Anubis Android Malware Returns with Over 17,000 Samples

By: Tony Bao (Mobile Threats Analyst)


The 2018 mobile threat landscape saw banking trojans diversify their tactics and techniques to evade detection and further monetize their malware — and in the case of the Anubis Android malware, get retooled for other malicious activities. Anubis has undergone several changes since it first emerged, from being used for cyberespionage to being retooled as banking malware that combines information theft with ransomware-like routines. In mid-January 2019, we saw Anubis use a plethora of techniques, including motion-based sensors to elude sandbox analysis and overlays to steal personally identifiable information.


The latest samples of Anubis (detected by Trend Micro as AndroidOS_AnubisDropper) we recently came across are no different. While tracking Anubis’ activities, we saw two related servers containing 17,490 samples.


Figure 1. Anubis’ infection chain


Uncovering 17,490 Anubis Samples

We used the following samples (SHA-256) to analyze Anubis and further track this threat’s activities:


30b0b3b0d4733f3b94517ab4e407214e82abf6aad3adf918717ff842e28d672f
451194f0d9b902b6763762023ca02f6539fc72276347b8a8aed3a901bece4892

These Anubis variants request the following URLs and parse an XML file to download a malicious app:


hxxp://markuezdnbrs[.]online/deneme/api[.]php?xml=8c6c029e-153b-41e1-a061-2699a45b69f9
hxxp://successiondar[.]xyz/continuing/resigned[.]php?xml=7e393286-925c-41f4-ac81-b7e2625473d0

The malicious Android applicat ..