{
	"id": "1644c76a-a102-4876-be38-31f1a1cca6fc",
	"created_at": "2026-04-06T00:07:28.651295Z",
	"updated_at": "2026-04-10T03:30:33.368713Z",
	"deleted_at": null,
	"sha1_hash": "e60d778b85e5233e092f4a958da1679c243539c9",
	"title": "Anubis Mobile Malware Strikes Again As Fake Antivirus",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1360905,
	"plain_text": "Anubis Mobile Malware Strikes Again As Fake Antivirus\r\nPublished: 2021-05-02 · Archived: 2026-04-05 12:55:56 UTC\r\nMobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus\r\nAnubis is an Android banking Trojan created and advertised by a threat actor using the nickname “maza-in”. The family is best known for overlay attacks, which it combines with screen streaming, sound recording, remote file browsing, keylogging and the ability to turn the infected device into a network proxy. Together these features make it an effective banking Trojan and a capable spying tool.\r\nIn practice the malware tricks victims into entering confidential data such as online banking credentials, banking security codes and credit card details into fake screens drawn over legitimate apps. Being a banking Trojan does not mean that an Anubis sample masquerades as a banking app; in most cases it is disguised as some other third-party app. Disguises seen so far include fake mobile games, software updates, post/mail apps, Flash Player apps, utility apps, fake browsers and even social-network and messaging apps. 
\r\nThe list of Anubis malware features is shown below: \r\nOverlaying: Static (hardcoded in bot) \r\nOverlaying: Dynamic (C2 based) \r\nKeylogging \r\nContact list collection \r\nScreen streaming \r\nSound recording \r\nSMS harvesting: SMS forwarding \r\nSMS blocking \r\nSMS sending \r\nFiles/pictures collection \r\nCalls: USSD request making \r\nRansomware: Cryptolocker \r\nRemote actions: Data-wiping \r\nRemote actions: Back-connect proxy \r\nNotifications: Push notifications \r\nC2 Resilience: Twitter/Telegram C2 update channels \r\nhttps://cyble.com/blog/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/\r\nPage 1 of 10\n\nSome of the common delivery techniques used by Anubis are: \r\nGoogle Play campaigns: \r\nBypassing Google Play’s security checks and spreading the Trojan through the official app store. \r\nSpam campaigns: \r\nSMS or e-mail messages asking the recipient to install or update some legitimate application, with a link that actually delivers the malware. \r\nWeb redirection: \r\nAdvertisements, compromised sites and traffic exchanges redirect the victim to a fake landing page that serves the malicious app. \r\nIn a recent tweet, a security engineer shared information about a fake antivirus Android app camouflaged as a well-known antivirus product and hosted on an unsecured (plain HTTP) web server. Following the link from the search engine leads to a directory index page listing a file named “Avast Antivirus ULTIMATE 2021.apk”; selecting it downloads the APK. \r\nScanning the downloaded file with VirusTotal showed it to be a variant of the Anubis banking Trojan, detected by multiple antivirus signatures, as shown in Figure 1. 
\r\nFigure 1 VirusTotal Detections of the App \r\nFor further analysis, Cyble’s SaaS threat intelligence platform Cyble Vision was used to fetch more information on the application, using the digest from the VirusTotal result. \r\nFigure 2 Information available in the Cyble Threat Intelligence Platform \r\nTechnical Analysis: \r\nDigest used for our analysis: 34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb \r\nPackage Name: wocwvy.czyxoxmbauu.slsa \r\nMain Activity: wocwvy.czyxoxmbauu.slsa.ncec.myvbo \r\nStatic analysis of the app showed that this sample closely resembles the Cerberus banking Trojan, which likewise steals victim data in order to access their bank accounts. The permissions used by this malware are listed in Fig. 3. \r\nFigure 3 Permissions requested by the app \r\nWhen opened, the app asks the user to enable its accessibility service from the device settings, claiming this is needed for the app to work fully. Once the service is enabled, the app uses it to block attempts to uninstall it and to perform screen taps and other input without the user’s knowledge. 
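The settings this sample coaxes the user into changing are visible from outside the app, which makes them a cheap endpoint check. The following Python script is an added example, not code from the Cyble post or from the sample: it reads the accessibility services enabled on a connected device (adb shell settings get secure enabled_accessibility_services) and the installed third-party packages (adb shell pm list packages -3), then flags any accessibility service outside an allowlist and any occurrence of the package name from this analysis. The allowlist, the sample device output and the service class name wocwvy.czyxoxmbauu.slsa/.svc are constructed for the example; the page does not say which of the sample’s classes implements the accessibility service.

```python
import subprocess

# Constructed allowlist: accessibility services a fleet owner expects to see enabled
# (a screen reader here). Anything else holding this capability deserves a look,
# because Anubis-class Trojans use it for tap automation and to block their own removal.
EXPECTED_ACCESSIBILITY_SERVICES = {
    'com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService',
}

# Package name of the sample analysed on this page.
KNOWN_BAD_PACKAGES = {'wocwvy.czyxoxmbauu.slsa'}


def parse_enabled_accessibility_services(raw):
    # `settings get secure enabled_accessibility_services` prints 'null' or an empty
    # string when nothing is enabled, otherwise package/class pairs joined by ':'.
    raw = raw.strip()
    if raw in ('', 'null'):
        return []
    return [entry for entry in raw.split(':') if entry]


def parse_pm_list_packages(raw):
    # `pm list packages -3` prints one 'package:<name>' line per third-party app.
    prefix = 'package:'
    return [line.strip()[len(prefix):] for line in raw.splitlines()
            if line.strip().startswith(prefix)]


def triage(accessibility_raw, packages_raw,
           expected=EXPECTED_ACCESSIBILITY_SERVICES, known_bad=KNOWN_BAD_PACKAGES):
    # Returns (finding, value) tuples; an empty list means nothing stood out.
    findings = []
    for service in parse_enabled_accessibility_services(accessibility_raw):
        package = service.split('/', 1)[0]
        if service not in expected:
            findings.append(('unexpected_accessibility_service', service))
        if package in known_bad:
            findings.append(('ioc_package_holds_accessibility', package))
    for package in parse_pm_list_packages(packages_raw):
        if package in known_bad:
            findings.append(('ioc_package_installed', package))
    return findings


def adb_shell(command):
    # Needs adb on PATH and a device that has authorised this host for debugging.
    result = subprocess.run(['adb', 'shell', command], capture_output=True,
                            text=True, check=True)
    return result.stdout


def triage_connected_device():
    return triage(adb_shell('settings get secure enabled_accessibility_services'),
                  adb_shell('pm list packages -3'))


# Constructed device output, shaped like a phone on which the sample has been granted
# accessibility access. The class name '.svc' is a placeholder, not taken from the sample.
SAMPLE_ACCESSIBILITY = ('com.google.android.marvin.talkback/'
                        'com.google.android.marvin.talkback.TalkBackService:'
                        'wocwvy.czyxoxmbauu.slsa/.svc')
SAMPLE_PACKAGES = '''package:com.whatsapp
package:wocwvy.czyxoxmbauu.slsa
'''

if __name__ == '__main__':
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES):
        print(finding)
```

Call triage_connected_device() with an authorised device attached; the constructed SAMPLE_* strings let the parsing and matching be exercised offline. An unexpected accessibility service on a phone whose owner does not use a screen reader deserves the same treatment as this sample: pull the APK (adb shell pm path <package>) and read its manifest.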
\r\nFigure 4 Accessibility service needs to be enabled for the app \r\nSome of the suspicious permissions, receivers and services in the application that may be used for malicious activity are listed below: \r\nPermissions \r\nandroid.permission.SYSTEM_ALERT_WINDOW \r\nandroid.permission.GET_TASKS \r\nandroid.permission.RECEIVE_SMS \r\nandroid.permission.INTERNET \r\nandroid.permission.READ_SMS \r\nandroid.permission.PACKAGE_USAGE_STATS \r\nServices: \r\nwocwvy.czyxoxmbauu.slsa.lmimy \r\nwocwvy.czyxoxmbauu.slsa.wfveenegvz \r\nwocwvy.czyxoxmbauu.slsa.frvvkgp \r\nwocwvy.czyxoxmbauu.slsa.ukhakhcgifofl \r\nwocwvy.czyxoxmbauu.slsa.jtfxlnc \r\nwocwvy.czyxoxmbauu.slsa.blkzyyyfc \r\nwocwvy.czyxoxmbauu.slsa.whemsbk \r\nwocwvy.czyxoxmbauu.slsa.nepgaqmyfrhw \r\nwocwvy.czyxoxmbauu.slsa.clgqtzqdh \r\nwocwvy.czyxoxmbauu.slsa.usbvhkriufnc \r\nwocwvy.czyxoxmbauu.slsa.egxltnv \r\nwocwvy.czyxoxmbauu.slsa.kldqwysgkfcrmq \r\nwocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.jkeggfql \r\nwocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.nvsdtnxkzjgw \r\nwocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.brtltydqhiuqbb \r\nwocwvy.czyxoxmbauu.slsa.xelytgswelv \r\nwocwvy.czyxoxmbauu.slsa.mvqkjokaxfrpf \r\nwocwvy.czyxoxmbauu.slsa.wahiuolww \r\nwocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.cpysnikhf \r\nwocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.wifu \r\nwocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.dshd \r\nwocwvy.czyxoxmbauu.slsa.kuv.sfswwunyakpjr \r\nwocwvy.czyxoxmbauu.slsa.ttiegryczsx \r\nwocwvy.czyxoxmbauu.slsa.blyvffs \r\nReceivers: \r\nwocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.cmtstflxlxb \r\nwocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.qpgopfninoaazln \r\nwocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hypihteeavv 
\r\nwocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hwfe \r\nIntent Filters by Action: \r\nandroid.intent.action.RESPOND_VIA_MESSAGE \r\nandroid.accessibilityservice.AccessibilityService \r\nandroid.intent.action.MAIN \r\nandroid.intent.action.SEND \r\nandroid.intent.action.SENDTO \r\nandroid.provider.Telephony.WAP_PUSH_DELIVER \r\nandroid.provider.Telephony.SMS_DELIVER \r\nandroid.intent.action.PACKAGE_ADDED \r\nandroid.intent.action.PACKAGE_REMOVED \r\nandroid.provider.Telephony.SMS_RECEIVED \r\nandroid.net.conn.CONNECTIVITY_CHANGE \r\nandroid.net.wifi.WIFI_STATE_CHANGED \r\nThe combination of SMS_DELIVER, WAP_PUSH_DELIVER, SEND, SENDTO and RESPOND_VIA_MESSAGE is exactly the set of components an app must declare to be offered to the user as the default SMS handler, which is how the Trojan gets at incoming one-time codes; an antivirus app has no reason to declare it. \r\nUsing the above permissions granted by the user, the following activities are performed on the device: \r\n1. The app tries to obtain the accessibility permission for UI automation \r\nFigure 5 Starts Activity based on Accessibility permission \r\n2. The malware has the device exempt it from battery optimisation so that it keeps running in the background \r\nFigure 6 Checks for package and ignores Battery Optimization \r\n3. It removes active device-administrator access through the device policy manager \r\nFigure 7 Removing Active Admin User \r\n4. The malware queries the list of currently running apps and the most recently used apps, which is what an overlay Trojan needs in order to know when a targeted app is in the foreground \r\nFigure 8 Stores the list of recent running apps \r\n5. The malware protects itself from being removed or uninstalled and hides its icon from the application launcher \r\nFigure 9 Hides from the application launcher through package manager \r\n6. It monitors incoming text messages and reconstructs them from the raw PDUs \r\nFigure 10 Gets Inflow of text messages \r\n7. 
Gets the phone contacts from the victim’s device \r\nFigure 11 Queries the Phone contacts \r\nAll data collected from the device is sent to the C2 server. The C2 address is stored encrypted in this app; the encryption used is AES, with the key shown in Fig. 12. \r\nFigure 12 Encryption Technique used \r\nThe same encryption routine is called from multiple classes and methods, as shown in Fig. 13. \r\nFigure 13 Uses of the Encryption Technique \r\nDecrypting the string, and confirming it through dynamic analysis of the sample, showed that the collected data is sent to a C2 URL already known for this Anubis variant. \r\nC2 link: hxxp://darkweb[.]bitcoingen[.]store//o1o/a16[.]php \r\nUnder normal circumstances, before downloading, users can get a first indication of whether an APK is authentic or fake from the following criteria: \r\n1. Source of the file. Whether the download site is secure (HTTPS, the vendor’s own domain or an official store) or not is a good indicator of whether the app is genuine; before downloading an application from an unknown source such as an arbitrary web URL, check where it really comes from. \r\n2. Size of the app. A fake app is often much smaller than the authentic one it imitates. \r\n3. Spelling errors or icon mismatches can also help distinguish fake apps from genuine ones. \r\nNone of these is conclusive on its own (a trojanised repack of a real app can be large and served over HTTPS), but together they are a cheap first filter. \r\nBy these parameters, the APK downloaded from the provided URL was identified as a fake app. The downloaded app is only around 500 KB, whereas a real antivirus APK is typically several MB. 
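The permission, service, receiver and intent-filter inventory above is what a triage script can score mechanically. The following Python is an added example, not code from the Cyble post or from the sample: it parses a decoded AndroidManifest.xml (the text form apktool writes when run as apktool d sample.apk), weights the capabilities this sample declares, and reports whether the overlay-banker combination (accessibility service plus overlay window plus SMS access) is present. The weights, the two constructed manifests and the placeholder component names are the example’s own; the page gives the package name, the permissions and the intent actions, not which class does what.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = '{http://schemas.android.com/apk/res/android}'

# Weights are a judgement call for this example. Each entry is a capability the
# page shows the sample using; none of them belongs in an antivirus app.
PERMISSION_WEIGHTS = {
    'android.permission.SYSTEM_ALERT_WINDOW': 2,        # overlays on top of other apps
    'android.permission.RECEIVE_SMS': 2,                # intercept one-time codes
    'android.permission.READ_SMS': 2,
    'android.permission.SEND_SMS': 1,
    'android.permission.PACKAGE_USAGE_STATS': 1,        # which app is in the foreground
    'android.permission.GET_TASKS': 1,
    'android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS': 1,
}
ACTION_WEIGHTS = {
    'android.accessibilityservice.AccessibilityService': 3,  # UI automation, anti-uninstall
    'android.provider.Telephony.SMS_DELIVER': 2,              # wants to be the default SMS app
    'android.provider.Telephony.SMS_RECEIVED': 1,
    'android.app.action.DEVICE_ADMIN_ENABLED': 2,
}
SMS_PERMISSIONS = {'android.permission.RECEIVE_SMS', 'android.permission.READ_SMS'}


def analyse_manifest(manifest_xml):
    # Expects a decoded (text) AndroidManifest.xml such as apktool produces,
    # not the binary XML stored inside the APK itself.
    root = ET.fromstring(manifest_xml)
    permissions = {el.get(ANDROID_NS + 'name') for el in root.iter('uses-permission')}
    actions = {el.get(ANDROID_NS + 'name') for el in root.iter('action')}
    score = sum(w for name, w in PERMISSION_WEIGHTS.items() if name in permissions)
    score += sum(w for name, w in ACTION_WEIGHTS.items() if name in actions)
    # The overlay-banker pattern: accessibility service + overlay window + SMS access.
    pattern = ('android.accessibilityservice.AccessibilityService' in actions
               and 'android.permission.SYSTEM_ALERT_WINDOW' in permissions
               and bool(permissions & SMS_PERMISSIONS))
    return {
        'package': root.get('package'),
        'score': score,
        'overlay_banker_pattern': pattern,
        'flagged': sorted(permissions & set(PERMISSION_WEIGHTS))
                   + sorted(actions & set(ACTION_WEIGHTS)),
    }


# Constructed manifest reproducing the permissions and intent actions listed for the
# sample. The package name is the sample's; the component class names are placeholders.
SAMPLE_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='wocwvy.czyxoxmbauu.slsa'>
  <uses-permission android:name='android.permission.SYSTEM_ALERT_WINDOW'/>
  <uses-permission android:name='android.permission.GET_TASKS'/>
  <uses-permission android:name='android.permission.RECEIVE_SMS'/>
  <uses-permission android:name='android.permission.INTERNET'/>
  <uses-permission android:name='android.permission.READ_SMS'/>
  <uses-permission android:name='android.permission.PACKAGE_USAGE_STATS'/>
  <application>
    <activity android:name='.Main'>
      <intent-filter><action android:name='android.intent.action.MAIN'/></intent-filter>
    </activity>
    <service android:name='.A11y' android:permission='android.permission.BIND_ACCESSIBILITY_SERVICE'>
      <intent-filter><action android:name='android.accessibilityservice.AccessibilityService'/></intent-filter>
    </service>
    <receiver android:name='.SmsIn' android:permission='android.permission.BROADCAST_SMS'>
      <intent-filter>
        <action android:name='android.provider.Telephony.SMS_DELIVER'/>
        <action android:name='android.provider.Telephony.SMS_RECEIVED'/>
      </intent-filter>
    </receiver>
  </application>
</manifest>'''

# Constructed manifest of an ordinary app, for contrast.
BENIGN_MANIFEST = '''<manifest xmlns:android='http://schemas.android.com/apk/res/android'
          package='com.example.notes'>
  <uses-permission android:name='android.permission.INTERNET'/>
  <application>
    <activity android:name='.Main'>
      <intent-filter><action android:name='android.intent.action.MAIN'/></intent-filter>
    </activity>
  </application>
</manifest>'''

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MANIFEST
    print(analyse_manifest(text))
```

Run it as python triage_manifest.py path/to/AndroidManifest.xml; with no argument it scores the constructed sample, which comes out at 14 with the overlay-banker pattern set, against 0 for the benign manifest. The score is only a sorting aid for a queue of downloaded APKs; the pattern flag is the part worth alerting on.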
Also, the source of the file in this case is an unsecured site, which would not be the case for an authentic app, which is published on the vendor’s own website or redirects from there to an official app store. \r\nSafety Recommendations: \r\n1. Keep your antivirus software updated to detect and prevent malware infections. \r\n2. Keep your system and applications updated. \r\n3. Use strong passwords and enable two-factor authentication for logins. \r\n4. Verify the privileges and permissions requested by an app before granting access; an antivirus app has no reason to become your default SMS handler or an accessibility service. \r\n5. People concerned about the exposure of their stolen credentials on the dark web can register at AmiBreached.com to ascertain their exposure. \r\nMITRE ATT\u0026CK® Techniques- for Mobile \r\nTactic | Technique ID | Technique Name \r\nDefense Evasion | T1418, T1406 | Application Discovery; Obfuscated Files or Information \r\nCredential Access | T1412 | Capture SMS Messages \r\nDiscovery | T1421, T1430, T1418, T1426, T1424 | System Network Connections Discovery; Location Tracking; Application Discovery; System Information Discovery; Process Discovery \r\nCollection | T1432, T1433, T1430, T1429, T1507, T1412 | Access Contact List; Access Call Log; Location Tracking; Capture Audio; Network Information Discovery; Capture SMS Messages \r\nCommand and Control | T1573, T1071, T1571 | Encrypted Channel; Application Layer Protocol; Non-Standard Port \r\nImpact | T1447 | Delete Device Data \r\nIndicators of Compromise (IoCs): \r\nIoC | IoC Type \r\n34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb | SHA256 \r\nandroid.accessibilityservice.AccessibilityService | Intent by Action \r\nhxxp://darkweb[.]bitcoingen[.]store//o1o/a16[.]php | Interesting URL \r\nhxxp://darkweb[.]bitcoingen[.]store/ | Interesting URL \r\n172.217.15[.]106 | IP address \r\n64.233.165[.]95 | IP address \r\n173.194.222[.]95 | IP address \r\ndata/data/wocwvy.czyxoxmbauu.slsa/shared_prefs/set.xml | File path dropped \r\nTwo caveats when consuming these IoCs: the accessibility-service intent action is declared by every legitimate accessibility app, so it is a hunting pivot rather than a detection on its own; and the three IP addresses fall in address space announced by Google (AS15169) and are reached by a great many benign apps, so they are context, not blocking indicators. \r\nAbout Cyble: \r\nCyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the dark web. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com. \r\nSource: https://cyble.com/blog/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://cyble.com/blog/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/"
	],
	"report_names": [
		"mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775791833,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e60d778b85e5233e092f4a958da1679c243539c9.pdf",
		"text": "https://archive.orkl.eu/e60d778b85e5233e092f4a958da1679c243539c9.txt",
		"img": "https://archive.orkl.eu/e60d778b85e5233e092f4a958da1679c243539c9.jpg"
	}
}