SOFTWARE
Aria-body
SOFTWARE
1-9
A-B
C-D
E-F
G-H
I-J
K-L
M-N
O-P
Q-R
S-T
U-V
W-X
Y-Z
  1. Home
  2. Software
  3. Anubis

Anubis

Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

ID: S0422
Type: MALWARE
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.2
Created: 08 April 2020
Last Modified: 20 January 2021
Version Permalink
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

Anubis can steal the device’s contact list.[1]

Mobile T1418 Application Discovery

Anubis can collect a list of installed applications to compare to a list of targeted applications.[1]
Mobile T1429 Capture Audio

Anubis can record phone calls and audio, and can make phone calls.[1]
Mobile T1532 Data Encrypted

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]
Mobile T1471 Data Encrypted for Impact

Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]
Mobile T1533 Data from Local System

Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][2]

Mobile T1475 Deliver Malicious App via Authorized App Store

Anubis has been delivered via the Google Play Store.[2]
Mobile T1476 Deliver Malicious App via Other Means

Anubis was distributed via phishing link in an email.[1]
Mobile T1407 Download New Code at Runtime

Anubis can download attacker-specified APK files.[2]
Mobile T1523 Evade Analysis Environment

Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[2]
Mobile T1417 Input Capture

Anubis has a keylogger that works in every application installed on the device.[1]
Mobile T1411 Input Prompt

Anubis can create overlays to capture user credentials for targeted applications.[1]
Mobile T1478 Install Insecure or Malicious Configuration

Anubis can modify administrator settings and disable Play Protect.[1]
Mobile T1430 Location Tracking

Anubis can retrieve the device’s GPS location.[1]
Mobile T1444 Masquerade as Legitimate Application

Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[1][2]
Mobile T1424 Process Discovery

Anubis can collect a list of running processes.[3]
Mobile T1513 Screen Capture

Anubis can take screenshots.[1]
Mobile T1582 SMS Control

Anubis can send, receive, and delete SMS messages.[1]
Mobile T1426 System Information Discovery

Anubis can collect the device’s ID.[1]
Mobile T1481 Web Service

Anubis can retrieve the C2 address from Twitter and Telegram.[1][2]

References

  1. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  2. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
  1. zLabs. (2019, November 12). How Zimperium’s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021.