Full Anubis android malware analysis

4 minute read

As-salamu Alaykum


Anubis is an android malware or bank trojan collects sensitive data from the victim’s mobile such as financial data using read/write SMS and keylogging. Anubis targets turkish speaker and spreads through malicious websites which download directly anubis malware or through google play which download the dropper then the dropper downloads the anubis malware. The sample from VT

Download the sample from github

Static analysis

We try to decompile the apk file using apktool command apktool d anubis.apk. Then we open the decoded AndroidManifest.xml file, we see many permissions which show the capability of the malware.

Figure(1): permissions of the malware

The malware has the capability of access location, read/write SMS, call phone, record autio, read contacts, and internet.

We get back to the apk file and unzip it. And convert the dalvik executable classes.dex file to java bytecode file using dex2jar command d2j-dex2jar classes.dex. Then open the classes.jar in jd-GUI to examine java code.

Uninstall the app

When trying to uninstall the program, it forces you going to home screen. Using Accessibility services run in background when AccessibilityEvent is fired then do something. In anubis, if malware app name, settings com.android.settings, or remove/uninstall then go back to home screen trigaring to_home_screen().

Figure(2): attempting to uninstall the malware


The malware lots of Capabilities as we see VNC, keylogging, spam SMS, request location, disable play protect, and more.

Figure(3): Malware Capabilities

C2 server

By searching with http, we can find the C2 server hxxp://sosyalkampanya2.tk/dedebus/ which is used as VNC client.

Figure(4): C2 server

The malware will try to get new C2 servers, which will be through twitter. It will query the twitter page which contains Chinese tweets and search for text from two tags 苏尔的开始 and 苏尔苏尔完 then loops to convert the Chinese chars with its related in English. Then the output will be in Base64 which will be decoded and the next output will be in RC4 encryption and will be decrypted using key zanibus

Figure(5): Get new C2 server from twitter

Figure(6): Decode and decrypt the output

Anubis as a Keylogger

When you try to enter text in any textbox, the event TYPE_VIEW_TEXT_CHANGED and its event type is 16 will be triggered and save the text into keys.log then send it to the C2 server.

Figure(7): Keylogging function

Figure(8): If C2 sends a command contains Clear, then deletes key strokes saved

Receiving commands

The malware receives many encrypted commands from the C2 server and then decrypts it as we see when getting new C2 server such as opendir, downloadfile, deletefilefolder, getIP. In long string of commands, commands are separated by ::.

Figure(9): receives encrypted commands and decryptes it

Intercepting and forwarding Calls and SMS

The malware can Intercepting and forwarding Calls and SMS which used in bank varifications. In SMS, can forward the OTP SMS. In Calls, varification and warning calls

Figure(10): Intercepting and forwarding Calls

Anubis as a ransomware

The malware acts as a ransomware which can encrypt files located in /mnt, /mount, /sdcard, and /storage.

Figure(11): Anubis as a ransomware

The malware will use RC4 encryption to encrypt the files with a key which is received from the C2 server then save the encrypted data and deletes the original data. The key is used as a decryption and encryptio data.

Figure(12): Anubis encrypts and decrypts data

Anubis with overlay attack

The malware searches for specific apps by comparing the installed apps to list of hardcoded apps -most of them is banking apps- to perform overlay attack. The malware opens an active window over a legitimate program. The opened malicious window is the same as the legitimate program. The malware can steal the victim’s credential data such as payment data or login data.

Figure(13): Targeted apps

Figure(14): Webview over the legitimate program

Disable play protect

This is an installed malware on the device, then how it didn’t flag as a malware by play protect? The malware disables play protect

Figure(15): Anubis disables play protect


No. Description Hash and URLs
1 The APK hash (MD5) ba7b1ba0830e11da60dec1c90632515d
2 C2 server hxxp://sosyalkampanya2.tk/dedebus/
3 related C2 Server hxxp://twitter.com/qweqweqwe
4 related C2 Server hxxp://twitter.com/ankaratakipte

Article quote

ومن لم يكن في معيّة الله فهو هالك