{
	"id": "97d875c9-cea1-4c1e-8f8c-3b54520d1a51",
	"created_at": "2026-04-06T00:11:32.994822Z",
	"updated_at": "2026-04-10T03:30:33.011159Z",
	"deleted_at": null,
	"sha1_hash": "bf3a4dc33b9437d16728cd2e357b76d26de20b6e",
	"title": "Google Play Apps Drop Anubis, Use Motion-based Evasion",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 801192,
	"plain_text": "Google Play Apps Drop Anubis, Use Motion-based Evasion\r\nBy Kevin Sun\r\nPublished: 2019-01-17 · Archived: 2026-04-05 23:48:43 UTC\r\nWe recently found two malicious apps on Google Play that drop wide-reaching banking malware. The two apps were disguised as useful tools, simply named Currency Converter and BatterySaverMobi. Google has confirmed that both of these apps are no longer on the Play Store.\r\nThe battery app logged more than 5,000 downloads before it was taken down and boasted a score of 4.5 stars from 73 reviewers. However, a close look at the posted reviews shows signs that they may not have been valid: some anonymous usernames were spotted, and a few review statements are illogical and lack detail.\r\nWe looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER). Upon analysis of the payload, we noted that the code is strikingly similar to known Anubis samples. We also saw that it connects to a command and control (C\u0026C) server with the domain aserogeege.space, which is linked to Anubis as well.\r\nBesides aserogeege.space, 18 other malicious domains map to the IP address 47.254.26.2, and we confirmed that Anubis uses the subpath of these domains. 
These domains change IP addresses quite frequently and may have switched six times since October 2018, showing just how active this particular campaign is.\r\nFigure 1. Images of the malicious apps on Google Play\r\nTable 1. Victim distribution for all BatterySaverMobi samples\r\nHow the apps evade detection\r\nThese apps don’t just use traditional evasion techniques; they also use the user's and device's motion to hide their activities.\r\nAs a user moves, their device usually generates some amount of motion sensor data. The malware developer assumes that a sandbox used for scanning malware is an emulator with no motion sensors, and so will not produce that type of data. If that holds, the developer can determine whether the app is running in a sandbox simply by checking for sensor data.\r\nThe malicious app monitors the user's steps through the device motion sensor. If it senses that the user and the device are not moving (that is, it sees no sensor data and may therefore be running in a sandbox), the malicious code will not run. The heuristic is brittle in both directions: a phone lying on a desk produces little motion data, and an analysis environment can feed synthetic sensor readings to the emulator so that the check passes.\r\nFigure 2. 
The malware tracks the user's movement; the malicious code will run if it senses motion\r\nCommand    Action\r\n“::apk::”  Download an APK and trick the user into installing it\r\n“kill”     Stop running the malicious code\r\nTable 2. C\u0026C server commands\r\nIf the malicious code runs, the app will try to trick users into downloading and installing its payload APK with a fake system update.\r\nFigure 3. Fake system update\r\nOne of the ways the app developers hide the malicious server is by encoding it in Telegram and Twitter webpage requests. The banking malware dropper requests a Telegram or Twitter page once it trusts the running device. By parsing the response’s HTML content, it obtains the C\u0026C server (aserogeege.space). It then registers with the C\u0026C server and checks for commands with an HTTP POST request. If the server responds with the APK command and attaches the download URL, the Anubis payload is dropped in the background, and the app tries to trick users into installing it with the fake system update shown in Figure 3. This is a dead drop resolver: the requests to Telegram or Twitter look like ordinary traffic to legitimate services, so defenders are better served by watching for the follow-on registration POST to the resolved domain than by trying to block the lookup itself.\r\nFigure 4. The encoded server URL; decoding the text results in the URL of the C\u0026C server\r\nThe Anubis payload\r\nThe Anubis malware masquerades as a benign app, prompts the user to grant it accessibility rights, and also tries to steal account information.\r\n
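The dropper's decision chain described above (the motion-sensor gate, the Telegram or Twitter page that yields the C\u0026C host, and the “::apk::” and “kill” commands of Table 2), as an added Python simulation written for this page; it is not the malware's code or Trend Micro's tooling. The token markers, the base64 encoding of the host, the placement of the download URL after “::apk::”, and the accelerometer readings and HTML page are assumptions constructed for the example; the article does not give the real encoding.

```python
# Added example (not the malware's code): a simulation of the dropper logic the
# article describes, used here to reason about the evasion and its countermeasure.
# Assumptions made for illustration, not stated in the article: the dead-drop
# token sits between '[[' and ']]' markers and is base64, and the '::apk::'
# command carries its download URL after the keyword.
import base64
import random
import statistics
from html.parser import HTMLParser

GRAVITY = 9.81  # m/s^2, what a resting accelerometer reports on its z axis

def motion_detected(samples, threshold=0.5):
    # The gate from the article: no sensor data (an emulator without sensors)
    # or a perfectly still device means the malicious branch never runs.
    # samples: list of (x, y, z) accelerometer readings in m/s^2.
    if len(samples) < 2:
        return False
    magnitudes = [(x * x + y * y + z * z) ** 0.5 for x, y, z in samples]
    return statistics.pstdev(magnitudes) > threshold

def synthetic_walking(n=50, seed=1):
    # Sandbox-side countermeasure: feed the app noisy, plausible readings so the
    # gate cannot distinguish the analysis environment from a phone in a pocket.
    rng = random.Random(seed)
    return [(rng.gauss(0.0, 1.5), rng.gauss(0.0, 1.5), GRAVITY + rng.gauss(0.0, 2.0))
            for _ in range(n)]

class _TextCollector(HTMLParser):
    # Gathers the visible text of a page so the token is found regardless of markup.
    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)

HOST_CHARS = set('abcdefghijklmnopqrstuvwxyz0123456789.-')

def resolve_c2(page_html, start='[[', end=']]'):
    # Dead-drop resolution: parse a public Telegram/Twitter page for the encoded
    # C2 host. Returns the host, or None if nothing decodes to a sane hostname.
    collector = _TextCollector()
    collector.feed(page_html)
    text = ' '.join(collector.chunks)
    i = text.find(start)
    j = text.find(end, i + len(start)) if i >= 0 else -1
    if i < 0 or j < 0:
        return None
    token = text[i + len(start):j].strip()
    try:
        host = base64.b64decode(token, validate=True).decode('ascii').lower()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if not host or '.' not in host or set(host) - HOST_CHARS:
        return None
    return host

def handle_command(response):
    # Table 2 of the article: '::apk::' downloads an APK and tricks the user into
    # installing it; 'kill' stops the malicious code. Anything else is ignored.
    body = response.strip()
    if body.startswith('::apk::'):
        return ('download_apk', body[len('::apk::'):].strip())
    if body == 'kill':
        return ('stop', None)
    return ('ignore', None)

def run_dropper(samples, page_html, c2_response):
    # One poll of the dropper: gate on motion, resolve the C2, act on its reply.
    if not motion_detected(samples):
        return {'state': 'dormant', 'c2': None, 'action': None}
    c2 = resolve_c2(page_html)
    if c2 is None:
        return {'state': 'no_c2', 'c2': None, 'action': None}
    return {'state': 'active', 'c2': c2, 'action': handle_command(c2_response)}

# Constructed inputs for the example (not captured samples or a real page).
EMULATOR_SAMPLES = [(0.0, 0.0, GRAVITY)] * 50
DEAD_DROP_PAGE = ('<html><body><div class=msg>status update [['
                  + base64.b64encode(b'aserogeege.space').decode('ascii')
                  + ']] have a nice day</div></body></html>')

if __name__ == '__main__':
    print(run_dropper(EMULATOR_SAMPLES, DEAD_DROP_PAGE, 'kill'))
    print(run_dropper(synthetic_walking(), DEAD_DROP_PAGE,
                      '::apk:: http://aserogeege.space/update.apk'))
```

Run stand-alone, the first call stays dormant because the constant emulator readings have zero variance, and the second reaches the C\u0026C and receives an APK command. The synthetic_walking() readings are the analyst's answer to this evasion: an emulator that injects plausible sensor noise makes the gate pass. resolve_c2 refuses anything that does not decode to a plain hostname, the same check a sandbox should apply before following a decoded URL.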
Banking trojans usually launch a fake overlay screen when the user accesses a target app and steal information when the user inputs account credentials into the overlay. However, Anubis’ process is a little different. It has a built-in keylogger that can simply steal a user’s account credentials by logging keystrokes; the accessibility permission it requests is what makes this possible, since an accessibility service can observe text entered in other apps without an overlay. The malware can also take a screenshot of the infected user’s screen, which is another way to get the victim’s credentials.\r\nOur data shows that the latest version of Anubis has been distributed to 93 different countries and targets the users of 377 variations of financial apps to farm account details. We can also see that, if Anubis successfully runs, an attacker would gain access to contact lists as well as location. It would also have the ability to record audio, send SMS messages, make calls, and alter external storage. Anubis can use these permissions to send spam messages to contacts, call numbers from the device, and perform other malicious activities. Previous research from security company Quick Heal Technologies shows that versions of Anubis even function as ransomware.\r\nFigure 5. Some of the financial apps Anubis targets\r\nGaps in mobile security can lead to severe consequences for many users because devices are used to hold so much information and connect to many different accounts.\r\n
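For defenders, the practical use of this report is the C\u0026C infrastructure it names: the domains and the IP address 47.254.26.2 listed in the Indicators of Compromise section. The following added Python example, written for this page and not part of Trend Micro's tooling, matches those indicators against DNS and proxy log lines. The log lines and their record formats are constructed for the example; only the domains and the IP address come from the report.

```python
# Added example (not Trend Micro's tooling): checking DNS and proxy logs against
# the C2 indicators listed in this report. The log lines below are constructed
# for the example; the domains and IP address are the ones the report names.
import ipaddress
from urllib.parse import urlsplit

C2_DOMAINS = {
    'areadozemode.space', 'selectnew25mode.space', 'twethujsnu.cc',
    'project2anub.xyz', 'taiprotectsq.xyz', 'uwannaplaygame.space',
    'projectpredator.space', 'nihaobrazzzahit.top', 'aserogeege.space',
    'hdfuckedin18.top', 'dingpsounda.space', 'wantddantiprot.space',
    'privateanbshouse.space', 'seconddoxed.space', 'firstdoxed.space',
    'oauth3.html5100.com', 'dosandiq.space', 'protect4juls.space',
    'wijariief.space', 'scradm.in',
}
C2_IPS = {'47.254.26.2'}

def host_matches(host):
    # Exact match or a subdomain of a listed indicator. The match is anchored on
    # a dot so lookalikes (notaserogeege.space, aserogeege.space.example.com)
    # are not flagged, and it is deliberately not widened to the parent of
    # oauth3.html5100.com, since the report only names that one host.
    h = host.lower().rstrip('.')
    if h in C2_DOMAINS:
        return h
    for d in C2_DOMAINS:
        if h.endswith('.' + d):
            return d
    return None

def scan_dns_log(lines):
    # Constructed format: '<timestamp> <client> <qname> <qtype> <answer>'.
    # Flags queries for the domains and answers that point at the C2 IP, which
    # also catches domains rotated in after this list was published.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        ts, client, qname, qtype, answer = parts[:5]
        d = host_matches(qname)
        if d:
            hits.append((ts, client, 'domain', d))
        elif answer in C2_IPS:
            hits.append((ts, client, 'ip', answer))
    return hits

def scan_proxy_log(lines):
    # Constructed format: '<timestamp> <client> <method> <url> <status>'.
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, method, url = parts[:4]
        host = urlsplit(url).hostname or ''
        d = host_matches(host)
        if d:
            hits.append((ts, client, 'domain', d))
        elif host in C2_IPS:
            hits.append((ts, client, 'ip', host))
    return hits

def infected_clients(*hit_lists):
    # Client addresses that touched any indicator, sorted as IP addresses.
    clients = {hit[1] for hits in hit_lists for hit in hits}
    return sorted(clients, key=ipaddress.ip_address)

# Constructed log lines (TEST-NET addresses for the benign answers).
DNS_LOG = [
    '2019-01-15T10:02:11Z 10.0.0.5 aserogeege.space A 47.254.26.2',
    '2019-01-15T10:02:12Z 10.0.0.5 www.example.com A 203.0.113.10',
    '2019-01-15T10:03:40Z 10.0.0.7 cdn.project2anub.xyz A 198.51.100.9',
    '2019-01-15T10:04:01Z 10.0.0.9 notaserogeege.space A 198.51.100.20',
    '2019-01-15T10:05:00Z 10.0.0.9 html5100.com A 198.51.100.21',
    '2019-01-15T10:06:00Z 10.0.0.11 fresh-rotated-domain.example A 47.254.26.2',
]
PROXY_LOG = [
    '2019-01-15T10:02:13Z 10.0.0.5 POST http://aserogeege.space/register 200',
    '2019-01-15T10:02:14Z 10.0.0.5 GET https://t.me/s/example_channel 200',
    '2019-01-15T10:07:00Z 10.0.0.12 GET http://47.254.26.2/ 200',
    '2019-01-15T10:08:00Z 10.0.0.13 GET http://aserogeege.space.example.com/ 200',
]

if __name__ == '__main__':
    dns_hits = scan_dns_log(DNS_LOG)
    proxy_hits = scan_proxy_log(PROXY_LOG)
    for hit in dns_hits + proxy_hits:
        print(hit)
    print('clients to triage:', infected_clients(dns_hits, proxy_hits))
```

Two points from the sample run are worth noting. The request to t.me is the dead-drop lookup and is never flagged by indicator matching, because it is traffic to a legitimate service; only the follow-on POST to the resolved host is. And the last DNS line shows why the IP is worth matching separately: the report says these domains rotate, so a name that is not yet on any list still stands out when it resolves to 47.254.26.2.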
Users should be wary of any app that asks for banking credentials in particular and be sure that it is legitimately linked to their bank.\r\nTrend Micro Solutions\r\nTrend Micro™ Mobile Security for Android™\r\nTrend Micro™ Mobile Security for Enterprise\r\nTrend Micro’s Mobile App Reputation Service\r\nIndicators of Compromise\r\nSHA-1 hashes (labelled IoCs in the source table):\r\nb012eb5538ad1d56c5bdf9fe9562791a163dffa4\r\nbc87c9fffcdac4eea1b84c62842ce1138fd90ed6\r\n7e025e21d445be9b6b12a9181ada4bab3db5819c\r\ne29c814c2527ebbac11398877beea2bc75b58ffd\r\nPayload (SHA-1):\r\n16fc9bc96f58ba35a04ade2d961b0108d135caa5\r\nCommand and control domains:\r\nareadozemode.space\r\nselectnew25mode.space\r\ntwethujsnu.cc\r\nproject2anub.xyz\r\ntaiprotectsq.xyz\r\nuwannaplaygame.space\r\nprojectpredator.space\r\nnihaobrazzzahit.top\r\naserogeege.space\r\nhdfuckedin18.top\r\ndingpsounda.space\r\nwantddantiprot.space\r\nprivateanbshouse.space\r\nseconddoxed.space\r\nfirstdoxed.space\r\noauth3.html5100.com\r\ndosandiq.space\r\nprotect4juls.space\r\nwijariief.space\r\nscradm.in\r\nSource: https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"
	],
	"report_names": [
		"google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434292,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bf3a4dc33b9437d16728cd2e357b76d26de20b6e.pdf",
		"text": "https://archive.orkl.eu/bf3a4dc33b9437d16728cd2e357b76d26de20b6e.txt",
		"img": "https://archive.orkl.eu/bf3a4dc33b9437d16728cd2e357b76d26de20b6e.jpg"
	}
}