Anubis Mobile Malware Strikes Again As Fake Antivirus
Published: 2021-05-02 · Archived: 2026-04-05 12:55:56 UTC

Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus

Anubis is an Android banking Trojan created and advertised by a threat actor with the nickname “maza-in”. This malware family carries out the well-known overlay attack and combines it with advanced features such as screen streaming, sound recording, remote file browsing, keylogging and the ability to act as a network proxy. These features make it an effective banking malware and a potential spying tool.

Generally, the malware works by tricking unsuspecting victims into submitting confidential and sensitive information such as online banking credentials, banking security codes and credit card details. Being a banking Trojan does not mean that an Anubis variant masquerades as a banking app; in most cases it is disguised as a third-party app. Disguises used by Anubis include fake mobile games, software updates, post/mail apps, Flash Player apps, utility apps, fake browsers and even social-network and communication apps.
The malware features of Anubis are listed below:

Overlaying: Static (hardcoded in bot)
Overlaying: Dynamic (C2 based)
Keylogging
Contact list collection
Screen streaming
Sound recording
SMS harvesting: SMS forwarding
SMS blocking
SMS sending
Files/pictures collection
Calls: USSD request making
Ransomware: Cryptolocker
Remote actions: Data-wiping
Remote actions: Back-connect proxy
Notifications: Push notifications
C2 resilience: Twitter/Telegram C2 update channels

Some of the common delivery techniques used by Anubis are:

Google Play campaigns: bypassing Google Play's security mechanisms and spreading the Trojan through the official app store.
Spam campaigns: SMS or emails asking the recipient to install or update a legitimate-looking application, with a link that leads to the malware.
Web redirection: advertisements on websites, hacked sites and traffic exchanges lure the victim to a fake landing page that hosts the malicious app.

In a recent tweet, a security engineer shared information about a fake antivirus Android app camouflaged as a well-known antivirus and served from an unsecured web source. Users who open the unsecure link found through a search engine are taken to an index page listing a file named “Avast Antivirus ULTIMATE 2021.apk”; selecting it downloads the APK.

Scanning the downloaded file with VirusTotal showed it to be a variant of the Anubis banking Trojan, detected by multiple antivirus signatures, as shown in Figure 1.
Figure 1: VirusTotal detections of the app

For further analysis, Cyble's SaaS threat intelligence platform, Cyble Vision, was used to fetch more information on the application using the digest from the VirusTotal result.

Figure 2: Information available in the Cyble Threat Intelligence Platform

Technical Analysis:

Digest used for our analysis: 34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb
Package name: wocwvy.czyxoxmbauu.slsa
Main activity: wocwvy.czyxoxmbauu.slsa.ncec.myvbo

Static analysis of the app showed the malware to be closer to the Cerberus banking Trojan, which likewise steals victim data in order to access their bank accounts. The permissions used by this malware are listed in Fig. 3.

Figure 3: Permissions requested by the app

On launch, the application asks the user to enable its accessibility service from the Settings app, which gives the app full control of the device's UI. Once the service is enabled, the app uses it to block attempts to revert the accessibility settings or uninstall the app, and to execute screen taps and other commands without the user's knowledge.
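As an added example (not code from the Cyble write-up), the Python script below applies the static signals this section describes to an APK on disk: it hashes the file against the digest given above, checks the file size against the "few MB" expectation for a real antivirus, and searches the binary AndroidManifest.xml for the permission and intent-action strings this report lists for the sample. The signal weights, the threshold, and the stand-in APK produced by `build_constructed_apk` are this example's own assumptions, not the report's.

```python
"""Static triage of an APK for the manifest signals described in this report.

Added example, not code from the Cyble write-up. Standard library only: the
APK is opened as a ZIP archive and its binary AndroidManifest.xml is searched
for permission and intent-action strings as raw bytes. Android binary XML
stores its string pool as UTF-16LE or UTF-8, so both encodings are tried; this
is a quick heuristic, not an AXML parser. REPORT_SHA256 is the digest the
report gives for the sample; weights and thresholds are this example's own.
"""
import hashlib
import os
import tempfile
import zipfile

REPORT_SHA256 = "34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb"

# Manifest strings the report lists for the sample, each with a weight chosen
# here (not by the report) to reflect how typical it is of overlay bankers.
SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,             # overlay windows
    "android.accessibilityservice.AccessibilityService": 3,  # UI automation, anti-uninstall
    "android.permission.RECEIVE_SMS": 2,
    "android.permission.READ_SMS": 2,
    "android.permission.PACKAGE_USAGE_STATS": 2,             # foreground-app discovery
    "android.provider.Telephony.SMS_DELIVER": 2,             # default SMS handler
    "android.permission.GET_TASKS": 1,
    "android.provider.Telephony.SMS_RECEIVED": 1,
}
SUSPICIOUS_SCORE = 6        # assumed threshold for this example
SIZE_FLOOR_BYTES = 1_000_000  # report: ~500 KB sample vs several MB for a real AV


def sha256_file(path):
    """SHA256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_signals(manifest):
    """Return {signal: weight} for every SIGNALS string present in the manifest bytes."""
    found = {}
    for name, weight in SIGNALS.items():
        if name.encode("utf-16-le") in manifest or name.encode("utf-8") in manifest:
            found[name] = weight
    return found


def triage(apk_path):
    """Hash, size and manifest-signal triage of one APK; returns a summary dict."""
    with zipfile.ZipFile(apk_path) as z:
        manifest = z.read("AndroidManifest.xml")
    digest = sha256_file(apk_path)
    signals = find_signals(manifest)
    score = sum(signals.values())
    size = os.path.getsize(apk_path)
    known = digest == REPORT_SHA256
    if known:
        verdict = "known Anubis sample (hash match)"
    elif score >= SUSPICIOUS_SCORE:
        verdict = "suspicious: overlay/SMS/accessibility permission set"
    else:
        verdict = "no strong static signals"
    return {
        "sha256": digest,
        "known_sample": known,
        "size_bytes": size,
        "undersized_for_av": size < SIZE_FLOOR_BYTES,
        "signals": sorted(signals),
        "score": score,
        "verdict": verdict,
    }


def build_constructed_apk(strings, path=None):
    """Write a minimal stand-in APK (constructed for this example) whose manifest
    entry holds the given strings as UTF-16LE, mimicking an AXML string pool."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".apk")
        os.close(fd)
    pool = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + pool)
        z.writestr("classes.dex", b"dex\n035\x00")
    return path


if __name__ == "__main__":
    for sample in (build_constructed_apk(list(SIGNALS)),
                   build_constructed_apk(["android.permission.INTERNET"])):
        print(triage(sample))
```

The byte search only tells you that a string is present somewhere in the manifest, not that it sits in a `<uses-permission>` element or an `<intent-filter>`; for anything beyond quick triage, parse the manifest with a proper AXML parser (androguard, for example) and check the elements themselves. The hash check is exact-match only, so a repacked build of the same family will miss it and has to be caught by the signal score.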
Figure 4: The accessibility service must be enabled for the app

Some of the suspicious permissions, receivers and services used in the application that may perform malicious activities are listed below:

Permissions:
android.permission.SYSTEM_ALERT_WINDOW
android.permission.GET_TASKS
android.permission.RECEIVE_SMS
android.permission.INTERNET
android.permission.READ_SMS
android.permission.PACKAGE_USAGE_STATS

Services:
wocwvy.czyxoxmbauu.slsa.lmimy
wocwvy.czyxoxmbauu.slsa.wfveenegvz
wocwvy.czyxoxmbauu.slsa.frvvkgp
wocwvy.czyxoxmbauu.slsa.ukhakhcgifofl
wocwvy.czyxoxmbauu.slsa.jtfxlnc
wocwvy.czyxoxmbauu.slsa.blkzyyyfc
wocwvy.czyxoxmbauu.slsa.whemsbk
wocwvy.czyxoxmbauu.slsa.nepgaqmyfrhw
wocwvy.czyxoxmbauu.slsa.clgqtzqdh
wocwvy.czyxoxmbauu.slsa.usbvhkriufnc
wocwvy.czyxoxmbauu.slsa.egxltnv
wocwvy.czyxoxmbauu.slsa.kldqwysgkfcrmq
wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.jkeggfql
wocwvy.czyxoxmbauu.slsa.oyqwzkyy.qvhy.nvsdtnxkzjgw
wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.brtltydqhiuqbb
wocwvy.czyxoxmbauu.slsa.xelytgswelv
wocwvy.czyxoxmbauu.slsa.mvqkjokaxfrpf
wocwvy.czyxoxmbauu.slsa.wahiuolww
wocwvy.czyxoxmbauu.slsa.oyqwzkyy.hzgktdtr.cpysnikhf
wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.wifu
wocwvy.czyxoxmbauu.slsa.oyqwzkyy.dxivifswvkcvwz.dshd
wocwvy.czyxoxmbauu.slsa.kuv.sfswwunyakpjr
wocwvy.czyxoxmbauu.slsa.ttiegryczsx
wocwvy.czyxoxmbauu.slsa.blyvffs

Receivers:
wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.cmtstflxlxb
wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.qpgopfninoaazln
wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hypihteeavv
wocwvy.czyxoxmbauu.slsa.pworotsvjdlioho.hwfe

Intent filters by action:
android.intent.action.RESPOND_VIA_MESSAGE
android.accessibilityservice.AccessibilityService
android.intent.action.MAIN
android.intent.action.SEND
android.intent.action.SENDTO
android.provider.Telephony.WAP_PUSH_DELIVER
android.provider.Telephony.SMS_DELIVER
android.intent.action.PACKAGE_ADDED
android.intent.action.PACKAGE_REMOVED
android.provider.Telephony.SMS_RECEIVED
android.net.conn.CONNECTIVITY_CHANGE
android.net.wifi.WIFI_STATE_CHANGED

Using the permissions granted by the user, the malware performs the following activities on the device:

1. The app tries to obtain the accessibility permission for UI automation.

Figure 5: Starts an activity based on the accessibility permission

2. The malware makes the device exempt it from battery optimization.

Figure 6: Checks for the package and ignores battery optimization

3. It disables device administrator access through the device policy manager.

Figure 7: Removing the active admin user

4. The malware runs a query to get the list of currently running apps along with the most recently used apps.

Figure 8: Stores the list of recently running apps

5. The malware protects itself from being removed or uninstalled and hides from the application launcher.

Figure 9: Hides from the application launcher through the package manager

6. It monitors incoming text messages and reconstructs their content from the SMS PDUs.

Figure 10: Gets the inflow of text messages

7. It collects phone contact information from the victim's device.

Figure 11: Queries the phone contacts

All the data collected from the device is then sent to the C2 link. The C2 string is stored encrypted in this app; the encryption used is AES with the key shown in Fig. 12.

Figure 12: Encryption technique used

The same encryption routine is used in multiple classes and methods, as shown in Fig. 13.

Figure 13: Uses of the encryption technique

After decrypting the string and performing dynamic analysis on the sample, we found that the collected data is sent to the well-known C2 link of the Anubis variant.

C2 link: hxxp://darkweb[.]bitcoingen[.]store//o1o/a16[.]php

Under normal circumstances, before downloading, users can identify whether an APK is authentic or fake based on the following criteria:

1. The source of the file (secure or not secure) is a good indicator of whether the app is genuine or fake. For instance, before downloading an application from an unknown source such as a web URL, check whether the source is secure.
2. The size of the app. For example, a fake app is typically smaller than the authentic one.
3. Spelling errors or icon mismatches can also help distinguish fake apps from genuine ones.

By these parameters, the APK downloaded from the provided URL was identified as a fake app. The downloaded app is around 500 KB, while an antivirus APK would commonly be several MB in size. In addition, the file was served from an unsecure site, which would not be the case for an authentic app, which is published on the vendor's own website or redirected from there to an official app store.

Safety Recommendations:

1. Keep your antivirus software updated to detect and prevent malware infections.
2. Keep your system and applications updated.
3. Use strong passwords and enable two-factor authentication during logins.
4. Verify the privileges and permissions requested by the app before granting access.
5. People concerned about the exposure of their stolen credentials on the dark web can register at AmiBreached.com to ascertain their exposure.

MITRE ATT&CK® Techniques for Mobile

Tactic | Technique ID | Technique Name
Defense Evasion | T1418, T1406 | 1. Application Discovery; 2. Obfuscated Files or Information
Credential Access | T1412 | 1. Capture SMSes
Discovery | T1421, T1430, T1418, T1426, T1424 | 1. System Network Connections Discovery; 2. Location Tracking; 3. Application Discovery; 4. System Information Discovery; 5. Process Discovery
Collection | T1432, T1433, T1430, T1429, T1507, T1412 | 1. Access Contact List; 2. Access Call Log; 3. Location Tracking; 4. Capture Audio; 5. Network Information Discovery; 6. Capture SMSes
Command and Control | T1573, T1071, T1571 | 1. Encrypted Channel; 2. Application Layer Protocol; 3. Non-Standard Port
Impact | T1447 | 1. Delete Device Data

Indicators of Compromise (IoCs):

IoC | IoC Type
34bec3b2747ed7531993c73f04968c56e79f05f3b26b91cad256c9bbd5cf1beb | SHA256
android.accessibilityservice.AccessibilityService | Intent by Action
hxxp://darkweb.bitcoingen.store//o1o/a16[.]php | Interesting URL
hxxp://darkweb.bitcoingen[.]store/ | Interesting URL
172.217.15[.]106 | IP address
64.233.165[.]95 | IP address
173.194.222[.]95 | IP address
data/data/wocwvy.czyxoxmbauu.slsa/shared_prefs/set.xml | File path dropped

About Cyble:

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrime and exposure on the dark web. Cyble's prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups to Watch in 2020.
Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.

Source: https://cyble.com/blog/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/
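As an added example (not part of the Cyble post), the script below operationalizes the network indicators from the IoC table above for detection: it refangs the defanged URL and IP strings as they appear in the table, reduces them to hostnames and addresses, and scans DNS and proxy log lines for them. The log lines are constructed for this example; the indicator strings are the report's own.

```python
"""Match the network indicators from this report against proxy/DNS log lines.

Added example, not part of the Cyble post. The indicator strings are copied
from the report's IoC table in their defanged form (hxxp, [.]) and refanged
here; the log lines are constructed for the example. Because the report says
the C2 string is AES-encrypted inside the APK, a plain string search of the
binary would miss it; network indicators like these belong in DNS and proxy
telemetry instead.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Copied verbatim from the report's IoC table and C2 line.
DEFANGED_IOCS = [
    "hxxp://darkweb[.]bitcoingen[.]store//o1o/a16[.]php",
    "hxxp://darkweb.bitcoingen.store//o1o/a16[.]php",
    "hxxp://darkweb.bitcoingen[.]store/",
    "172.217.15[.]106",
    "64.233.165[.]95",
    "173.194.222[.]95",
]


def refang(indicator):
    """Undo the common defanging conventions so the value can be compared."""
    value = indicator.replace("[.]", ".").replace("(.)", ".")
    if value.lower().startswith("hxxp"):
        value = "http" + value[4:]
    return value


def indicator_set(defanged):
    """Split refanged indicators into a hostname set and an IP address set."""
    hosts, ips = set(), set()
    for raw in defanged:
        value = refang(raw)
        if "://" in value:
            value = urlsplit(value).hostname or ""
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            if value:
                hosts.add(value.lower())
    return hosts, ips


HOST_RE = re.compile(r"[a-z0-9.-]+\.[a-z]{2,}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scan_log(lines, hosts, ips):
    """Return (line_number, sorted matched indicators) for every line that hits.
    A hostname matches exactly or as a subdomain of a listed host."""
    hits = []
    for number, line in enumerate(lines, 1):
        matched = set()
        for host in (h.lower() for h in HOST_RE.findall(line)):
            if host in hosts or any(host.endswith("." + h) for h in hosts):
                matched.add(host)
        for ip in IP_RE.findall(line):
            if ip in ips:
                matched.add(ip)
        if matched:
            hits.append((number, sorted(matched)))
    return hits


# Constructed log lines (not from the report): one DNS lookup and one proxy
# connection involving the C2 host, plus benign traffic that must not match.
SAMPLE_LOG = [
    "2021-05-02T10:01:12Z dns query=play.googleapis.com type=A client=10.0.0.5",
    "2021-05-02T10:02:33Z dns query=darkweb.bitcoingen.store type=A client=10.0.0.7",
    "2021-05-02T10:02:34Z proxy client=10.0.0.7 dst=64.233.165.95:443 "
    "host=darkweb.bitcoingen.store uri=//o1o/a16.php",
    "2021-05-02T10:03:00Z proxy client=10.0.0.9 dst=93.184.216.34:443 host=example.com uri=/",
]


def scan_sample():
    """Run the report's indicators over the constructed log."""
    hosts, ips = indicator_set(DEFANGED_IOCS)
    return scan_log(SAMPLE_LOG, hosts, ips)


if __name__ == "__main__":
    for number, matched in scan_sample():
        print(f"line {number}: {', '.join(matched)}")
```

Treat the hostname match as the high-confidence signal: the three IP addresses in the table sit in address ranges shared by many legitimate services, so an alert on an IP alone should be corroborated by the host or URI before escalation. `refang` only handles the `hxxp` and `[.]`/`(.)` conventions used here; extend it if your feeds defang differently.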