17,000 Samples of Anubis Mobile Malware

September 13, 2019

BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Various vendor reports indicate an approximate 50% increase in mobile banking malware from 2018 to 2019. The financial sector experiences more phishing and man-in-the-middle (MitM) attacks via mobile devices than any other industry. Attackers are targeting user devices to access the sensitive financial data they contain.

Research indicates that poor user security practice is the leading cause of mobile infections. Complicating security, many mobile devices connecting to the enterprise infrastructure (one report states 42%) have side-loaded applications installed from sites or databases outside of regulated application stores.

Mobile malware developers are beginning to model their tools on the way traditional malware works. Current mobile banking malware is capable of stealing payment data, credentials, and funds from victim bank accounts. This success is generating substantial operating funds for developers, which allows them to further enhance their wares.

Major malware families, such as Asacub and Anubis, are widely available to mobile malware builders on the dark web. This is resulting in the creation of countless new variants of mobile malware ready for mass distribution. Anubis is one of the most popular mobile malware families available today. It has integrated a wide array of techniques such as:
  • Tapping into mobile devices’ motion-based sensors to elude sandbox analysis
  • Displaying malicious overlays to steal PII
  • Using malicious short links on social media accounts for C2 communications
Researchers have observed attacker-owned Twitter accounts using Google short links for C2 communications. Some of these accounts have been active for approximately 12 years.

Researchers at Trend Micro recently uncovered over seventeen thousand samples of Anubis on two servers. The researchers assessed that within these samples, those with specific labels appear to have different routines from others. Some of the analyzed samples have targeted financial applications from which they are coded to steal personal and financial data. In total, researchers have estimated that Anubis targets 188 banking and finance-related applications in countries such as Poland, Australia, Turkey, Germany, France, Italy, Spain, the U.S., and India.

* Source: Trend Micro blog - Anubis Android Malware Returns with Over 17,000 Samples, July 8, 2019