Full Anubis Android malware analysis
Anubis is an Android malware (a banking trojan) that collects sensitive data, such as financial data, from the victim's mobile device using read/write SMS access and keylogging. Anubis targets Turkish speakers and spreads through malicious websites which download the Anubis malware directly, or through Google Play, which downloads a dropper that then downloads the Anubis malware. The sample is from VT.
Download the sample from GitHub.
We decompile the APK file using apktool d anubis.apk. Then we open the decoded AndroidManifest.xml file and see many permissions which show the capabilities of the malware.
The malware has the capability to access location, read/write SMS, make phone calls, record audio, read contacts, and access the internet.
We go back to the APK file and unzip it, then convert the Dalvik executable classes.dex to a Java bytecode JAR using d2j-dex2jar classes.dex. Then we open classes.jar in JD-GUI to examine the Java code.
Uninstall the app
When you try to uninstall the app, it forces you back to the home screen. It uses Accessibility Services running in the background: when an AccessibilityEvent is fired, the malware checks it and acts on it. In Anubis, if the event contains the malware's app name, settings (com.android.settings), or remove/uninstall, it triggers going back to the home screen.
The malware has lots of capabilities, as we see: VNC, keylogging, spam SMS, request location, disable Play Protect, and more.
By searching for http, we can find the C2 server hxxp://sosyalkampanya2.tk/dedebus/, which is used as a VNC client.
The malware will try to get new C2 servers through Twitter. It queries a Twitter page which contains Chinese tweets and searches for the text between two tags 苏尔苏尔完, then loops over the Chinese characters, converting each to its related English character. The output is Base64, which is decoded; the next output is RC4-encrypted and will be decrypted using key
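The decoding chain described above (text between the tags, character substitution, Base64, then RC4), written here as an added analysis helper that is not code from the original post or from the malware. The real character table and RC4 key are not given on the page, so both are constructed placeholders, and the sample tweet is built from a placeholder C2 string.

```python
import base64

# Constructed stand-ins (not from the sample): the real character table and
# RC4 key are not given on the page, so placeholders are used here.
TAG = "苏尔苏尔完"
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="
# Hypothetical table: consecutive CJK code points stand in for the Base64 alphabet.
CHAR_MAP = {chr(0x4E00 + i): c for i, c in enumerate(B64_ALPHABET)}
RC4_KEY = b"PLACEHOLDER_KEY"  # placeholder; the real key is not on the page

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def extract_between_tags(page_text: str, tag: str = TAG) -> str:
    """Return the text between the first two occurrences of the tag."""
    start = page_text.find(tag) + len(tag)
    end = page_text.find(tag, start)
    if start < len(tag) or end == -1:
        raise ValueError("tag pair not found")
    return page_text[start:end]

def decode_c2(page_text: str, key: bytes = RC4_KEY) -> str:
    """Tagged CJK text -> substituted Base64 -> RC4 -> C2 string."""
    payload = extract_between_tags(page_text)
    b64 = "".join(CHAR_MAP[ch] for ch in payload)  # KeyError on unknown char
    return rc4(key, base64.b64decode(b64)).decode("utf-8")

def encode_c2(plain: str, key: bytes = RC4_KEY) -> str:
    """Inverse of decode_c2, used only to build the constructed sample tweet."""
    inv = {v: k for k, v in CHAR_MAP.items()}
    b64 = base64.b64encode(rc4(key, plain.encode("utf-8"))).decode("ascii")
    return TAG + "".join(inv[c] for c in b64) + TAG

# Constructed tweet text with a placeholder C2 (not the sample's real server).
SAMPLE_TWEET = "今天天气不错 " + encode_c2("hxxp://c2-placeholder.invalid/dedebus/") + " 谢谢"
```

Swapping in the real table and key recovered from the decompiled classes turns `decode_c2` into a config extractor for this family's Twitter-hosted C2 updates.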
Anubis as a Keylogger
When you try to enter text in any textbox, the event TYPE_VIEW_TEXT_CHANGED (event type 16) is triggered, and the malware saves the text into keys.log and then sends it to the C2 server.
The malware receives many encrypted commands from the C2 server and decrypts them, as we saw when getting a new C2 server, such as getIP. In a long string of commands, the commands are separated by
Intercepting and forwarding calls and SMS
The malware can intercept and forward calls and SMS, which are used in bank verifications. For SMS, it can forward the OTP SMS. For calls, it handles verification and warning calls.
Anubis as a ransomware
The malware acts as ransomware, which can encrypt files located in
The malware uses RC4 encryption to encrypt the files with a key received from the C2 server, then saves the encrypted data and deletes the original data. The same key is used for both encryption and decryption.
Anubis with overlay attack
The malware searches for specific apps by comparing the installed apps against a list of hardcoded apps (most of them banking apps) to perform an overlay attack. The malware opens an active window over the legitimate app; the malicious window looks the same as the legitimate one. In this way the malware can steal the victim's credentials, such as payment data or login data.
Disable Play Protect
This malware is installed on the device, so why wasn't it flagged as malware by Play Protect? The malware disables Play Protect.
|No.|Description|Hash and URLs|
|---|---|---|
|1|The APK hash (MD5)|ba7b1ba0830e11da60dec1c90632515d|
|3|Related C2 server|hxxp://twitter.com/qweqweqwe|
|4|Related C2 server|hxxp://twitter.com/ankaratakipte|
And whoever is not in the company of God is lost.