Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

ID: S0422
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.1
Created: 08 April 2020
Last Modified: 11 September 2020

Techniques Used

Domain ID Name Use
Mobile T1432 Access Contact List

Anubis can steal the device’s contact list.[1]

Mobile T1418 Application Discovery

Anubis can collect a list of installed applications to compare to a list of targeted applications.[1]

Mobile T1429 Capture Audio

Anubis can record phone calls and audio, and can make phone calls.[1]

Mobile T1532 Data Encrypted

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]

Mobile T1471 Data Encrypted for Impact

Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]

Mobile T1533 Data from Local System

Anubis can exfiltrate files from the device after encrypting them with its ransomware module.[1]
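The two rows above (T1532 and T1533) both rest on the ransomware module's RC4 encryption. As an added analyst-side example, not code from the Check Point report or from an Anubis sample, the following Python implements RC4 and uses it to recover a constructed exfiltration record. The JSON record layout, the Base64 transport wrapper and the key `k3y` are assumptions made for illustration; what the block shows is that RC4 is a symmetric stream cipher, so a key recovered from the APK decrypts every captured blob, and that reusing one key with no per-message nonce leaks the XOR of two plaintexts to anyone holding two ciphertexts.

```python
"""RC4 recovery of constructed Anubis-style exfiltration blobs (added example)."""
import base64
import json
from typing import Iterator


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Standard RC4: key scheduling (KSA) followed by the PRGA generator."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:                                # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt; RC4 is its own inverse."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Assumed for illustration only: the module RC4-encrypts a JSON record under a
# hard-coded key and Base64-wraps the ciphertext for transport.
ASSUMED_KEY = b"k3y"


def pack_exfil(record: dict, key: bytes = ASSUMED_KEY) -> str:
    """Malware-side packing of one record (constructed format)."""
    return base64.b64encode(rc4(key, json.dumps(record).encode())).decode()


def unpack_exfil(blob: str, key: bytes = ASSUMED_KEY) -> dict:
    """What an analyst runs on a captured blob once the key is pulled from the APK."""
    return json.loads(rc4(key, base64.b64decode(blob)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(blob1: str, blob2: str) -> bytes:
    """RC4 without a per-message nonce reuses the keystream, so
    C1 xor C2 == P1 xor P2: two captured blobs leak plaintext structure
    even to someone who never recovers the key."""
    return xor_bytes(base64.b64decode(blob1), base64.b64decode(blob2))


if __name__ == "__main__":
    sample = {"type": "file", "name": "IMG_0001.jpg", "device": "constructed-id-1"}
    blob = pack_exfil(sample)
    print(blob)
    print(unpack_exfil(blob))
```

The three short vectors checked in the test are the public RC4 reference values (`Key`/`Plaintext`, `Wiki`/`pedia`, `Secret`/`Attack at dawn`), which is the first thing to run against any RC4 routine lifted out of a sample before trusting it on captured traffic.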

Mobile T1476 Deliver Malicious App via Other Means

Anubis was distributed via a phishing link in an email.[1]

Mobile T1417 Input Capture

Anubis has a keylogger that works in every application installed on the device.[1]

Mobile T1411 Input Prompt

Anubis can create overlays to capture user credentials for targeted applications.[1]

Mobile T1478 Install Insecure or Malicious Configuration

Anubis can modify administrator settings and disable Play Protect.[1]

Mobile T1430 Location Tracking

Anubis can retrieve the device’s GPS location.[1]

Mobile T1444 Masquerade as Legitimate Application

Anubis requests accessibility service privileges while masquerading as "Google Play Protect".[1]

Mobile T1513 Screen Capture

Anubis can take screenshots.[1]

Mobile T1582 SMS Control

Anubis can send, receive, and delete SMS messages.[1]

Mobile T1426 System Information Discovery

Anubis can collect the device’s ID.[1]
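Most of the capabilities listed above (contacts, audio, overlays, device admin, location, the "Google Play Protect" masquerade, SMS control and device identifiers) show up in an APK's manifest before any dynamic analysis. The following Python is an added triage example, not code from this page or from Check Point, that runs over a decoded `AndroidManifest.xml` such as apktool produces and maps declarations to the technique IDs used on this page. The sample manifest, package names and the lookalike-label list are constructed; real manifests usually set `android:label` to `@string/app_name`, so the label has to be resolved from `strings.xml` before this check is meaningful. A manifest only declares what an app may do, so the output is a filter for analyst attention, not a verdict.

```python
"""Manifest triage for the capability set on this page (added example)."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (technique ID as used on this page, what it enables).
PERMISSION_MAP = {
    "android.permission.READ_CONTACTS": ("T1432", "contact list access"),
    "android.permission.RECORD_AUDIO": ("T1429", "audio/call recording"),
    "android.permission.SEND_SMS": ("T1582", "send SMS"),
    "android.permission.RECEIVE_SMS": ("T1582", "intercept SMS"),
    "android.permission.READ_SMS": ("T1582", "read SMS"),
    "android.permission.ACCESS_FINE_LOCATION": ("T1430", "GPS location"),
    "android.permission.ACCESS_COARSE_LOCATION": ("T1430", "coarse location"),
    "android.permission.READ_PHONE_STATE": ("T1426", "device identifiers"),
    "android.permission.SYSTEM_ALERT_WINDOW": ("T1411", "overlay windows"),
}

# Labels a dropper might imitate (assumed list; compared after normalisation).
LOOKALIKE_LABELS = {"google play protect", "play protect", "google play services"}

# Constructed sample of a decoded manifest with the label already resolved.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.update">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Google Play Protect">
    <service android:name=".AccService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign control: one permission, ordinary label, no services.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def _normalise(label: str) -> str:
    return re.sub(r"[^a-z0-9 ]", "", label.lower()).strip()


def triage_manifest(manifest_xml: str) -> list[tuple[str, str]]:
    """Return (technique ID, evidence) pairs found in the manifest."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name", "")
        if name in PERMISSION_MAP:
            tid, what = PERMISSION_MAP[name]
            findings.append((tid, f"{what} via {name}"))
    app = root.find("application")
    if app is not None:
        label = app.get(ANDROID_NS + "label", "")
        if _normalise(label) in LOOKALIKE_LABELS:
            findings.append(("T1444", f"app label {label!r} imitates a Google component"))
        for svc in app.iter("service"):
            if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
                findings.append(("T1417", f"accessibility service {svc.get(ANDROID_NS + 'name')} "
                                          "(prerequisite for keylogging and overlays)"))
        for rcv in app.iter("receiver"):
            if rcv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
                findings.append(("T1478", f"device admin receiver {rcv.get(ANDROID_NS + 'name')}"))
    return findings


if __name__ == "__main__":
    for tid, evidence in triage_manifest(SAMPLE_MANIFEST):
        print(tid, evidence)
```

The combination that matters most for this family is an accessibility service plus a device-admin receiver under a Google-sounding label: that pairing is what lets a dropper hold the keylogging and overlay position described above while resisting uninstall.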

Mobile T1481 Web Service

Anubis can retrieve the C2 address from Twitter.[1]
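The row above describes a dead-drop resolver: the bot reads a public web service to learn where its real C2 lives, so the APK never has to carry a takedown-able address. The Python below is an added illustration of that pattern, written from the analyst's side and not taken from the Anubis code or the Check Point report. The `::` markers, the Base64 encoding and the three sample posts are constructed assumptions; this page does not state how Anubis encodes the address. What the block shows is the resolver logic a practitioner needs to reproduce when emulating the bot: scan several candidate posts, pull the bounded fragment, decode it, and accept it only if it parses as a host and port, so that noise, a malformed post or a deliberately poisoned account does not redirect the client.

```python
"""Dead-drop C2 resolver over constructed social-media posts (added example)."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed encoding for illustration: "host:port", Base64, bounded by "::" markers.
MARK = "::"
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$|^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed posts: ordinary noise, a malformed decoy, and one carrying the address.
POSTS = [
    "Good morning everyone! #sunrise",
    "::!!!not-base64!!!::",
    "new photos ::" + base64.b64encode(b"update-srv.example.net:8443").decode() + ":: enjoy",
]


def extract_fragment(text: str) -> Optional[str]:
    """Return the text between the first pair of markers, or None."""
    start = text.find(MARK)
    if start < 0:
        return None
    end = text.find(MARK, start + len(MARK))
    return text[start + len(MARK):end] if end > start else None


def decode_c2(fragment: str) -> Optional[tuple[str, int]]:
    """Decode and validate; anything that is not a printable host[:port] is rejected."""
    try:
        raw = base64.b64decode(fragment, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = urlsplit("//" + raw)          # stdlib handles the host/port split
    if parts.hostname is None or not HOST_RE.match(parts.hostname):
        return None
    try:
        port = parts.port or 443          # assumed default when no port is given
    except ValueError:                    # non-numeric or out-of-range port
        return None
    return parts.hostname, port


def resolve_c2(posts: list[str]) -> Optional[tuple[str, int]]:
    """First valid address wins; noise and malformed posts are skipped, not fatal."""
    for post in posts:
        fragment = extract_fragment(post)
        if fragment is None:
            continue
        c2 = decode_c2(fragment)
        if c2 is not None:
            return c2
    return None


if __name__ == "__main__":
    print(resolve_c2(POSTS))
```

For defenders the useful inversion is the same parser pointed at the account the sample references: once the marker and encoding are known from the APK, the account's history yields every C2 the operators have rotated through.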