Lookout Finds New Anubis Campaign Targeting Hundreds of Financial Applications

TL; DR:

Researchers at the Lookout Threat Labs have discovered a novel distribution of the Anubis Android banking malware masquerading as the official account management application from leading French telecommunications company, Orange S.A.. Lookout is actively working with Orange to ensure its customers are protected.

Leveraging a variation of the infamous banking trojan, the attackers are targeting customers of nearly 400 financial institutions, cryptocurrency wallets and virtual payment platforms. As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain. This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection and abuse of the device’s accessibility services.

The icon for the malicious ‘Orange Service’ app appears identical to the legitimate ‘Orange et Moi France’ icon, with the exception of its resolution.

This latest Anubis distribution, which had a package name of "fr.orange.serviceapp," was submitted to the Google Play store in late July 2021 and subsequently unapproved. Lookout researchers were able to take a glimpse into this campaign as some of its infrastructure was still a work-in-progress: 

  • We believe with high certainty that this was an attempt to test Google’s antivirus capabilities. 
  • We found that obfuscation efforts were only partially implemented within the app and that there were additional developments still occurring with its command-and-control (C2) server. 
  • We expect more heavily obfuscated distributions will be submitted in the future.

Who are the threat actors and how is Anubis used?

Anubis is primarily a banking trojan. Thus, its default functionality is to monitor a set number of “target apps” that are of high value for the purposes of acquiring personal data or login credentials for financial gain. Targeted apps are hardcoded by package name into the client source.

The malware sample and its associated infrastructure revealed very little about the actor behind this Anubis distribution. Neither the signing information associated with the APK nor the certificate data is associated with any other app. Any WHOIS records associated with the domain have redacted registrant details. The domain name itself, purchased through NameCheap, resolves to two servers — both of which are shared by over two thousand other domains that appear to have no connection to this actor.

The evolution of Anubis

Anubis has gone through significant evolution since its inception. In 2016, a user named “maza-in” on the Russian-language hacking forum Exploit[.]in shared open-source code for a novel Android banking trojan with instructions on how to implement its client and server-side components.

Hacker forum post from Maza-In for malware targeting Google's Android OS
A screenshot of the original advertisement for Anubis from 2016 by user maza-in, as shared by Forbes magazine.

“maza-in” reappeared a year later with the publishing of a promotional YouTube video for a tool that enables users to bundle an updated Anubis II into a fake mobile app. 

In 2018, researchers at Netherlands-based security company ThreatFabric reported that “maza-in” announced the release of Anubis 2.5, a more sophisticated iteration of the original malware. The developer apparently attempted to rent Anubis out privately for a cost, but the source code was leaked shortly after. This new version of the banking trojan became the foundation of the open-sourced version of Anubis that continues to be iterated upon and distributed by other actors.

Class names in fr.orange.serviceapp, left, have been modified from the original Anubis 2.5 distribution.

How Anubis is distributed

Anubis is currently available online for free. Packages include the server-side administration panel and an unobfuscated APK file with logging messages and comments written in Russian. It’s also cited in numerous “Black Hat hacking” tutorials on both dark and surface web forums. 

Lookout researchers uncovered and analyzed dozens of forum posts where users were looking to purchase, rent or obtain source code for Anubis. Many of these users don’t seem to be very technical based on their constant requests for guidance in implementing the server-side code and building the Android APK that contains the Anubis client. In response to these requests, more experienced black-hat hackers have begun offering the Anubis source bundled with set-up and customization assistance for a fee.

A subset of hundreds of Anubis-related forum posts on the hacking forum ‘HackForums[.]net’

A breakdown of this Anubis campaign

This latest distribution of Anubis boasts an extensive set of capabilities that includes exfiltrating sensitive data from the victim’s Android device back to the C2 and performing overlay attacks. It also has the ability to terminate malicious functionalities and remove the malware from the device when needed.

Capabilities:

  • Recording screen activity and sound from the microphone 
  • Implementing a SOCKS5 proxy for covert communication and package delivery
  • Capturing screenshots
  • Sending mass SMS messages from the device to specified recipients
  • Retrieving contacts stored on the device
  • Sending, reading, deleting and blocking notifications for SMS messages received by the device
  • Scanning the device for files of interest to exfiltrate
  • Locking the device screen and displaying a persistent ransom note
  • Submitting USSD code requests to query bank balances
  • Capturing GPS data and pedometer statistics
  • Implementing a keylogger to steal credentials
  • Monitoring active apps to mimic and perform overlay attacks
  • Stopping malicious functionality and removing the malware from the device

How Anubis initiates attacks

As a trojanized malware, users assume that the app they have downloaded is legitimate. Pretending to be “Orange Service,” the malware begins its attack by asking for accessibility services. Once the user presses “OK,” the app hides its icon and initiates covert communications with its C2, sending details about the device such as a list of installed apps. It then exploits the accessibility services to interact with the device’s screen to grant itself additional extensive permissions. This process occurs so quickly that most users probably wouldn’t see the device selecting ‘agree’ to the permission request prompts.

The malware requests access to accessibility services.

Once the malware has established a successful network connection and communications with its C2, the server downloads an additional app to the device that is responsible for initiating the SOCKS5 proxy. This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as “FR.apk'' in "/data/data/fr.orange.serviceapp/app_apk."

The client stores its received payload under app data on the victim device.
The class responsible for initiating the SOCKS5 proxy is loaded by the client.

Disabling Google Play Protect

Next, Anubis detects whether the device has Google Play Protect enabled. If so, the malware tricks the user into disabling the service with a fake system window alert, claiming that it interferes with the functionality of the device system. 

A system alert window prompt generated by Anubis asking the user to disable Google Play Protect.

After gaining full access to the device, Anubis pings the C2 at steady intervals with device data to maintain a connection and receive commands to perform. This is common practice for malware that takes cues from a C2 because it can alert the actor to any changes to the state of the device that might interfere with their end goal. It also lets the actor know if the malware has been removed, which may prompt the actor to target that victim again.  

Targeted Apps

Default implementations of Anubis advertise 235 targeted apps. However, the list of apps targeted by "fr.orange.serviceapp" was expanded to include 394 unique apps, ranging from banking apps to reloadable card applications and cryptocurrency wallets. The targeted apps are hard-coded in the Anubis source code by package name. The malware executes its attack chain when one of the targeted apps is launched.

A request is passed to the C2 containing the target app and country code. In response, the C2 returns a custom phishing page to be used in the overlay attack.

When one of these apps is launched, Anubis sends two parameters via HTTPS to its C2: a keyword associated with the app and an IMEI country code. In response, the C2 returns a rendered PHP file containing HTML markup and copy for a custom phishing page. The Anubis client uses this response to craft an overlay screen which it injects on top of the launched app in an attempt to trick the user into giving up their credentials.

The rendered phishing pages are presented to the victim when they click the Google Play Store app launcher.

The C2 infrastructure: a fake crypto trading site

The Anubis client within the "fr.orange.serviceapp" app connects to a C2 server at the domain https://quickbitrade[.]com. The actor uses Cloudflare to redirect all network traffic through SSL. The C2 masquerades as a cryptocurrency trading website that is still under development. 

The C2 server masquerades as a cryptocurrency exchange website.

Connecting the C2 server to the threat actor

The C2 infrastructure for this Anubis distribution is only partially secured. Although the communications between the client and server are conducted over SSL, no further security measures were implemented, enabling us to to intercept communications between the Anubis client and the C2. 

Within the web server itself, only some directory listings have been disabled. While directory listings related to the administrator panel were concealed, we were able to find php scripts nearly identical to those in the leaked Anubis server-side source. 

Only certain directory listings on the C2 have remained open.

The default Anubis administrator panel includes a monitoring and control panel for access by the attacker. Unlike the C2 endpoints, these panels were properly secured by the actor behind the "fr.orange.serviceapp app." With a campaign still in development, we suspect the attackers prioritized securing this part of the C2 server because the admin panel would contain information such as device identifiers for infected devices, all resources required for injecting the phishing pages as part of the overlay functionality and other data that could reveal the actor’s identity.  

Anubis will persist

As a readily available commodity banking malware, Anubis will continue to be iterated on, which means it’s a threat that isn’t going anywhere. The actor behind this campaign also appears to still be developing the C2 infrastructure in such a way that they intend to release future versions of the malware. 

While it’s primarily used as a banking trojan, its credential-stealing capabilities put any login information at risk. This could include employee logins that get swiped when the user tries to access cloud-based apps like Google Drive or Microsoft Office 365 from their mobile devices. 

How to protect against Anubis

Lookout customers are protected against Anubis and its distributions both at an app and domain levels. But whether you are a Lookout customer or not, there are two key best practices to follow to secure against malware like Anubis: 

  1. Never accept any permissions that ask you to turn off default security protections like Google Play Protect.
  2. Never download an app from an untrusted source. Apps from third-party stores that are downloaded directly from a web browser don’t go through the same security checks as apps in the iOS App and Google Play stores. 

As illustrated by this Anubis campaign, the financial industry is one of the most highly targeted industries. To learn more about the threat landscape the industry faces, read our Financial Services Threat Report.

Lookout delivers endpoint-to-cloud Security