Botnet Watch: Anubis Mobile Malware Gets New FeaturesPowerful Platform Can Spot If Victim Is Looking at the Screen
Anubis is one of the most potent Android botnets. Its features give its controllers virtually carte blanche access to infected devices, with victims unaware of the amount of personal and financial data it can steal from a phone.
It’s a modular platform where fraudsters can pick the type of financial service they want to attack and run an “inject” that aims to steal the login credentials, according to the security firms Coinbase, Santander Bank, PayPal and many others.
If the credentials are captured, fraudsters can also capture two-step verification codes by harvesting one sent over SMS to the device, then hiding the message from the device’s owner.
“Anubis is huge,” says Alex Holden, founder and chief information security officer of Hold Security, a cybersecurity consultancy. Holden’s company specializes in getting access to cybercriminal forums to spot new trends.
Anubis has been a thorn in the side of Google, which has fought to keep bogus apps containing its code out of the Play Store. One way to infect phones is by tricking people into download a game, for example, which is actually Anubis. Malicious actors constantly try to sneak malware into the Play Store.
Other victims become infected by downloading dodgy Android apps from third-party stores, which may not have great security controls, or by getting tricked by phishing emails.
Now, it appears that Anubis will soon get new features aimed at helping fraudsters more closely monitor infected devices.
The feature refresh is in a version of Anubis under development and doesn’t appear to have been released yet, Holden says.
Hold Security's analysts have had an inside look at Anubis's control panel, a web-based panel for exploring hacked devices. From there, fraudsters can pick and choose which device they want to steal data from and what services they want to target.
The control panel under development includes new features that provide even more granular insight for an attacker into how a phone is being used, Holden says.
One new addition on the control panel is a small icon of an eyeball. The malware takes advantage of a feature on some phones that recognizes whether someone is looking at the device, such as to ensure the screen stays on. It’s a way for hackers to know not to begin meddling with a device when someone is looking at it.
Anubis has long had a feature to monitor whether a device is in motion. In January 2019, Trend Micro noted that Anubis’ malware tapped into the motion sensor. If a device never moves, it may be a sign that the Android instance is running in a sandbox and being analyzed by security researchers. If the device doesn’t appear to move, the malware code won’t run, Trend Micro wrote.
Also under development is integrating Yandex maps, which will show the location of infected devices. Holden says that although the mobile network a device connects to is usually a good indicator of where the phone is located, “I’m surprised they are thinking about it.”
Waiting for Payday
It’s unclear who has taken up the mantle of adding new features to Anubis. The malware has been around since late 2017, according to ThreatFabric. It’s believed to have been developed by highly skilled Android malware developer going by the name Maza-In.
Maza-In was responsible for BankBot, another powerful Android botnet. In June 2017, someone using the nickname Maza-In claimed in an interview with Forbes that was trying to help Google improve its Android defenses.
But early 2019 saw changes. The backend code and unobfuscated APK for Anubis was released on Jan. 16, 2019, according to ThreatFabric’s blog post. A month later, there were reports that the support channels for Anubis were no longer responding. Around March 2019, rumors circulated on a Russian-language IT forum that Maza-In had been arrested by Russian authorities.
Has maza-in been arrested? https://t.co/KscZOi3fxa— Elliot Alderson (@fs0c131y) March 25, 2019
But Anubis still seemed to plug along. ThreatFabric wrote that as of March 2019, certain customers appear to have access to it and that its operations weren’t entirely disrupted.
“Although it is hard to say why Maza-In vanished, the fact that some code has been leaked, combined with recent observations of unobfuscated Anubis samples in the wild, suggests that the malware might be used by other actors and thus remain active,” the company wrote.
The Anubis control panel has a space where fraudsters can leave comments about devices that they have been probing.
A look at a recent screenshot of the control panel showed one device located in Spain running Android 9 that had been targeted with an inject for Samsung Pay. The inject had captured the login and password for the person, along with a payment card number.
The comment section noted that the account had only 67 euros in it, and that the fraudsters were holding back.
“We are waiting for payday,” the comment, in Russian, reads.