A new version of Anubis banking malware was found on Google Play – it can steal PayPal credentials and lock personal files on Android devices
Lukas Stefanko, a security researcher at ESET, found an application on Google Play that appears to be a new variant of the well-known banking trojan Anubis. This time, the malware returned with even more damaging capabilities: apart from phishing for users' PayPal credentials, it encrypts data on external storage and locks the screen, preventing victims from accessing their devices.
Anubis, first spotted about a year ago, is one of the most prominent data-stealing threats in the wild. It has been found to incorporate motion-based evasion techniques, a RAT backdoor for the attackers, SMS interception, keylogging and, finally, a ransomware-style file-locking feature. It mostly affected Turkish-speaking users, as Anubis was disguised as a variety of financial or shopping applications (for example, Currency Converter) that functioned as downloaders.
This is not the first time Anubis' ransomware module has been used: Sophos security researchers described the feature back in August 2018:
The built-in ransomware component encrypts user files and gives them the .AnubisCrypt file extension. Remember, this runs on a phone, which is even less likely to be backed up than a laptop or desktop, and more likely to have personal photos or other valuable data.
Google tries to remove the apps that later download and install the Anubis payload as soon as possible, although they sometimes reach thousands of downloads before being taken down. The particular app discovered by Stefanko has already been removed from Google Play.
The malicious payload is obtained after the downloader uses a specific function
Once one of the malicious applications is installed, it waits and performs no actions for a long time. After this dormant period, the app starts functioning as a downloader: it relies on the REQUEST_INSTALL_PACKAGES permission, which the initial application requests at installation. Security researcher Ahmet Bilal, who analyzed Anubis malware samples, considers this permission to be particularly dangerous:
I think in the current state of the Play Store this permission is more dangerous than any other one, because Play Protect can catch malware and RATs if they are published on the Play Store. The spread of malware generally comes from this permission. Users need to check if this permission is in the permission list.
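The permission check suggested above can be automated for analysts reviewing an APK's decoded manifest. The following is an added example (not code from the original article or from any of the researchers quoted): it parses an AndroidManifest.xml, reports the permissions that match the Anubis capabilities described here (dropping further APKs, SMS interception), and runs on a constructed sample manifest for a "currency converter" style app. The capability mapping is this example's own triage heuristic, not a detection signature.

```python
import xml.etree.ElementTree as ET

# XML namespace that the android: attributes in a manifest resolve to.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission identifiers; the capability text is this
# example's own triage heuristic tied to the behaviours described above.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "can install further APKs (downloader/dropper behaviour)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (one-time codes)",
    "android.permission.READ_SMS": "can read stored SMS messages",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def triage_manifest(manifest_xml: str) -> dict:
    """Map each risky permission the app requests to the capability it implies."""
    perms = requested_permissions(manifest_xml)
    return {p: RISKY_PERMISSIONS[p] for p in sorted(perms) if p in RISKY_PERMISSIONS}


# Constructed sample manifest (hypothetical package name, not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.currencyconverter">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="Currency Converter"/>
</manifest>"""

if __name__ == "__main__":
    # A converter utility has no plausible need for either flagged permission.
    for perm, why in triage_manifest(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```

Point the script at the manifest produced by an APK decoding tool; a benign utility app requesting REQUEST_INSTALL_PACKAGES is the kind of mismatch worth a closer look.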
The downloader then fetches the Anubis payload, which lures users into giving out their credentials, takes screenshots of login screens, establishes a connection with the C&C server, locks files on the device by adding the .AnubisCrypt file extension and, finally, locks the screen, showing the user only a black screen.
Anubis is a prominent threat that targets over 370 banking apps
The screen-locking feature is significant because it shows that the actors behind Anubis are actively experimenting with the malware and adding new functions, as the ransomware module also demonstrates. Nevertheless, Lukas Stefanko said the feature is not fully functional, as he could easily bypass the screen lock. Unfortunately, few regular users would be able to do that.
For that reason, users should always make sure their mobile devices are protected with security software and with features such as two-factor authentication. Anubis is known to target as many as 377 different banking applications globally, including NatWest, Citibank, Bank Austria, Santander and others. The malware also targets popular platforms such as eBay, PayPal and Amazon.
One might ask why Google allows malicious apps on its official store. It is not as simple as it might seem. The number of apps uploaded to Google Play is enormous and, while the company has implemented defenses, detecting every malicious app is difficult. Furthermore, the applications are built to delay their malicious activity, which complicates the scanner's task of detecting the malware in time.