Anubis Android Malware Threat Intel Advisory

CloudSEK threat intelligence advisory on Anubis Android banking trojan that lures its victims through malicious applications.
Updated on: April 19, 2023
Published on: January 21, 2021
Malware Intelligence
Android Banking Trojan
Target System
Affected Industry
Affected Regions
Turkey, Italy, US, India, France, Germany, Australia, and Poland

Executive Summary

CloudSEK Threat Intelligence researchers have picked up dark web chatter regarding an Android banking trojan known as Anubis. Anubis is offered as Malware as a Service (MaaS), so anyone can use and distribute it. Although primarily a banking trojan, Anubis recently spread through a COVID-19 map application that lured victims into downloading the malicious app. The client and server source code of the malware is publicly available, and threat actors use it to retool the malware, add features or edit the source to build new functionality that serves their own ends. The malware is still actively modified by attackers on dark web forums to make it more effective.


Technical Impact
  • Encrypt the victim’s data and delete files
  • Establish a VNC session between the victim’s device and the attacker
  • Forward calls and SMS messages to the attacker’s server
Business Impact
  • Expose the victim’s private data
  • Steal banking credentials


  • Keep pace with the latest security updates
  • Use latest version operating systems
  • Install application only from authorized app stores

Technical Analysis


This malware spreads in two different ways:
  • Drive-by download, where the malicious APK is downloaded directly onto the victim’s device from malicious websites.
  • Through the Google Play store, where it appears as a legitimate application which, after installation, downloads and installs the malicious payload as a second stage.
Once the app is installed, it asks for accessibility permissions so that it can run in the background and receive calls from the system. It also hides the application’s icon from the launcher, making it difficult for a regular user to remove it.


Once running, the malware can:
  • Exfiltrate data after encrypting it
  • Receive commands from the C2 server
  • Log keystrokes
  • Encrypt data, appending the extension .AnubisCrypt, which turns it into ransomware
  • Start a VNC session in which the attacker can only view the victim’s screen, not control it
  • Intercept calls and SMS messages and forward them to the attacker’s server
  • Carry out an overlay attack to steal credentials if a banking application is present on the victim’s device. The overlay is a WebView loaded on top of the legitimate application, so the victim interacts with the malicious screen instead of the genuine one
  • Prevent the victim from uninstalling the malicious application by listening for accessibility events
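The behaviours listed above map to a recognisable permission profile (accessibility service, overlay, SMS and call access, boot persistence, device admin). The following triage check is an added example, not code from the CloudSEK advisory; it assumes the manifest has already been decoded to text XML (as apktool produces) and runs on a constructed sample manifest:

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Real Android permission strings grouped by the capability they enable;
# the grouping itself is this example's own choice.
PERMISSION_GROUPS = {
    "sms_interception": {"android.permission.RECEIVE_SMS",
                         "android.permission.READ_SMS",
                         "android.permission.SEND_SMS"},
    "call_control": {"android.permission.CALL_PHONE",
                     "android.permission.PROCESS_OUTGOING_CALLS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "boot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

def assess_manifest(manifest_xml: str) -> dict:
    """Flag capability indicators in a decoded AndroidManifest.xml.
    Returns one bool per indicator plus a triage verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    findings = {g: bool(requested & perms) for g, perms in PERMISSION_GROUPS.items()}
    # An accessibility service lets the app run in the background, watch
    # accessibility events and interfere with its own uninstall.
    findings["accessibility_service"] = any(
        s.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    # A device-admin receiver is the usual way to resist removal (T1401).
    findings["device_admin"] = any(
        r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
        for r in root.iter("receiver"))
    # Accessibility + overlay + SMS together is the banking-trojan profile;
    # any one of them alone is common in legitimate apps, so do not alert on it.
    core = ("accessibility_service", "overlay", "sms_interception")
    findings["verdict"] = "review" if all(findings[k] for k in core) else "low"
    return findings

# Constructed sample manifest for illustration, not taken from a real Anubis sample.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.covidmap">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Call `assess_manifest()` on each decoded manifest in a batch and route the "review" verdicts to an analyst; the check is a triage filter, not a malware verdict on its own.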

Tactics, Techniques and Procedures

Initial Access
  • T1475 Deliver Malicious App via Authorized App Store
  • T1456 Drive-by Compromise
  • T1444 Masquerade as Legitimate Application
  • T1402 Broadcast Receivers
  • T1401 Abuse Device Administrator Access to Prevent Removal
Defense Evasion
  • T1418 Application Discovery
  • T1447 Delete Device Data
  • T1407 Download New Code at Runtime
  • T1444 Masquerade as Legitimate Application
  • T1508 Suppress Application Icon
Credential Access
  • T1412 Capture SMS Messages
  • T1418 Application Discovery
  • T1420 File and Directory Discovery
Command and Control
  • T1521 Standard Cryptographic Protocol
  • T1481 Web Service
  • T1532 Data Encrypted
  • T1471 Data Encrypted for Impact
  • T1447 Delete Device Data
  • T1582 SMS Control

List of Commands Received from the C2 Server

opendir, stopsocks5, downloadfile, deletefilefolder, recordsound, startscreenVNC, stopscreenVNC, startapplication, startsound, startforegroundsound, getkeylogger, stopsound, startinj, startforward, Send_GO_SMS, nymBePsG0, openbrowser, GetSWSGO, telbookgotext, cryptokey, getapps, getpermissions, spam, startaccessibility, startpermission, replaceurl, ALERT, PUSH, killBot, startAutoPush, RequestPermissionInj, startrat, RequestPermissionGPS, ussd, stopforward, sockshost, openactivity, getIP, decryptokey

Indicators of Compromise

