus\r\nhdfcbank.hdfcquickbank\r\ncom.csam.icici.bank.imobile\r\nin.co.bankofbaroda.mpassbook\r\ncom.axis.mobile\r\ncz.csob.smartbanking\r\ncz.sberbankcz\r\norg.westpac.bank\r\nnz.co.westpac\r\nau.com.suncorp.SuncorpBank\r\norg.stgeorge.bank\r\norg.banksa.bank\r\nau.com.newcastlepermanent\r\nau.com.nab.mobile\r\nau.com.mebank.banking\r\nau.com.ingdirect.android\r\ncom.imb.banking2\r\ncom.commbank.netbank\r\ncom.citibank.mobile.au\r\ncom.fusion.ATMLocator\r\norg.bom.bank\r\nau.com.cua.mb\r\ncom.anz.android.gomoney\r\ncom.bendigobank.mobile\r\ncom.bbva.bbvacontigo\r\ncom.bbva.netcash\r\nau.com.bankwest.mobile\r\ncom.cm_prod.bad\r\nmobi.societegenerale.mobile.lappli\r\nat.bawag.mbanking\r\ncom.pozitron.iscep\r\ncom.bankofqueensland.boq\r\ncom.starfinanz.smob.android.sfinanzstatus\r\nfr.laposte.lapostemobile\r\ncom.starfinanz.smob.android.sbanking\r\nat.easybank.mbanking\r\ncom.palatine.android.mobilebanking.prod\r\n
at.volksbank.volksbankmobile\r\ncom.isis_papyrus.raiffeisen_pay_eyewdg\r\nes.cm.android\r\ncom.jiffyondemand.user\r\ncom.latuabancaperandroid\r\ncom.latuabanca_tabperandroid\r\ncom.lynxspa.bancopopolare\r\ncom.unicredit\r\nit.bnl.apps.banking\r\nit.bnl.apps.enterprise.bnlpay\r\nit.bpc.proconl.mbplus\r\nit.copergmps.rt.pf.android.sp.bmps\r\nit.gruppocariparma.nowbanking\r\nit.ingdirect.app\r\nit.nogood.container\r\nit.popso.SCRIGNOapp\r\nposteitaliane.posteapp.apppostepay\r\ncom.abnamro.nl.mobile.payments\r\ncom.triodos.bankingnl\r\nnl.asnbank.asnbankieren\r\nnl.snsbank.mobielbetalen\r\ncom.btcturk\r\ncom.ingbanktr.ingmobil\r\nfinansbank.enpara\r\ntr.com.hsbc.hsbcturkey\r\ncom.att.myWireless\r\ncom.vzw.hss.myverizon\r\naib.ibank.android\r\ncom.bbnt\r\ncom.csg.cs.dnmbs\r\ncom.discoverfinancial.mobile\r\ncom.eastwest.mobile\r\ncom.fi6256.godough\r\ncom.fi6543.godough\r\ncom.fi6665.godough\r\ncom.fi9228.godough\r\ncom.fi9908.godough\r\ncom.ifs.banking.fiid1369\r\ncom.ifs.mobilebanking.fiid3919\r\ncom.jackhenry.rockvillebankct\r\ncom.jackhenry.washingtontrustbankwa\r\ncom.jpm.sig.android\r\n
com.sterling.onepay\r\ncom.svb.mobilebanking\r\norg.usemployees.mobile\r\npinacleMobileiPhoneApp.android\r\ncom.fuib.android.spot.online\r\ncom.ukrsibbank.client.android\r\nru.alfabank.mobile.ua.android\r\nua.aval.dbo.client.android\r\nua.com.cs.ifobs.mobile.android.otp\r\nua.com.cs.ifobs.mobile.android.pivd\r\nua.oschadbank.online\r\nua.privatbank.ap24\r\ncom.Plus500\r\neu.unicreditgroup.hvbapptan\r\ncom.targo_prod.bad\r\ncom.db.pwcc.dbmobile\r\ncom.db.mm.norisbank\r\ncom.bitmarket.trader\r\ncom.plunien.poloniex\r\ncom.mycelium.wallet\r\ncom.bitfinex.bfxapp\r\ncom.binance.dev\r\ncom.binance.odapplications\r\ncom.blockfolio.blockfolio\r\ncom.crypter.cryptocyrrency\r\nio.getdelta.android\r\ncom.edsoftapps.mycoinsvalue\r\ncom.coin.profit\r\ncom.mal.saul.coinmarketcap\r\ncom.tnx.apps.coinportfolio\r\ncom.coinbase.android\r\nde.schildbach.wallet\r\npiuk.blockchain.android\r\ninfo.blockchain.merchant\r\ncom.jackpf.blockchainsearch\r\ncom.unocoin.unocoinwallet\r\ncom.unocoin.unocoinmerchantPoS\r\ncom.thunkable.android.santoshmehta364.UNOCOIN_LIVE\r\nwos.com.zebpay\r\ncom.localbitcoinsmbapp\r\ncom.thunkable.android.manirana54.LocalBitCoins\r\ncom.localbitcoins.exchange\r\ncom.coins.bit.local\r\ncom.coins.ful.bit\r\ncom.jamalabbasii1998.localbitcoin\r\nzebpay.Application\r\ncom.bitcoin.ss.zebpayindia\r\ncom.kryptokit.jaxx\r\nHOW COFENSE CAN HELP\r\nEvery day, the Cofense Phishing Defense Center analyzes phishing emails with malware payloads found in\r\nprotected email environments. 100% of the threats found by the Cofense PDC were identified by the end user. 0%\r\nwere stopped by technology.\r\nCondition users to be resilient to evolving phishing attacks with Cofense PhishMe and remove the blind spot with\r\nCofense Reporter. 
Cofense PhishMe offers a simulation template, “Electricity Bill Invoice – Anubis – Italian,” to\r\neducate users on the phishing tactic described in this blog.\r\nQuickly turn user-reported emails into actionable intelligence with Cofense Triage. Reduce exposure time by\r\nrapidly quarantining threats with Cofense Vision.\r\nEasily consume phishing-specific threat intelligence to proactively defend your organization against evolving\r\nthreats with Cofense Intelligence. Cofense Intelligence customers received further information about this threat in\r\nActive Threat Report (ATR) 33675 and the YARA Rule PM_Intel_Anubis_33675.\r\nThanks to our unique perspective, no one knows more about providing phishing awareness training and REAL\r\nphishing threats than Cofense. To understand them better, read the 2019 Phishing Threat \u0026 Malware Review.\r\nThe Cofense® and PhishMe® names and logos, as well as any other Cofense product or service names or logos\r\ndisplayed on this blog are registered trademarks or trademarks of Cofense Inc. All third-party trademarks\r\nreferenced by Cofense whether in logo form, name form or product form, or otherwise, remain the property of\r\ntheir respective holders, and use of these trademarks in no way indicates any relationship between Cofense and\r\nthe holders of the trademarks. Any observations contained in this blog regarding circumvention of end point\r\nprotections are based on observations at a point in time based on a specific set of system\r\nconfigurations. Subsequent updates or different configurations may be effective at stopping these or similar\r\nthreats.\r\nSource: https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"
	],
	"report_names": [
		"infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434749,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6e4b7c9b3825a5a7ab969041781395ad33c9159d.pdf",
		"text": "https://archive.orkl.eu/6e4b7c9b3825a5a7ab969041781395ad33c9159d.txt",
		"img": "https://archive.orkl.eu/6e4b7c9b3825a5a7ab969041781395ad33c9159d.jpg"
	}
}