Published on April 9th, 2019
Anubis Android Trojan Spotted with Almost Functional Ransomware Module
An Android application that steals PayPal credentials, encrypts files on the device's external storage, and locks the screen behind a black overlay was spotted in the Google Play Store by ESET malware researcher Lukas Stefanko.
Behind the app's malicious behavior is a payload of the Anubis Android banking Trojan, a well-known family designed to steal banking credentials, give its operators a RAT backdoor, and send SMS spam, among other things.
Once a malware downloader drops the Anubis banking Trojan on a compromised device, it starts collecting banking information either with a built-in keylogger module or by taking screenshots while the user enters credentials into apps, unlike other banking Trojans, which typically use overlay screens for the same task.
Anubis samples with ransomware features are not new: Sophos previously found Anubis-infected apps in the Play Store in August 2018 that could encrypt files and give them an .Anubiscrypt file extension, the same extension the sample found by Stefanko used when it encrypted his documents.
"The built-in ransomware component encrypts user files and gives them .Anubiscrypt file extension. Remember, this runs on a phone, which is even less likely to be backed up than a laptop or desktop, and more likely to have personal photos or other valuable data," said Sophos.
What makes Stefanko's finding notable is that it comes with a device lock feature that tries to lock the screen, although, as the researcher told BleepingComputer, he was able to circumvent it: "I could bypass it, and it doesn't request ransom - maybe a bad implementation."
This shows that, while Anubis' operators are still actively adding features to their malware, developing some of them takes time: between Sophos' first report of the ransomware module and today's sighting, they have only managed to add a half-baked screen lock that can be bypassed.
Tweet: "Crypto-Banking Ransomware found on Google Play", Lukas Stefanko (@LukasStefanko), April 8, 2019
According to other researchers, the infected app found by Stefanko is a copy of another Android application, and, as mobile security researcher Nikolaos Chrysaidos detailed, the Anubis banking Trojan is also currently being pushed through multiple other apps still available in the Play Store.
The infected app found by Stefanko in Google's Play Store does not yet have many installs: the store currently reports "0+" installs, yet the app has 90 ratings with an average of 4 stars. Left in place, it would most likely accumulate enough downloads to steal and encrypt the data of thousands of Android users.
This becomes clear from the researcher's previous reports on Anubis-infected apps in the Play Store, which ranged from 100+ to 5000+ installs.
As mobile malware researcher Ahmet Bilal Can reported yesterday, Anubis has a steady presence in the official Android app store, with numerous samples spotted between July 2018 and March 2019, as shown in the screenshots below.
As recently discovered by Trend Micro's researchers in January, Anubis Trojan was used in a large scale malware campaign targeting 377 bank applications from 93 countries all over the globe, with banks like Santander, RBS, Natwest, and Citibank, as well as non-banking apps such as Amazon, eBay, and PayPal being in their list of targets.
Previously, researchers from IBM X-Force linked the malicious downloaders used by bad actors to distribute the Anubis Trojan also used as droppers for the Exobot malware unearthed by Threatfabric while analyzing an Exobot campaign last year.
All these apps infected with Anubis downloaders being distributed via the Google Play store show that the actors behind them have enough skill to successfully hide the droppers they come with from Google Play’s malware defenses.
Update April 08 18:59 EDT: According to a Google spokesperson, the app is no longer available in the Play Store.