In 2021, researchers at Lookout discovered a novel distribution of the Anubis Android banking malware masquerading as the official account management application from leading French telecommunications company, Orange S.A. Lookout actively worked with Orange to ensure its customers were protected.
Leveraging a variation of the infamous banking trojan, the attackers are targeting customers of nearly 400 financial institutions, cryptocurrency wallets and virtual payment platforms. As a banking trojan malware, Anubis’ goal is to collect significant data about the victim from their mobile device for financial gain. This is done by intercepting SMSs, keylogging, file exfiltration, screen monitoring, GPS data collection, and abuse of the device’s accessibility services.
This Anubis distribution, which had a package name of "fr.orange.serviceapp," was submitted to the Google Play store in late July 2021 and subsequently unapproved. Lookout researchers were able to take a glimpse into this campaign as some of its infrastructure was still a work-in-progress:
Anubis is primarily a banking trojan. Thus, its default functionality is to monitor a set number of “target apps” that are of high value for the purposes of acquiring personal data or login credentials for financial gain. Targeted apps are hardcoded by package name into the client source.
The malware sample and its associated infrastructure revealed very little about the actor behind this Anubis distribution. Neither the signing information associated with the APK nor the certificate data is associated with any other app. Any WHOIS records associated with the domain have redacted registrant details. The domain name itself, purchased through NameCheap, resolves to two servers — both of which are shared by over two thousand other domains that appear to have no connection to this actor.
Anubis has gone through significant evolution since its inception. In 2016, a user named “maza-in” on the Russian-language hacking forum Exploit[.]in shared open-source code for a novel Android banking trojan with instructions on how to implement its client and server-side components.
“maza-in” reappeared a year later with the publishing of a promotional YouTube video for a tool that enables users to bundle an updated Anubis II into a fake mobile app.
In 2018, researchers at Netherlands-based security company ThreatFabric reported that “maza-in” announced the release of Anubis 2.5, a more sophisticated iteration of the original malware. The developer apparently attempted to rent Anubis out privately for a cost, but the source code was leaked shortly after. This new version of the banking trojan became the foundation of the open-sourced version of Anubis that continues to be iterated upon and distributed by other actors.
Anubis is currently available online for free. Packages include the server-side administration panel and an unobfuscated APK file with logging messages and comments written in Russian. It’s also cited in numerous “Black Hat hacking” tutorials on both dark and surface web forums.
Lookout researchers uncovered and analyzed dozens of forum posts where users were looking to purchase, rent or obtain source code for Anubis. Many of these users don’t seem to be very technical based on their constant requests for guidance in implementing the server-side code and building the Android APK that contains the Anubis client. In response to these requests, more experienced black-hat hackers have begun offering the Anubis source bundled with set-up and customization assistance for a fee.
This latest distribution of Anubis boasts an extensive set of capabilities that includes exfiltrating sensitive data from the victim’s Android device back to the C2 and performing overlay attacks. It also has the ability to terminate malicious functionalities and remove the malware from the device when needed.
As a trojanized malware, users assume that the app they have downloaded is legitimate. Pretending to be “Orange Service,” the malware begins its attack by asking for accessibility services. Once the user presses “OK,” the app hides its icon and initiates covert communications with its C2, sending details about the device such as a list of installed apps. It then exploits the accessibility services to interact with the device’s screen to grant itself additional extensive permissions. This process occurs so quickly that most users probably wouldn’t see the device selecting ‘agree’ to the permission request prompts.
Once the malware has established a successful network connection and communications with its C2, the server downloads an additional app to the device that is responsible for initiating the SOCKS5 proxy. This proxy allows the attacker to enforce authentication for clients communicating with their server and mask communications between the client and C2. Once retrieved and decrypted, the APK is saved as “FR.apk'' in "/data/data/fr.orange.serviceapp/app_apk."
Next, Anubis detects whether the device has Google Play Protect enabled. If so, the malware tricks the user into disabling the service with a fake system window alert, claiming that it interferes with the functionality of the device system.
After gaining full access to the device, Anubis pings the C2 at steady intervals with device data to maintain a connection and receive commands to perform. This is common practice for malware that takes cues from a C2 because it can alert the actor to any changes to the state of the device that might interfere with their end goal. It also lets the actor know if the malware has been removed, which may prompt the actor to target that victim again.
Default implementations of Anubis advertise 235 targeted apps. However, the list of apps targeted by "fr.orange.serviceapp" was expanded to include 394 unique apps, ranging from banking apps to reloadable card applications and cryptocurrency wallets. The targeted apps are hard-coded in the Anubis source code by package name. The malware executes its attack chain when one of the targeted apps is launched.
When one of these apps is launched, Anubis sends two parameters via HTTPS to its C2: a keyword associated with the app and an IMEI country code. In response, the C2 returns a rendered PHP file containing HTML markup and copy for a custom phishing page. The Anubis client uses this response to craft an overlay screen which it injects on top of the launched app in an attempt to trick the user into giving up their credentials.
The Anubis client within the "fr.orange.serviceapp" app connects to a C2 server at the domain https://quickbitrade[.]com. The actor uses Cloudflare to redirect all network traffic through SSL. The C2 masquerades as a cryptocurrency trading website that is still under development.
The C2 infrastructure for this Anubis distribution is only partially secured. Although the communications between the client and server are conducted over SSL, no further security measures were implemented, enabling us to to intercept communications between the Anubis client and the C2.
Within the web server itself, only some directory listings have been disabled. While directory listings related to the administrator panel were concealed, we were able to find php scripts nearly identical to those in the leaked Anubis server-side source.
The default Anubis administrator panel includes a monitoring and control panel for access by the attacker. Unlike the C2 endpoints, these panels were properly secured by the actor behind the "fr.orange.serviceapp app." With a campaign still in development, we suspect the attackers prioritized securing this part of the C2 server because the admin panel would contain information such as device identifiers for infected devices, all resources required for injecting the phishing pages as part of the overlay functionality and other data that could reveal the actor’s identity.
As a readily available commodity banking malware, Anubis will continue to be iterated on, which means it’s a threat that isn’t going anywhere. The actor behind this campaign also appears to still be developing the C2 infrastructure in such a way that they intend to release future versions of the malware.
While it’s primarily used as a banking trojan, its credential-stealing capabilities put any login information at risk. This could include employee logins that get swiped when the user tries to access cloud-based apps like Google Drive or Microsoft Office 365 from their mobile devices.
Lookout customers are protected against Anubis and its distributions both at an app and domain levels. But whether you are a Lookout customer or not, there are two key best practices to follow to secure against malware like Anubis:
As illustrated by this Anubis campaign, the financial industry is one of the most highly targeted industries. To learn more about the threat landscape the industry faces, read our Financial Services Threat Report.
September 19, 2023
Google released a patch for a new zero-day vulnerability in Chrome tracked as CVE-2023-4863, which CISA also listed in their database.
September 18, 2023
September 20, 2023