Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

ID: S0422
Platforms: Android
Contributors: Aviran Hazum, Check Point; Sergey Persikov, Check Point
Version: 1.3
Created: 08 April 2020
Last Modified: 20 September 2021

Techniques Used

Domain ID Name Use
Mobile T1532 Archive Collected Data

Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1]

Mobile T1429 Audio Capture

Anubis can record phone calls and audio.[1]

Mobile T1616 Call Control

Anubis can make phone calls.[1]

Mobile T1471 Data Encrypted for Impact

Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1]

Mobile T1533 Data from Local System

Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][2]

Mobile T1407 Download New Code at Runtime

Anubis can download attacker-specified APK files.[2]

Mobile T1629 .001 Impair Defenses: Prevent Application Removal

Anubis may prevent malware's uninstallation by abusing Android’s performGlobalAction(int) API call.

.003 Impair Defenses: Disable or Modify Tools

Anubis can modify administrator settings and disable Play Protect.[1]

Mobile T1417 .001 Input Capture: Keylogging

Anubis has a keylogger that works in every application installed on the device.[1]

.002 Input Capture: GUI Input Capture

Anubis can create overlays to capture user credentials for targeted applications.[1]

Mobile T1430 Location Tracking

Anubis can retrieve the device’s GPS location.[1]

Mobile T1655 .001 Masquerading: Match Legitimate Name or Location

Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[1][2]

Mobile T1424 Process Discovery

Anubis can collect a list of running processes.[3]

Mobile T1636 .003 Protected User Data: Contact List

Anubis can steal the device’s contact list.[1]

Mobile T1513 Screen Capture

Anubis can take screenshots.[1]

Mobile T1582 SMS Control

Anubis can send, receive, and delete SMS messages.[1]

Mobile T1418 Software Discovery

Anubis can collect a list of installed applications to compare to a list of targeted applications.[1]

Mobile T1426 System Information Discovery

Anubis can collect the device’s ID.[1]

Mobile T1633 .001 Virtualization/Sandbox Evasion: System Checks

Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[2]

Mobile T1481 .001 Web Service: Dead Drop Resolver

Anubis can retrieve the C2 address from Twitter and Telegram.[1][2]