Anubis
Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Mobile | T1432 | Access Contact List | ||
| Mobile | T1418 | Application Discovery |
Anubis can collect a list of installed applications to compare to a list of targeted applications.[1] |
|
| Mobile | T1429 | Capture Audio |
Anubis can record phone calls and audio, and can make phone calls.[1] |
|
| Mobile | T1412 | Capture SMS Messages | ||
| Mobile | T1532 | Data Encrypted |
Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1] |
|
| Mobile | T1471 | Data Encrypted for Impact |
Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1] |
|
| Mobile | T1533 | Data from Local System |
Anubis can exfiltrate files encrypted with the ransomware module from the device.[1] |
|
| Mobile | T1476 | Deliver Malicious App via Other Means | ||
| Mobile | T1417 | Input Capture |
Anubis has a keylogger that works in every application installed on the device.[1] |
|
| Mobile | T1411 | Input Prompt |
Anubis can create overlays to capture user credentials for targeted applications.[1] |
|
| Mobile | T1478 | Install Insecure or Malicious Configuration |
Anubis can modify administrator settings and disable Play Protect.[1] |
|
| Mobile | T1430 | Location Tracking | ||
| Mobile | T1444 | Masquerade as Legitimate Application |
Anubis requests accessibility service privileges while masquerading as "Google Play Protect".[1] |
|
| Mobile | T1513 | Screen Capture | ||
| Mobile | T1426 | System Information Discovery | ||
| Mobile | T1481 | Web Service | ||