Full Anubis Android malware analysis
As-salamu Alaykum
Introduction
Anubis is an Android malware (a banking trojan) that collects sensitive data, such as financial data, from the victim's mobile device using read/write SMS access and keylogging. Anubis targets Turkish speakers and spreads through malicious websites that download the Anubis malware directly, or through Google Play, which downloads a dropper that then downloads the Anubis malware. The sample from VT
Download the sample from github
Static analysis
We try to decompile the apk file using apktool with the command apktool d anubis.apk. Then we open the decoded AndroidManifest.xml file, where we see many permissions which show the capability of the malware.
The malware has the capability to access location, read/write SMS, call phones, record audio, read contacts, and access the internet.
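As an added example (not code from the original analysis), a small Python script that parses a decoded AndroidManifest.xml in the layout apktool produces and flags the permission combination and accessibility-service declaration that make a sample like this look like a banking trojan. The embedded manifest, its package name, service name and label are constructed placeholders; only the permission set mirrors what the analysis lists.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions whose combination is typical of an Android banking trojan.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS (spam / forwarding)",
    "android.permission.CALL_PHONE": "place calls",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(xml_text):
    """Return the declared permissions, the risky subset, and whether an
    accessibility service is declared (the hook Anubis uses for keylogging
    and for sending the user home when they try to uninstall it)."""
    root = ET.fromstring(xml_text)
    perms = [p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")]
    risky = {p: RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    has_accessibility = any(
        svc.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
        for svc in root.iter("service")
    )
    # Heuristic (an assumption for this example): SMS access plus an
    # accessibility service plus at least four risky permissions escalates
    # the sample for manual review.
    sms = any(p.endswith("_SMS") for p in risky)
    verdict = "suspicious" if (sms and has_accessibility and len(risky) >= 4) else "review"
    return {
        "package": root.get("package"),
        "permissions": perms,
        "risky": risky,
        "accessibility_service": has_accessibility,
        "verdict": verdict,
    }


# Constructed sample manifest (apktool-style decoded XML); names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:label="Sample">
        <service android:name=".Acc"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    report = triage_manifest(SAMPLE_MANIFEST)
    print("package:", report["package"], "verdict:", report["verdict"])
    for perm, why in report["risky"].items():
        print("  ", perm, "->", why)
    print("accessibility service declared:", report["accessibility_service"])
```

Run it against the AndroidManifest.xml that apktool writes into the output directory; the INTERNET permission is deliberately not counted as risky on its own, since almost every app declares it.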
We get back to the apk file and unzip it, then convert the Dalvik executable classes.dex file to a Java bytecode file using dex2jar with the command d2j-dex2jar classes.dex. Then open the classes.jar in JD-GUI to examine the Java code.
Uninstall the app
When trying to uninstall the program, it forces you back to the home screen. This is done with an accessibility service running in the background: when an AccessibilityEvent is fired, the handler inspects it and reacts. In Anubis, if the event involves the malware's app name, Settings (com.android.settings), or remove/uninstall, it goes back to the home screen by triggering to_home_screen().
Capabilities
The malware has lots of capabilities, as we see: VNC, keylogging, spam SMS, request location, disable Play Protect, and more.
C2 server
By searching for http, we can find the C2 server hxxp://sosyalkampanya2.tk/dedebus/, which is used as the VNC client.
The malware will try to get new C2 servers through Twitter. It queries a Twitter page that contains Chinese tweets and searches for the text between two tags, 苏尔的开始 and 苏尔苏尔完, then loops to convert each Chinese character to its related English character. The output is Base64, which is decoded; the next output is RC4-encrypted and is decrypted using the key zanibus.
Anubis as a Keylogger
When you try to enter text in any textbox, the event TYPE_VIEW_TEXT_CHANGED (event type 16) is triggered; the malware saves the text into keys.log and then sends it to the C2 server.
Receiving commands
The malware receives many encrypted commands from the C2 server and decrypts them the same way as we saw when getting a new C2 server. Examples are opendir, downloadfile, deletefilefolder, and getIP. In a long string of commands, the commands are separated by ::.
Intercepting and forwarding Calls and SMS
The malware can intercept and forward calls and SMS, which are used in bank verifications. For SMS, it can forward the OTP SMS. For calls, it handles verification and warning calls.
Anubis as a ransomware
The malware acts as ransomware which can encrypt files located in /mnt, /mount, /sdcard, and /storage.
The malware uses RC4 encryption to encrypt the files with a key received from the C2 server, then saves the encrypted data and deletes the original data. The same key is used for both encryption and decryption.
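The Twitter-based C2 retrieval, the :: separated command format, and the RC4 file encryption all rely on the same RC4 routine, so here is one added Python example (not code from the original post and not the malware's own code) that works through the decoding chain end to end and adds a file-recovery helper for the ransomware case. The Chinese-to-English character table is not given in the write-up, so a constructed 65-entry table stands in for it; the tweet, the command blob, the C2 host and the file key are constructed sample data, and only the tags and the key zanibus come from the analysis.

```python
import base64

# Standard RC4 (key scheduling + keystream). Per the analysis, Anubis uses the
# key "zanibus" for both the Twitter payload and the C2 commands.
def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


C2_KEY = b"zanibus"
START_TAG = "苏尔的开始"
END_TAG = "苏尔苏尔完"

# Constructed stand-in for the malware's Chinese-to-English table (the real one
# must be recovered from the decompiled code): one CJK code point per Base64 char.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
CJK_TO_B64 = {chr(0x4E00 + i): ch for i, ch in enumerate(B64_ALPHABET)}
B64_TO_CJK = {v: k for k, v in CJK_TO_B64.items()}


def decode_tweet(tweet: str) -> str:
    """Text between the tags -> Base64 via the char table -> decode -> RC4 decrypt."""
    start = tweet.index(START_TAG) + len(START_TAG)
    end = tweet.index(END_TAG, start)
    b64 = "".join(CJK_TO_B64[c] for c in tweet[start:end] if c in CJK_TO_B64)
    return rc4(C2_KEY, base64.b64decode(b64)).decode()


def decode_command_blob(blob: str) -> list:
    """C2 commands use the same Base64+RC4 layer; the plaintext is split on '::'."""
    plain = rc4(C2_KEY, base64.b64decode(blob)).decode()
    return [cmd for cmd in plain.split("::") if cmd]


def recover_file(ciphertext: bytes, key: bytes) -> bytes:
    """RC4 is symmetric: the key the C2 sent for encryption also decrypts the file."""
    return rc4(key, ciphertext)


def encode_for_tweet(plaintext: str) -> str:
    """Inverse of decode_tweet; used here only to build the constructed sample."""
    b64 = base64.b64encode(rc4(C2_KEY, plaintext.encode())).decode()
    return START_TAG + "".join(B64_TO_CJK[c] for c in b64) + END_TAG


# Constructed sample data: placeholder C2 host, a three-command blob and an
# "encrypted" file built with a made-up key. None of it is from the real sample.
SAMPLE_TWEET = "今天天气很好 " + encode_for_tweet("hxxp://c2.example.invalid/dedebus/") + " 谢谢"
SAMPLE_COMMAND_BLOB = base64.b64encode(rc4(C2_KEY, b"opendir::downloadfile::getIP")).decode()
SAMPLE_FILE_KEY = b"constructed-key-from-c2"
SAMPLE_ENCRYPTED_FILE = rc4(SAMPLE_FILE_KEY, b"invoice.pdf contents")

if __name__ == "__main__":
    print("next C2 :", decode_tweet(SAMPLE_TWEET))
    print("commands:", decode_command_blob(SAMPLE_COMMAND_BLOB))
    print("file    :", recover_file(SAMPLE_ENCRYPTED_FILE, SAMPLE_FILE_KEY))
```

For an incident, the useful parts are decode_tweet (run over the tweets of the accounts listed in the IoCs to learn the next C2 before the infected device does) and recover_file, which only works if the RC4 key was captured from C2 traffic or from memory, since the sample does not keep it on disk.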
Anubis with overlay attack
The malware searches for specific apps by comparing the installed apps to a list of hardcoded apps (most of them banking apps) to perform an overlay attack. The malware opens an active window over the legitimate program; the malicious window looks the same as the legitimate program. This way the malware can steal the victim's credentials, such as payment data or login data.
Disable play protect
The malware is installed on the device, so how was it not flagged as malware by Play Protect? The malware disables Play Protect.
IoCs
No. | Description | Hash and URLs |
---|---|---|
1 | The APK hash (MD5) | ba7b1ba0830e11da60dec1c90632515d |
2 | C2 server | hxxp://sosyalkampanya2.tk/dedebus/ |
3 | related C2 Server | hxxp://twitter.com/qweqweqwe |
4 | related C2 Server | hxxp://twitter.com/ankaratakipte |
Article quote
And whoever is not in the company of God is lost.