# Tool/Technique: Anubis Banking Malware
## Overview
Anubis is a sophisticated Android banking malware, first appearing around 2017, known for its extensive range of capabilities, including keylogging, SMS spam, file encryption (ransomware behavior), VNC screen viewing, and overlay attacks targeting financial applications.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Keylogging, Sound Recording, SMS Spam, VNC (view-only), File Encryption/Ransomware, Call Interception, Overlay Phishing.
- First Seen: 2017
## MITRE ATT&CK Mapping
* T1483 - Exfiltration Over Alternative Protocol (Applicable for data exfiltration channels)
* T1056 - Input Capture
  - T1056.001 - Keylogging
* T1486 - Data Encrypted for Impact
* T1003 - OS Credential Dumping (Implied through data harvesting)
* T1071 - Application Layer Protocol (For C2 communication)
* T1560 - Archive via Utility (Implied by file manipulation before exfiltration)
## Functionality
### Core Capabilities
* **Accessibility Services Abuse:** Exploits `AccessibilityEvents` to run in the background, monitor user activity, and prevent uninstallation by hijacking navigation away from settings/uninstall prompts.
* **Keylogging:** Records keystrokes when the `TYPE_VIEW_TEXT_CHANGED` accessibility event is fired, storing them in `keys.log`.
* **Overlay Attacks:** Loads a spoofed `WebView` on top of targeted banking applications to steal credentials.
* **Data Exfiltration:** Sends logs (keystrokes, running processes, device info) encrypted via RC4 and Base64 encoded POST requests to specific PHP endpoints on the C2 server.
* **SMS/Call Interception:** Intercepts and forwards phone calls and reads incoming SMS messages, sending SMS content to the C2 server in clear text.
### Advanced Features
* **Dynamic C2 Discovery:** Fetches new command and control server addresses from a specific Twitter account by parsing Chinese characters embedded within benign-looking tweets, decoding, and decrypting them (using a hardcoded RC4 key: "zanubis").
* **Remote Access (VNC):** Can initiate a VNC session using Android MediaProjection APIs (Android 5+), allowing the attacker to **view** the device screen, though not control it due to API restrictions.
* **Ransomware Functionality:** Encrypts files found in `/mnt`, `/mount`, `/sdcard`, and `/storage` using RC4 with a key provided by the C2, appending the `.AnubisCrypt` extension and deleting the originals.
* **RAT Commands:** Supports remote execution of commands such as file operations (`opendir`, `downloadfile`, `deletefilefolder`), starting/stopping VNC/sound recording, and managing bot functions (`killBot`).
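The two RC4 uses described above (Base64-encoded POST bodies and the tweet-borne C2 addresses) share one decoding path, so a single analyst helper covers both. The following Python is an added example, not code from this report or from any Anubis sample. The RC4 key `zanubis` is the one named above; the tweet layout (a Base64 run surrounded by CJK filler), the placeholder C2 host and the sample strings are constructed assumptions, since the report names the layers but not the exact format.

```python
"""Analyst helper for the Base64 + RC4 layering described for Anubis.

Added example, not code from the report or from a malware sample.
"""
import base64
import re

HARDCODED_KEY = b"zanubis"  # RC4 key named in the report


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_payload(b64_text: str, rc4_key: bytes = HARDCODED_KEY) -> bytes:
    """Undo the outer Base64, then the RC4 layer, of a captured POST body or tweet payload."""
    return rc4(rc4_key, base64.b64decode(b64_text))


CJK = re.compile(r"[\u4e00-\u9fff]")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")


def extract_c2_from_tweet(tweet: str, rc4_key: bytes = HARDCODED_KEY) -> str:
    """Recover a C2 address hidden in a tweet.

    ASSUMPTION: the payload is the longest Base64 run left once the CJK cover
    characters are stripped; the report names the layers but not the exact layout.
    """
    runs = B64_RUN.findall(CJK.sub("", tweet))
    if not runs:
        raise ValueError("no Base64 run found in tweet")
    return decode_payload(max(runs, key=len), rc4_key).decode("utf-8")


def make_sample_tweet(url: str, rc4_key: bytes = HARDCODED_KEY) -> str:
    """Build a constructed test tweet for the demo: RC4, then Base64, then CJK filler around it."""
    payload = base64.b64encode(rc4(rc4_key, url.encode("utf-8"))).decode("ascii")
    return "今天天气真好 " + payload + " 大家加油"


if __name__ == "__main__":
    # Placeholder host, not an indicator from the report.
    sample = make_sample_tweet("http://c2.example.invalid/dedebus/")
    print(extract_c2_from_tweet(sample))
```

Because RC4 is symmetric, `rc4` applied to a captured exfiltration body with the hardcoded key yields the plaintext log, and the same routine recovers `.AnubisCrypt` files when the C2-supplied file key is known; only the key differs.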
## Indicators of Compromise
- File Hashes:
  - SHA256: `8cb941658ed8340b67a38a47162ab8850b89a14eee2899f0761fadd4f648fd5e` (for sample `Pandemi-Destek.apk`)
- File Names:
  - `Pandemi-Destek.apk` (sample name for a COVID-19 themed distribution)
  - `keys.log` (internal file for storing keystrokes)
- Registry Keys: N/A (Android-specific persistence mechanisms used instead)
- Network Indicators:
  - Hardcoded C2/VNC server: `http://sosyalkampanya2[.]tk/dedebus/`
  - Distribution URL: `http://sosyalkampanya2[.]ml/pandemi/Pandemi-Destek.apk`
- Behavioral Indicators:
  - Requesting and utilizing Accessibility permissions.
  - Hiding the application icon from the launcher.
  - Monitoring for specific strings in foreground windows to block uninstallation (`com.android.settings`, "uninstall").
## Associated Threat Actors
* Maza-In (Actor rumored to be behind Anubis updates, despite rumors of arrest).
## Detection Methods
- Signature-based detection: Identifying the known APK hash.
- Behavioral detection: Monitoring requests for Accessibility permissions, attempts to hide the launcher icon, and unusual network connections to known C2 infrastructure or dynamic C2 discovery mechanisms (Twitter scraping).
- YARA rules: Can be developed based on hardcoded RC4 keys ("zanubis") or specific strings/endpoints found within the APK payload.
- Network Monitoring: Alerts on POST requests containing Base64/RC4 encrypted payloads directed towards unknown mobile endpoints.
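The network-monitoring point above can be turned into a concrete check that combines the report's known C2 hosts with a heuristic for the Base64/RC4 POST bodies. The following Python is an added example, not code from this report: the proxy log layout, the `.php` suffix check, the 0.8 printable-byte threshold and all sample log lines are constructed assumptions. The two `sosyalkampanya2` hosts are the indicators listed above, kept defanged in source.

```python
"""Detection sketch for Anubis-style HTTP exfiltration, run over constructed proxy log lines.

Added example, not code from the report. Log format and thresholds are assumptions.
"""
import base64
import re
from dataclasses import dataclass

# Indicators from the report, kept defanged in source and refanged only for matching.
KNOWN_C2_HOSTS = {d.replace("[.]", ".") for d in ("sosyalkampanya2[.]tk", "sosyalkampanya2[.]ml")}

# ASSUMED log layout: <timestamp> <client> <method> <url> <body-or-dash>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<body>\S*)$")
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


@dataclass
class Finding:
    line_no: int
    host: str
    reason: str


def host_of(url: str) -> str:
    return re.sub(r"^https?://", "", url).split("/")[0]


def looks_like_rc4_blob(body: str, min_len: int = 16, printable_max: float = 0.8) -> bool:
    """True for Base64 that decodes to mostly non-printable bytes, as RC4 output does.

    Base64 of ordinary form fields decodes to printable text and is not flagged.
    The printable-ratio threshold is an assumption, not a value from the report.
    """
    if not B64_RE.fullmatch(body):
        return False
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:
        return False
    if len(raw) < min_len:
        return False
    printable = sum(1 for b in raw if 32 <= b < 127)
    return printable / len(raw) < printable_max


def analyze(lines):
    """Flag hits on known C2 hosts, then opaque POST bodies to PHP endpoints on unknown hosts."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue
        host = host_of(m["url"])
        if host in KNOWN_C2_HOSTS:
            findings.append(Finding(n, host, "known Anubis C2 host"))
        elif (m["method"] == "POST" and m["url"].split("?")[0].endswith(".php")
              and looks_like_rc4_blob(m["body"])):
            findings.append(Finding(n, host, "Base64 POST body to PHP endpoint decodes to non-text bytes"))
    return findings


# Constructed sample data: a stand-in for RC4 output, and a benign Base64-encoded login form.
OPAQUE_B64 = base64.b64encode(bytes(range(0, 256, 4))).decode("ascii")
FORM_B64 = base64.b64encode(b"username=alice&otp=123456").decode("ascii")
C2_HOST = "sosyalkampanya2[.]tk".replace("[.]", ".")  # from the report; script name below is constructed
SAMPLE_LOGS = [
    "2020-04-01T10:00:00Z 10.0.0.5 GET http://www.example.com/index.html -",
    "2020-04-01T10:00:05Z 10.0.0.5 POST http://" + C2_HOST + "/dedebus/a1.php " + OPAQUE_B64,
    "2020-04-01T10:00:09Z 10.0.0.6 POST http://portal.example.com/login.php " + FORM_B64,
    "2020-04-01T10:00:12Z 10.0.0.7 POST http://198.51.100.23/upload/o3.php " + OPAQUE_B64,
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"line {f.line_no}: {f.host}: {f.reason}")
```

The printable-byte ratio is deliberately preferred over Shannon entropy here: short plaintext bodies are close to their maximum entropy and would trigger an entropy threshold, whereas RC4 output has roughly 37% printable bytes regardless of length.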
## Mitigation Strategies
- **User Education:** Educate users about the risk of sideloading APKs from non-official sources, especially those disguised as COVID-19 support apps.
- **Principle of Least Privilege:** Restrict access to Accessibility Services to applications whose core functionality requires it, and block installation of apps that request it without such a need.
- **Application Hardening:** Implement strong policies against overlay attacks, though this is more difficult on unrooted Android devices.
- **Network Filtering:** Block connections to known C2 domains, and monitor for communication patterns indicative of dynamic C2 discovery (e.g., scraping specific Twitter accounts).
## Related Tools/Techniques
* Other Android Banking Trojans utilizing Accessibility services (e.g., Cerberus, FluBot).
* Malware families using steganography or social media obfuscation for C2 updates.