1. Home
  2. Software
  3. Anubis

Anubis

Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

ID: S0422
Type: MALWARE
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.3
Created: 08 April 2020
Last Modified: 20 September 2021
Version Permalink
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1532 Archive Collected Data

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]
Mobile T1429 Audio Capture

Anubis can record phone calls and audio.[1]
Mobile T1616 Call Control

Anubis can make phone calls.[1]
Mobile T1471 Data Encrypted for Impact

Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]
Mobile T1533 Data from Local System

Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][2]

Mobile T1407 Download New Code at Runtime

Anubis can download attacker-specified APK files.[2]
Mobile T1629 .001 Impair Defenses: Prevent Application Removal

Anubis may prevent malware's uninstallation by abusing Android’s performGlobalAction(int) API call.
.003 Impair Defenses: Disable or Modify Tools

Anubis can modify administrator settings and disable Play Protect.[1]
Mobile T1417 .001 Input Capture: Keylogging

Anubis has a keylogger that works in every application installed on the device.[1]
.002 Input Capture: GUI Input Capture

Anubis can create overlays to capture user credentials for targeted applications.[1]
Mobile T1430 Location Tracking

Anubis can retrieve the device’s GPS location.[1]
Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[1][2]
Mobile T1424 Process Discovery

Anubis can collect a list of running processes.[3]
Mobile T1636 .003 Protected User Data: Contact List

Anubis can steal the device’s contact list.[1]

Mobile T1513 Screen Capture

Anubis can take screenshots.[1]
Mobile T1582 SMS Control

Anubis can send, receive, and delete SMS messages.[1]
Mobile T1418 Software Discovery

Anubis can collect a list of installed applications to compare to a list of targeted applications.[1]
Mobile T1426 System Information Discovery

Anubis can collect the device’s ID.[1]
Mobile T1633 .001 Virtualization/Sandbox Evasion: System Checks

Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[2]
Mobile T1481 .001 Web Service: Dead Drop Resolver

Anubis can retrieve the C2 address from Twitter and Telegram.[1][2]

References

  1. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
  2. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
  1. zLabs. (2019, November 12). How Zimperium’s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021.