The Anubis banking Trojan is back in action, ready to elbow out the newer Cerberus from the limelight. Anubis has a starring role in phishing and social engineering campaigns where victims are persuaded to download a real, certified app – but from outside the usual Google Play Store.
Not only does the victim get the app, they also get a clever bit of malware that is ready to steal data and credentials from nearly 200 real banking and financial mobile apps that might be on their device. In addition, the malware can take screenshots, take over text messaging, open URLs, and disable Google Play Protect. What a bargain.
The Anubis strategy is to clone legit apps from Google Play, repackage the app along with their banking Trojan, and distribute it via third-party app markets. It’s a simple but effective move: their novel packaging deal installs the original app and the Anubis banker on top of it.
Below are three actual examples of the repackaged apps:
Figure 1: the legit applications found in Google Play
Trojan flying a false flag
The three original apps shown are found on Google Play and are not malicious! The malicious ones are simply modified versions of the original ones with the added malware. The third app shows how the malware authors have decided to use the current COVID-19 situation in their favor and distribute malware under the flag of a legit application.
The first sign of a difference comes when a user gets a warning when trying to install the modified apps, because they are not sourced from the Google Play market. If the user allows off-market installations, the app will continue to be loaded.
Figure 2: warning to not install apps from unknown sources
That new app is moving to take control
Once installed, the fake applications ask for full control over the device and, in some cases, for permission to record audio and manage text messages.
One interesting case is the “Media Player” application. After installation, the legit app appears in the applications list as “Video Player”, while the Anubis-patched variant is titled “Media Player”. In addition, the malicious one asks for different, more dangerous permissions on top of the usual “Full control of the device” permission.
Figure 3: the malicious “Media Player” app asks for dangerous permissions
Modular efficiency for Android malware
Besides the similar behavior, all the analyzed applications use the same naming convention for identifying the malicious Android package. Just think of this as modular efficiency, where the same malicious components can be reused and recycled between apps.
Figure 4: all the analyzed apps share a similarity in their manifest file and point to the malicious Android package name
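As an added illustration (not code from the Avira write-up), the following Python triage helper diffs a decoded AndroidManifest.xml of the Play Store original against the suspected repackaged copy and reports the changed app label, the added permissions (flagging the audio and SMS ones as high risk) and any injected components, which is the kind of manifest comparison the observations above rely on. The two sample manifests, the high-risk permission set and the PLACEHOLDER service name are constructed for this example, not taken from the real apps.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # prefix ET uses for android: attributes
# Permissions a banking trojan needs for audio capture, SMS takeover and overlays.
HIGH_RISK = {"android.permission.RECORD_AUDIO", "android.permission.READ_SMS",
             "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS",
             "android.permission.SYSTEM_ALERT_WINDOW",
             "android.permission.BIND_ACCESSIBILITY_SERVICE"}

# Constructed sample manifests (not the real apps'): a video player and a
# repackaged copy that re-labels it and adds permissions plus a dropper service.
ORIGINAL = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mefree.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Video Player"/>
</manifest>"""

REPACKAGED = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.mefree.videoplayer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Media Player">
    <service android:name="PLACEHOLDER.injected.DropperService"/>
  </application>
</manifest>"""

def parse_manifest(xml_text):
    """Pull package, label, permissions and declared components from a decoded manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    return {
        "package": root.get("package"),
        "label": app.get(A + "label") if app is not None else None,
        "permissions": {e.get(A + "name") for e in root.iter("uses-permission")},
        "components": {e.get(A + "name") for tag in ("activity", "service", "receiver")
                       for e in root.iter(tag)},
    }

def diff_manifests(original_xml, suspect_xml):
    """Report what the suspect copy changes or adds relative to the Play Store original."""
    orig, sus = parse_manifest(original_xml), parse_manifest(suspect_xml)
    added = sus["permissions"] - orig["permissions"]
    return {
        "same_package": orig["package"] == sus["package"],
        "label_changed": orig["label"] != sus["label"],
        "added_permissions": added,
        "high_risk_added": added & HIGH_RISK,
        "added_components": sus["components"] - orig["components"],
    }
```

Run it on manifests extracted with a tool such as apktool; a non-empty `high_risk_added` or `added_components` set for an app that claims to be the Play Store original is the signal to pull the sample for deeper analysis.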
Practice safe shopping in the marketplace
Regardless of the name of the specific app, these are examples of one common infection vector where the malware authors trick users into installing seemingly legit applications that, beneath the nice package, contain malicious code.
Bad stuff and malicious apps do manage to get into the official Google Play Store. Most recently, Google deleted a bogus VPN app used by over 100 million people. Then there were those infected Play Store apps for children that were also removed.
However, it is important to realize that the Play Store is patrolled and suspicious apps are regularly removed, especially when security researchers point out issues.
To stay safe, practice these three social distancing recommendations when shopping for apps:
- Stay within the Play Store walled garden.
- Think about why a certain application requests a permission (and don’t blindly grant permissions).
- Always have an AV product installed on your device.
Avira detects these fake apps as: ANDROID/Dropper.BAD.Gen
IOCs
SHA-256 | Package name
--- | ---
9af40bd913f4612a790c4fd2821b4e8a6ce7d15503484c35a5e8452e20845d8a | com.doktorumapp
612da67e5c5eb4288ec4c5ef60598d75bd156d25217f123de8d2e85ef215fa4d | com.mefree.videoplayer
7559dff487b11e7366f0a6f952dd808e376844609c9f5af6a1ebda09ffe30bb0 | cat.gencat.mobi.StopCovid19Cat