Phishing Campaign Targets 250 Android Apps with Anubis Malware

New attacks discovered by Cofense can perform keylogging, steal data and completely hijack a mobile device.

A new phishing campaign is attempting to deliver sophisticated malware that can completely hijack an Android mobile device to steal user credentials, install a keylogger and even hold a device’s data for ransom.

The attacks are designed for mobile inboxes and leverage the Anubis malware, a sophisticated trojan used originally for cyber espionage and later repurposed as a banking trojan. Researchers at Cofense, who discovered the campaign, said the malware targets more than 250 Android apps with tailored login overlay screens used to capture credentials inputted into the apps.

Messages contain links to an Android Package Kit (APK) file that, if downloaded and executed, launches a fake version of “Google Play Protect”. Next, the installation process attempts to trick the user into agreeing to run an unsigned Android app on the targeted device, which would give adversaries complete control of the handset.

The attack first involves a typical phishing email that asks users to download an invoice from an email that appears to come from a trusted contact, according to a blog published Thursday by Cofense researcher Marcel Feller.

“When the email link is opened from an Android device, an APK file (Fattura002873.apk), is downloaded,” Feller wrote. “Upon opening the file, the user is asked to enable ‘Google Play Protect’… However, this is not a genuine ‘Google Play Protect’ screen; instead it gives the app all the permissions it needs while simultaneously disabling the actual Google Play Protect.”
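The delivery pattern described above (an “invoice” lure whose link points at an APK) is something a mail gateway can flag before the message reaches a mobile inbox. The following is an added example, not code from Cofense or the article, that parses a constructed sample message and reports APK links, APK attachments and invoice-style wording; the sender, domain and file name in the sample are made up.

```python
import email
import re
from email import policy
from typing import List

# Constructed sample message (not a real campaign artifact): an "invoice" lure
# whose body links to an APK, mirroring the delivery pattern in the article.
SAMPLE_EML = """\
From: accounts@example-supplier.test
To: user@example.test
Subject: Fattura 002873 in allegato
Content-Type: text/plain; charset="utf-8"

Gentile cliente, trovi la fattura al seguente link:
http://invoice-download.example.test/docs/Fattura002873.apk
Cordiali saluti
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
APK_MIME = "application/vnd.android.package-archive"
LURE_WORDS = ("invoice", "fattura", "receipt", "payment")  # assumed lure vocabulary


def extract_urls(msg) -> List[str]:
    """Collect URLs from every text/plain and text/html part of the message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def scan_message(raw: str) -> List[str]:
    """Return the reasons a message matches the APK-lure pattern (empty list = clean)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").lower()
    lure_wording = any(word in subject for word in LURE_WORDS)
    for url in extract_urls(msg):
        path = url.split("?", 1)[0].rstrip("/").lower()  # ignore query string
        if path.endswith(".apk"):
            reasons.append(f"link to APK: {url}")
    for part in msg.walk():
        fname = part.get_filename() or ""
        if part.get_content_type() == APK_MIME or fname.lower().endswith(".apk"):
            reasons.append(f"APK attachment: {fname or '(unnamed)'}")
    if reasons and lure_wording:
        reasons.append("invoice/payment wording in subject combined with an APK")
    return reasons
```

In a real deployment the same check would run on the gateway's parsed message object rather than a string, and a hit would quarantine the message or strip the link.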

The malware name, Anubis, is a reference to the ancient Egyptian god of embalming and the dead, often depicted as half human, half jackal.

The malware mainly scans the phone for banking and financial apps, but also checks for popular marketplace apps such as eBay or Amazon so it can steal relevant user financial data.

“Once an application has been identified, Anubis overlays the original application with a fake login page to capture the user’s credentials,” he wrote.

If installed, the malware’s capabilities include capturing screenshots, enabling or changing administration settings, opening and visiting any URL, recording audio and initiating phone calls.

“Anubis can completely hijack an Android mobile device, steal data, record phone calls, and even hold the device to ransom by encrypting the victim’s personal files,” Feller wrote.

Anubis samples have been identified in the wild as part of other campaigns since its operator was allegedly arrested and the malware’s source code leaked last year. In November, for instance, code from Anubis turned up in a new custom mobile banking malware for Android, dubbed Gnip.

The new campaign—which affects several iterations of the Android operating system, dating back to version 4.0.3—combines various nefarious functions in one package, including keylogging, credential-stealing and even a ransomware module that searches a device’s internal and external storage and encrypts the files it finds using RC4, Feller noted. Cofense does not indicate the complete range of Android operating system versions potentially impacted.

While the campaign primarily puts consumer mobile users in danger, it also threatens the enterprise and corporate environments due to the increasing use of BYOD policies, the researcher said. Those most at risk for the latest campaign are users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications.

The campaign also includes a keylogger, which works in every app installed on the targeted device. However, the keylogger is a post-infection feature and is enabled remotely via the attacker’s command-and-control server, Feller wrote.

To avoid being a victim of this latest phishing attack, Cofense recommends that users limit their installation of apps on corporate devices, using only apps created by trusted developers that they download from official marketplaces, he added.

