Account Takeover Fraud , Cybercrime , Endpoint Security

Botnet Watch: Anubis Mobile Malware Gets New Features

Powerful Platform Can Spot If Victim Is Looking at the Screen
Botnet Watch: Anubis Mobile Malware Gets New Features
A screenshot of the web-based control panel for Anubis, a mobile device botnet

Anubis is one of the most potent Android botnets. Its features give its controllers virtually carte blanche access to infected devices, with victims unaware of the amount of personal and financial data it can steal from a phone.

See Also: Live Webinar | App Defined, Autonomous and Delivered from the Cloud

It's a modular platform where fraudsters can pick the type of financial service they want to attack and run an "inject" that aims to steal the login credentials, according to the security firms Coinbase, Santander Bank, PayPal and many others.

If the credentials are captured, fraudsters can also capture two-step verification codes by harvesting one sent over SMS to the device, then hiding the message from the device's owner.

"Anubis is huge," says Alex Holden, founder and chief information security officer of Hold Security, a cybersecurity consultancy. Holden's company specializes in getting access to cybercriminal forums to spot new trends.

Fresh Features

Anubis has been a thorn in the side of Google, which has fought to keep bogus apps containing its code out of the Play Store. One way to infect phones is by tricking people into download a game, for example, which is actually Anubis. Malicious actors constantly try to sneak malware into the Play Store.

Other victims become infected by downloading dodgy Android apps from third-party stores, which may not have great security controls, or by getting tricked by phishing emails.

Now, it appears that Anubis will soon get new features aimed at helping fraudsters more closely monitor infected devices.

The feature refresh is in a version of Anubis under development and doesn't appear to have been released yet, Holden says.

Hold Security's analysts have had an inside look at Anubis's control panel, a web-based panel for exploring hacked devices. From there, fraudsters can pick and choose which device they want to steal data from and what services they want to target.

The control panel under development includes new features that provide even more granular insight for an attacker into how a phone is being used, Holden says.

One new addition on the control panel is a small icon of an eyeball. The malware takes advantage of a feature on some phones that recognizes whether someone is looking at the device, such as to ensure the screen stays on. It's a way for hackers to know not to begin meddling with a device when someone is looking at it.

Anubis has long had a feature to monitor whether a device is in motion. In January 2019, Trend Micro noted that Anubis' malware tapped into the motion sensor. If a device never moves, it may be a sign that the Android instance is running in a sandbox and being analyzed by security researchers. If the device doesn't appear to move, the malware code won't run, Trend Micro wrote.

Also under development is integrating Yandex maps, which will show the location of infected devices. Holden says that although the mobile network a device connects to is usually a good indicator of where the phone is located, "I'm surprised they are thinking about it."

Waiting for Payday

It's unclear who has taken up the mantle of adding new features to Anubis. The malware has been around since late 2017, according to ThreatFabric. It's believed to have been developed by highly skilled Android malware developer going by the name Maza-In.

Maza-In was responsible for BankBot, another powerful Android botnet. In June 2017, someone using the nickname Maza-In claimed in an interview with Forbes that was trying to help Google improve its Android defenses.

But early 2019 saw changes. The backend code and unobfuscated APK for Anubis was released on Jan. 16, 2019, according to ThreatFabric's blog post. A month later, there were reports that the support channels for Anubis were no longer responding. Around March 2019, rumors circulated on a Russian-language IT forum that Maza-In had been arrested by Russian authorities.

But Anubis still seemed to plug along. ThreatFabric wrote that as of March 2019, certain customers appear to have access to it and that its operations weren't entirely disrupted.

"Although it is hard to say why Maza-In vanished, the fact that some code has been leaked, combined with recent observations of unobfuscated Anubis samples in the wild, suggests that the malware might be used by other actors and thus remain active," the company wrote.

The Anubis control panel has a space where fraudsters can leave comments about devices that they have been probing.

A look at a recent screenshot of the control panel showed one device located in Spain running Android 9 that had been targeted with an inject for Samsung Pay. The inject had captured the login and password for the person, along with a payment card number.

Anubis' control panel shows a comment for an infected device that says the victim's compromised Samsung Pay account doesn't have much money in it.

The comment section noted that the account had only 67 euros in it, and that the fraudsters were holding back.

"We are waiting for payday," the comment, in Russian, reads.


About the Author

Jeremy Kirk

Jeremy Kirk

Managing Editor, Security and Technology, ISMG

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.