
The Most Potent Banking Malware Receives Updates Allowing Hackers More Control Over Infected Devices

Anubis, one of the most potent families of banking malware, has received additional features that give hackers more control over infected devices. The new features allow cybercriminals to operate silently without alerting users to the suspicious activity, and give hackers the ability to inspect devices and wait for the opportune time to strike. For example, one added feature lets hackers detect when the user is looking at the phone, so they can avoid performing any nefarious activity in plain view. Security researchers have discovered over 17,000 new Anubis samples targeting over 377 banking applications in 93 countries, including the United States, Europe, and India.

Operation of Anubis banking malware

The Anubis banking trojan targets smartphones running the Android operating system. The malware infects users’ mobile devices by tricking them into downloading Anubis apps disguised as other popular applications, such as games. Most infections occur when Android users download dodgy apps from third-party stores where security is lax. The banking malware developers have recently persisted in their efforts to sneak malicious apps into the Google Play Store, but with limited success. Researchers discovered two apps, Currency Converter and BatterySaverMobo, used to spread Anubis. The threat actors also lure users into downloading the infected apps through phishing campaigns, after stealing contact information from already infected devices.

Once the user downloads the Android banking trojan, the app monitors the device status to find the optimal time to execute attacks. The app can hijack two-factor authentication codes and hide the OTP SMS messages from the device user. Another feature allows the banking malware to detect whether the device is in motion by tapping into the motion sensor. When a device appears motionless for a long time, the banking malware operators conclude that the sample is running in a sandbox used by researchers, and they therefore abstain from executing attacks on that device.

Analysis of the Anubis source code reveals that the banking malware tampers with administrative settings to view running tasks and creates a backdoor through Virtual Network Computing (VNC). In addition to stealing banking credentials, these permissions allow the app to record audio, access the contact list for spamming, send SMS messages, and make phone calls. The banking malware also contains a ransomware component, called AnubisCrypt, able to encrypt files on both internal and SD storage. It can also receive commands through social media apps such as Twitter, most commonly via shortened links. These commands direct the malware to send data to command-and-control (C2) servers located worldwide, allowing the criminals to issue commands from a wide range of locations.

TJ Short, VP Security Operations at Cerberus Sentinel, says the trojan employs ingenious methods to trick users.

“The coolest feature, though, is that once you connect to your bank, complete your MFA and finish your bank business, it will activate. So when you are finished with the transaction, it will keep open the tunnel that has already passed the MFA requirements and pop up a fake ‘transaction has ended’ jpeg for you to see. At that point, it will contact the C2 server and act as a proxy gateway allowing the attacker to access your financial information.”

Newer features coming to Anubis banking trojan

The Anubis banking malware operators are working on features that will give the attackers more insights into the infected devices.

One recent addition to the banking malware web-based control panel is the eyeball icon. This functionality allows hackers to know when the device user is looking at the screen. On detecting user activity, the hackers can avoid performing malicious activity on the smartphone while under the prying eyes of the smartphone owner.

The threat actors are also working on integrating Yandex Maps into the banking malware to determine the location of the infected phone. However, this new addition is just a convenience feature, because the banking malware operators can already locate the infected device by other means, such as the mobile network the device is connected to.

Newer banking trojan apps

Of course, Anubis is not the only exciting new banking malware. In March 2020, researchers at Cybereason Nocturnus discovered a new banking trojan app targeting Android users that can steal banking and financial information. The new trojan, known as EventBot, targets over 200 apps, such as PayPal Business, banking apps belonging to financial institutions such as Revolut and Barclays, and other financial apps such as TransferWise and Coinbase. The banking trojan targets users in the United States and European countries such as the UK, Germany, France, Spain, Switzerland, and Italy. Like Anubis, EventBot is currently distributed through rogue third-party app stores and malicious URLs.

Once downloaded, EventBot obtains a sweeping set of permissions, including starting at boot and maintaining a persistent background process that allows the app to monitor the smartphone continuously. The trojan also prevents the phone from sleeping and ignores battery optimization settings. EventBot also obtains control of Android’s accessibility services to run a keylogger, receive notifications, and retrieve the content of open windows. Although still in the development stage, the app may become a more significant threat to mobile banking than Anubis.
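The capabilities described for both families (device-admin and accessibility binding, SMS interception, boot persistence, battery-optimization opt-out, audio recording, contact access) all have to be declared in an app's AndroidManifest.xml, which makes the manifest a cheap first triage point for an analyst or app-store reviewer. The script below is an added example, not code from the article or from either malware family: it scores a manifest against that permission pattern. The weights and thresholds are assumptions chosen for illustration, and both sample manifests are constructed.

```python
"""Score an AndroidManifest.xml against the banking-trojan permission pattern.

Added example, not from the original article. The permission strings are the
real Android platform names; the weights and verdict thresholds are an
assumption for illustration and would be tuned against a corpus in practice.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions requested with <uses-permission>. Weight is an assumption.
PERMISSION_WEIGHTS = {
    "android.permission.RECEIVE_SMS": 3,   # OTP / 2FA interception
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 2,      # spamming contacts
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,  # start at boot
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
    "android.permission.WAKE_LOCK": 1,     # keep the device from sleeping
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.READ_CONTACTS": 2, # contact harvesting
    "android.permission.CALL_PHONE": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,  # overlay windows
}
# Permissions a declared component binds to (android:permission attribute).
COMPONENT_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,  # keylogging, window content
    "android.permission.BIND_DEVICE_ADMIN": 4,           # administrative control
}


def scan_manifest(xml_text):
    """Return the matched indicators, their total score and a coarse verdict."""
    root = ET.fromstring(xml_text)
    findings = {}
    for node in root.iter("uses-permission"):
        perm = node.get(NAME)
        if perm in PERMISSION_WEIGHTS:
            findings[perm] = PERMISSION_WEIGHTS[perm]
    # Accessibility services and device-admin receivers are recognised by the
    # permission they require callers to hold, not by a uses-permission line.
    for tag in ("service", "receiver"):
        for node in root.iter(tag):
            perm = node.get(PERMISSION)
            if perm in COMPONENT_WEIGHTS:
                findings[perm] = COMPONENT_WEIGHTS[perm]
    score = sum(findings.values())
    verdict = "high" if score >= 10 else "medium" if score >= 5 else "low"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed sample: a "battery saver" declaring the pattern described above.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample.batterysaver">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Battery Saver">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: an ordinary network-only app for comparison.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="Weather"/>
</manifest>
"""

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = scan_manifest(text)
        print(f"{label}: score={result['score']} verdict={result['verdict']}")
        for perm, weight in sorted(result["findings"].items()):
            print(f"  {weight:>2}  {perm}")
```

The script reads the decoded manifest (for example as produced by apktool), so it is a screening step rather than a verdict: a legitimate SMS or accessibility app will also score, and a trojan can defer requesting some of these permissions at runtime. Its value is in flagging the combination of OTP access, boot persistence and accessibility binding in an app whose stated purpose needs none of them.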

Cybercriminals have discovered a lucrative target in the Android mobile banking and shopping industry. Despite Google’s effort to keep malicious apps out of the Play Store, threat actors can still distribute the apps through third-party stores. Maybe this is the moment Google should reconsider allowing app installation through untrusted sources.