{
	"id": "9d2befcd-0561-4157-a3c7-ff752f57bc05",
	"created_at": "2026-04-06T00:21:04.718016Z",
	"updated_at": "2026-04-10T03:30:33.415581Z",
	"deleted_at": null,
	"sha1_hash": "d8c44b1705f5debea5243bb09db089a7ce489aa6",
	"title": "Anubis (Malware Family)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78229,
	"plain_text": "Anubis (Malware Family)\r\nBy Fraunhofer FKIE\r\nArchived: 2026-04-05 13:57:23 UTC\r\nAnubis\r\naka: BankBot, android.bankbot, android.bankspy\r\nBleepingComputer found that Anubis will display fake phishing login forms when users open up apps for targeted\r\nplatforms to steal credentials. This overlay screen will be shown over the real app's login screen to make victims\r\nthink it's a legitimate login form when in reality, inputted credentials are sent to the attackers.\r\nIn the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:\r\nRecording screen activity and sound from the microphone\r\nImplementing a SOCKS5 proxy for covert communication and package delivery\r\nCapturing screenshots\r\nSending mass SMS messages from the device to specified recipients\r\nRetrieving contacts stored on the device\r\nSending, reading, deleting, and blocking notifications for SMS messages received by the device\r\nScanning the device for files of interest to exfiltrate\r\nLocking the device screen and displaying a persistent ransom note\r\nSubmitting USSD code requests to query bank balances\r\nCapturing GPS data and pedometer statistics\r\nImplementing a keylogger to steal credentials\r\nMonitoring active apps to mimic and perform overlay attacks\r\nStopping malicious functionality and removing the malware from the device\r\nReferences\r\n2025-05-19 ⋅ cocomelonc ⋅\r\nAIYA - Mobile malware development book. First edition\r\nAndroRAT Anubis CraxsRAT Dendroid FakeGram Hydra IPStorm SpyNote\r\n2022-07-11 ⋅ Security Affairs ⋅ Pierluigi Paganini\r\nAnubis Networks is back with new C2 server\r\nAnubis\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis\r\nPage 1 of 4\n\n2022-05-29 ⋅ muha2xmad ⋅ Muhammad Hasan Ali\r\nFull Anubis android malware analysis\r\nAnubis\r\n2022-03-01 ⋅ VirusTotal ⋅ VirusTotal\r\nVirusTotal's 2021 Malware Trends Report\r\nAnubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT\r\nOrcus RAT\r\n2021-08-27 ⋅ 0x1c3n.tech ⋅ 0x1c3N\r\nAnubis Android Malware Analysis\r\nAnubis\r\n2021-04-28 ⋅ ThreatFabric ⋅ ThreatFabric\r\nThe Rage of Android Banking Trojans\r\nAnubis Gustuff Medusa\r\n2021-02-24 ⋅ RiskIQ ⋅ Jordan Herman\r\nTurkey Dog: Cerberus and Anubis Banking Trojans Target Turkish Speakers\r\nAnubis Cerberus\r\n2020-12-10 ⋅ Intel 471 ⋅ Intel 471\r\nNo pandas, just people: The current state of China’s cybercrime underground\r\nAnubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT\r\n2020-11-21 ⋅ Medium Intel-Honey ⋅ Twitter (@intel_honey)\r\nReversing Anubis Malware\r\nAnubis\r\n2020-07-04 ⋅ N1ght-W0lf Blog ⋅ Abdallah Elshinbary\r\nDeep Analysis of Anubis Banking Malware\r\nAnubis\r\n2020-05-09 ⋅ BushidoToken ⋅ BushidoToken\r\nTurkey targeted by Cerberus and Anubis Android banking Trojan campaigns\r\nAnubis Cerberus\r\n2020-04-23 ⋅ Youtube (Lukas Stefanko) ⋅ Lukáš Štefanko\r\nAndroid banking Trojan Anubis | Malware demo | infected device | covid19 | targets Italy\r\nAnubis\r\n2020-03-26 ⋅ Bitdefender ⋅ Liviu Arsene\r\nAndroid Apps and Malware Capitalize on Coronavirus\r\nAnubis Joker\r\n2020-02-25 ⋅ Kaspersky Labs ⋅ Victor Chebyshev\r\nMobile malware evolution 2019\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis\r\nPage 2 of 4\n\nAnubis Asacub Dvmap FlexNet HiddenAd Marcher Svpeng Triada\r\n2020-02-01 ⋅ ThreatFabric ⋅ ThreatFabric\r\n2020 - Year of the RAT\r\nAnubis Cerberus Ginp Gustuff Hydra\r\n2019-04-07 ⋅ Eybisi ⋅ Eybisi\r\nMobile Malware Analysis : Tricks used in Anubis\r\nAnubis\r\n2019-03-13 ⋅ Pentest Blog ⋅ Ahmet Bilal Can\r\nN Ways to Unpack Mobile Malware\r\nAnubis\r\n2019-01-17 ⋅ Trend Micro ⋅ Kevin Sun\r\nGoogle Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics\r\nAnubis\r\n2018-09-10 ⋅ Security Boulevard ⋅ Gary Warner\r\nAndroid Malware Intercepts SMS 2FA: We have the Logs\r\nAnubis\r\n2018-08-30 ⋅ Random RE ⋅ sysopfb\r\nManually unpacking Anubis APK\r\nAnubis\r\n2018-03-13 ⋅ PhishLabs ⋅ Joshua Shilko\r\nNew Variant of BankBot Banking Trojan Ups Ante, Cashes Out on Android Users\r\nAnubis\r\n2017-11-21 ⋅ ESET Research ⋅ Lukáš Štefanko\r\nNew campaigns spread banking malware through Google Play\r\nAnubis\r\n2017-09-19 ⋅ Fortinet ⋅ Dario Durando\r\nA Look Into The New Strain Of BankBot\r\nAnubis\r\n2017-07-27 ⋅ Security Intelligence ⋅ Limor Kessem, Shachar Gritzman\r\nAfter Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play\r\nAnubis\r\n2017-05-30 ⋅ Koodous ⋅ entdark\r\nBankbot on Google Play\r\nAnubis\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis\r\nPage 3 of 4\n\n2017-05-09 ⋅ Lukáš Štefanko\r\nTracking Android BankBot\r\nAnubis\r\n2017-04-26 ⋅ Fortinet ⋅ Dario Durando, David Maciejak\r\nBankBot, the Prequel\r\nAnubis\r\n2017-04-13 ⋅ Koodous ⋅ Koodous Blog\r\nDecrypting Bankbot communications.\r\nAnubis\r\nThere is no Yara-Signature yet.\r\nSource: https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis\r\nhttps://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis"
	],
	"report_names": [
		"apk.anubis"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434864,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d8c44b1705f5debea5243bb09db089a7ce489aa6.pdf",
		"text": "https://archive.orkl.eu/d8c44b1705f5debea5243bb09db089a7ce489aa6.txt",
		"img": "https://archive.orkl.eu/d8c44b1705f5debea5243bb09db089a7ce489aa6.jpg"
	}
}