Anubis

Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

ID: S0422
Type: MALWARE
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.3
Created: 08 April 2020
Last Modified: 25 September 2024

Techniques Used

Domain ID Name Use
Mobile T1453 Abuse Accessibility Features

After the accessibility service permission is granted, Anubis lures the victim into changing the device's Accessibility settings, disables application removal, and executes screen taps and other commands without the victim's knowledge.[2]

Mobile T1532 Archive Collected Data

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]

Mobile T1429 Audio Capture

Anubis can record phone calls and audio.[1]

Mobile T1616 Call Control

Anubis can make phone calls.[1]

Mobile T1471 Data Encrypted for Impact

Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]

Mobile T1533 Data from Local System

Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][3]

Mobile T1407 Download New Code at Runtime

Anubis can download attacker-specified APK files.[3]

Mobile T1629.001 Impair Defenses: Prevent Application Removal

Anubis may prevent its own uninstallation by abusing Android's performGlobalAction(int) API call.

Mobile T1629.003 Impair Defenses: Disable or Modify Tools

Anubis can modify administrator settings and disable Play Protect.[1]

Mobile T1417.001 Input Capture: Keylogging

Anubis has a keylogger that works in every application installed on the device.[1]

Mobile T1417.002 Input Capture: GUI Input Capture

Anubis can create overlays to capture user credentials for targeted applications.[1]

Mobile T1430 Location Tracking

Anubis can retrieve the device’s GPS location.[1]

Mobile T1655.001 Masquerading: Match Legitimate Name or Location

Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[1][3]

Mobile T1424 Process Discovery

Anubis can collect a list of running processes.[4]

Mobile T1636.003 Protected User Data: Contact List

Anubis can steal the device’s contact list.[1]

Mobile T1513 Screen Capture

Anubis can take screenshots.[1]

Mobile T1582 SMS Control

Anubis can send, receive, and delete SMS messages.[1]

Mobile T1418 Software Discovery

Anubis can collect a list of installed applications to compare to a list of targeted applications.[1]

Mobile T1426 System Information Discovery

Anubis can collect the device’s ID.[1]

Mobile T1633.001 Virtualization/Sandbox Evasion: System Checks

Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[3]

Mobile T1481.001 Web Service: Dead Drop Resolver

Anubis can retrieve the C2 address from Twitter and Telegram.[1][3]

References