apk.anubis

Anubis

aka: BankBot, android.bankbot, android.bankspy

BleepingComputer found that Anubis displays fake phishing login forms when users open apps for targeted platforms, in order to steal credentials. The overlay is drawn on top of the real app's login screen so that victims believe it is the legitimate login form; in reality, any credentials they enter are sent to the attackers.

In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:

Recording screen activity and sound from the microphone
Implementing a SOCKS5 proxy for covert communication and package delivery
Capturing screenshots
Sending mass SMS messages from the device to specified recipients
Retrieving contacts stored on the device
Sending, reading, deleting, and blocking notifications for SMS messages received by the device
Scanning the device for files of interest to exfiltrate
Locking the device screen and displaying a persistent ransom note
Submitting USSD code requests to query bank balances
Capturing GPS data and pedometer statistics
Implementing a keylogger to steal credentials
Monitoring active apps to mimic and perform overlay attacks
Stopping malicious functionality and removing the malware from the device

References
2022-07-11 | Security Affairs | Pierluigi Paganini
@online{paganini:20220711:anubis:f2a0277,
  author       = {Pierluigi Paganini},
  title        = {{Anubis Networks is back with new C2 server}},
  date         = {2022-07-11},
  organization = {Security Affairs},
  url          = {https://securityaffairs.co/wordpress/133115/hacking/anubis-networks-new-c2.html},
  language     = {English},
  urldate      = {2022-07-12},
}
Anubis Networks is back with new C2 server
Anubis
2022-05-29 | muha2xmad | Muhammad Hasan Ali
@online{ali:20220529:full:cf742e7,
  author       = {Muhammad Hasan Ali},
  title        = {{Full Anubis android malware analysis}},
  date         = {2022-05-29},
  organization = {muha2xmad},
  url          = {https://muha2xmad.github.io/malware-analysis/anubis/},
  language     = {English},
  urldate      = {2022-05-29},
}
Full Anubis android malware analysis
Anubis
2022-03 | VirusTotal | VirusTotal
@techreport{virustotal:202203:virustotals:c6af9c1,
  author      = {VirusTotal},
  title       = {{VirusTotal's 2021 Malware Trends Report}},
  date        = {2022-03},
  institution = {VirusTotal},
  url         = {https://assets.virustotal.com/reports/2021trends.pdf},
  language    = {English},
  urldate     = {2022-04-13},
}
VirusTotal's 2021 Malware Trends Report
Anubis AsyncRAT BlackMatter Cobalt Strike DanaBot Dridex Khonsari MimiKatz Mirai Nanocore RAT Orcus RAT
2021-08-27 | 0x1c3n.tech | 0x1c3N
@online{0x1c3n:20210827:anubis:1705302,
  author       = {0x1c3N},
  title        = {{Anubis Android Malware Analysis}},
  date         = {2021-08-27},
  organization = {0x1c3n.tech},
  url          = {https://0x1c3n.tech/anubis-android-malware-analysis},
  language     = {English},
  urldate      = {2021-09-02},
}
Anubis Android Malware Analysis
Anubis
2021-04-28 | ThreatFabric | ThreatFabric
@online{threatfabric:20210428:rage:2ee0e0b,
  author       = {ThreatFabric},
  title        = {{The Rage of Android Banking Trojans}},
  date         = {2021-04-28},
  organization = {ThreatFabric},
  url          = {https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html},
  language     = {English},
  urldate      = {2021-05-04},
}
The Rage of Android Banking Trojans
Anubis Gustuff Medusa
2021-02-24 | RiskIQ | Jordan Herman
@online{herman:20210224:turkey:2d3f340,
  author       = {Jordan Herman},
  title        = {{Turkey Dog: Cerberus and Anubis Banking Trojans Target Turkish Speakers}},
  date         = {2021-02-24},
  organization = {RiskIQ},
  url          = {https://community.riskiq.com/article/85b3db8c},
  language     = {English},
  urldate      = {2021-02-25},
}
Turkey Dog: Cerberus and Anubis Banking Trojans Target Turkish Speakers
Anubis Cerberus
2020-12-10 | Intel 471 | Intel 471
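% Corporate author: the extra pair of braces keeps "Intel 471" as one
% indivisible name instead of being parsed as first="Intel", last="471".
@online{471:20201210:no:9fd2ae1,
  author       = {{Intel 471}},
  title        = {{No pandas, just people: The current state of China’s cybercrime underground}},
  date         = {2020-12-10},
  organization = {Intel 471},
  url          = {https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/},
  language     = {English},
  urldate      = {2020-12-10},
}
No pandas, just people: The current state of China’s cybercrime underground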
Anubis SpyNote AsyncRAT Cobalt Strike Ghost RAT NjRAT
2020-11-21 | Medium Intel-Honey | Twitter (@intel_honey)
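% The author is an account handle, not a personal name: the extra pair of
% braces keeps it as one literal instead of splitting it into first/last parts.
@online{intelhoney:20201121:reversing:e62deae,
  author       = {{Twitter (@intel_honey)}},
  title        = {{Reversing Anubis Malware}},
  date         = {2020-11-21},
  organization = {Medium Intel-Honey},
  url          = {https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb},
  language     = {English},
  urldate      = {2020-11-23},
}
Reversing Anubis Malware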
Anubis
2020-07-04 | N1ght-W0lf Blog | Abdallah Elshinbary
@online{elshinbary:20200704:deep:bdfbd8a,
  author       = {Abdallah Elshinbary},
  title        = {{Deep Analysis of Anubis Banking Malware}},
  date         = {2020-07-04},
  organization = {N1ght-W0lf Blog},
  url          = {https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/},
  language     = {English},
  urldate      = {2020-07-06},
}
Deep Analysis of Anubis Banking Malware
Anubis
2020-05-09 | BushidoToken | BushidoToken
@online{bushidotoken:20200509:turkey:a764ff0,
  author       = {BushidoToken},
  title        = {{Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns}},
  date         = {2020-05-09},
  organization = {BushidoToken},
  url          = {https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html},
  language     = {English},
  urldate      = {2020-05-13},
}
Turkey targeted by Cerberus and Anubis Android banking Trojan campaigns
Anubis Cerberus
2020-04-23 | Youtube (Lukas Stefanko) | Lukáš Štefanko
@online{tefanko:20200423:android:82225cd,
  author       = {Lukáš Štefanko},
  title        = {{Android banking Trojan Anubis | Malware demo | infected device | covid19 | targets Italy}},
  date         = {2020-04-23},
  organization = {Youtube (Lukas Stefanko)},
  url          = {https://www.youtube.com/watch?v=U0UsfO-0uJM},
  language     = {English},
  urldate      = {2020-04-26},
}
Android banking Trojan Anubis | Malware demo | infected device | covid19 | targets Italy
Anubis
2020-03-26 | Bitdefender | Liviu Arsene
@online{arsene:20200326:android:946032b,
  author       = {Liviu Arsene},
  title        = {{Android Apps and Malware Capitalize on Coronavirus}},
  date         = {2020-03-26},
  organization = {Bitdefender},
  url          = {https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus},
  language     = {English},
  urldate      = {2020-03-26},
}
Android Apps and Malware Capitalize on Coronavirus
Anubis Joker
2020-02-25 | Kaspersky Labs | Victor Chebyshev
@online{chebyshev:20200225:mobile:e40c963,
  author       = {Victor Chebyshev},
  title        = {{Mobile malware evolution 2019}},
  date         = {2020-02-25},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/mobile-malware-evolution-2019/96280/},
  language     = {English},
  urldate      = {2020-02-26},
}
Mobile malware evolution 2019
Anubis Asacub Dvmap FlexNet HiddenAd Marcher Svpeng Triada
2020-02 | ThreatFabric | ThreatFabric
@online{threatfabric:202002:2020:b875962,
  author       = {ThreatFabric},
  title        = {{2020 - Year of the RAT}},
  date         = {2020-02},
  organization = {ThreatFabric},
  url          = {https://www.threatfabric.com/blogs/2020_year_of_the_rat.html},
  language     = {English},
  urldate      = {2020-02-27},
}
2020 - Year of the RAT
Anubis Cerberus Ginp Gustuff Hydra
2019-04-07 | Eybisi | Eybisi
@online{eybisi:20190407:mobile:c60bdb5,
  author       = {Eybisi},
  title        = {{Mobile Malware Analysis : Tricks used in Anubis}},
  date         = {2019-04-07},
  organization = {Eybisi},
  url          = {https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/},
  language     = {English},
  urldate      = {2020-01-08},
}
Mobile Malware Analysis : Tricks used in Anubis
Anubis
2019-03-13 | Pentest Blog | Ahmet Bilal Can
@online{can:20190313:n:bfbaff0,
  author       = {Ahmet Bilal Can},
  title        = {{N Ways to Unpack Mobile Malware}},
  date         = {2019-03-13},
  organization = {Pentest Blog},
  url          = {https://pentest.blog/n-ways-to-unpack-mobile-malware/},
  language     = {English},
  urldate      = {2020-01-09},
}
N Ways to Unpack Mobile Malware
Anubis
2019-01-17 | Trend Micro | Kevin Sun
@online{sun:20190117:google:cefba64,
  author       = {Kevin Sun},
  title        = {{Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics}},
  date         = {2019-01-17},
  organization = {Trend Micro},
  url          = {https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/},
  language     = {English},
  urldate      = {2019-11-25},
}
Google Play Apps Drop Anubis Banking Malware, Use Motion-based Evasion Tactics
Anubis
2018-09-10 | Security Boulevard | Gary Warner
@online{warner:20180910:android:6d7f2ee,
  author       = {Gary Warner},
  title        = {{Android Malware Intercepts SMS 2FA: We have the Logs}},
  date         = {2018-09-10},
  organization = {Security Boulevard},
  url          = {https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/},
  language     = {English},
  urldate      = {2022-02-07},
}
Android Malware Intercepts SMS 2FA: We have the Logs
Anubis
2018-08-30 | Random RE | sysopfb
@online{sysopfb:20180830:manually:6a15ebc,
  author       = {sysopfb},
  title        = {{Manually unpacking Anubis APK}},
  date         = {2018-08-30},
  organization = {Random RE},
  url          = {https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html},
  language     = {English},
  urldate      = {2020-01-08},
}
Manually unpacking Anubis APK
Anubis
2018-03-13 | PhishLabs | Joshua Shilko
@online{shilko:20180313:new:e7af165,
  author       = {Joshua Shilko},
  title        = {{New Variant of BankBot Banking Trojan Ups Ante, Cashes Out on Android Users}},
  date         = {2018-03-13},
  organization = {PhishLabs},
  url          = {https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis},
  language     = {English},
  urldate      = {2020-01-06},
}
New Variant of BankBot Banking Trojan Ups Ante, Cashes Out on Android Users
Anubis
2017-11-21 | ESET Research | Lukáš Štefanko
@online{tefanko:20171121:new:b1c9690,
  author       = {Lukáš Štefanko},
  title        = {{New campaigns spread banking malware through Google Play}},
  date         = {2017-11-21},
  organization = {ESET Research},
  url          = {https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/},
  language     = {English},
  urldate      = {2019-11-14},
}
New campaigns spread banking malware through Google Play
Anubis
2017-09-19 | Fortinet | Dario Durando
@online{durando:20170919:look:79fa513,
  author       = {Dario Durando},
  title        = {{A Look Into The New Strain Of BankBot}},
  date         = {2017-09-19},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html},
  language     = {English},
  urldate      = {2020-01-13},
}
A Look Into The New Strain Of BankBot
Anubis
2017-07-27 | Security Intelligence | Limor Kessem, Shachar Gritzman
@online{kessem:20170727:after:10c4ba5,
  author       = {Limor Kessem and Shachar Gritzman},
  title        = {{After Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play}},
  date         = {2017-07-27},
  organization = {Security Intelligence},
  url          = {https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/},
  language     = {English},
  urldate      = {2019-12-06},
}
After Big Takedown Efforts, 20 More BankBot Mobile Malware Apps Make It Into Google Play
Anubis
2017-05-30 | Koodous | entdark
@online{entdark:20170530:bankbot:4cb608c,
  author       = {entdark},
  title        = {{Bankbot on Google Play}},
  date         = {2017-05-30},
  organization = {Koodous},
  url          = {http://blog.koodous.com/2017/05/bankbot-on-google-play.html},
  language     = {English},
  urldate      = {2020-01-13},
}
Bankbot on Google Play
Anubis
2017-05-09 | Lukáš Štefanko
@online{tefanko:20170509:tracking:6c9fed0,
  author   = {Lukáš Štefanko},
  title    = {{Tracking Android BankBot}},
  date     = {2017-05-09},
  url      = {http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html},
  language = {English},
  urldate  = {2019-12-17},
}
Tracking Android BankBot
Anubis
2017-04-26 | Fortinet | Dario Durando, David Maciejak
@online{durando:20170426:bankbot:f7430c7,
  author       = {Dario Durando and David Maciejak},
  title        = {{BankBot, the Prequel}},
  date         = {2017-04-26},
  organization = {Fortinet},
  url          = {https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html},
  language     = {English},
  urldate      = {2019-12-17},
}
BankBot, the Prequel
Anubis
2017-04-13 | Koodous | Koodous Blog
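% Corporate author: the extra pair of braces keeps "Koodous Blog" as one
% indivisible name instead of being parsed as first="Koodous", last="Blog".
@online{blog:20170413:decrypting:c59a1bd,
  author       = {{Koodous Blog}},
  title        = {{Decrypting Bankbot communications.}},
  date         = {2017-04-13},
  organization = {Koodous},
  url          = {http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html},
  language     = {English},
  urldate      = {2019-08-07},
}
Decrypting Bankbot communications.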
Anubis

There is no YARA signature yet.