How It Spreads
There has been a worrying number of legitimate-looking apps on the Google Play store that harbour malicious code, and Anubis is no different. Anubis is usually smuggled in via official-looking apps that offer banking or shopping services.
These malicious apps dodge Google Play’s security checks and antivirus scans by not containing any malware to begin with; what they do contain is code that can later fetch the malware from a command and control server. Once the app has passed every security check, it is made available for users to download. When a user installs an app carrying the Anubis fetch code, the app contacts the server and downloads the payload. It’s not quite ready yet, though: Anubis needs some freedom on the system in order to do its job, and to get that freedom it has to ask the user to grant it permission to do as it pleases. Rather than trying to avoid this required request, Anubis asks for the extra permissions openly, but it uses the name “Google Play Protect” when asking. Naturally, when the user sees the dialogue box pop up asking for more permissions, they believe it is simply Google Play updating itself. They accept the heightened permissions, thus allowing Anubis to do its work.
What Anubis Does
Anubis is what is known as a BankBot. These are designed to keep an eye out for the user entering their bank details and then copy those details for a hacker to use. Typically, BankBots achieve this by looking for banking apps installed on the phone. If one is found, the malware prepares an overlay that looks identical to that app’s login page. When the user opens the app, the malware shows the overlay, and the user enters their details into it.
Anubis is special because it doesn’t use an overlay. Instead, it directly reads the keystrokes the user makes on the on-screen keyboard. This is known as “keylogging” and has been a staple of harvesting information from PCs for many years now. Anubis can also take screenshots of the app and send them to the hacker. This helps with any visual security steps that the keylogger can’t detect. It’s also effective for spying on what the user types on a software keyboard, as keys typically show a visual cue when they’re touched. This combination of attacks helps the hacker gather enough details to access the victim’s bank account.
Dodging the Attack
The attacks began with people downloading official-looking apps that had been laced with malware-downloading code. The key point here is that the apps in question had only been in the store for a few days and had very few user reviews and downloads. In an age where even Google Play apps can carry code that downloads malware, it’s best to play it safe and not install apps that have a low number of reviewers and/or were released only very recently. Even official-looking apps can harbour malicious code! Similarly, if you see a permissions screen for “Google Play Protect” appear, asking for permission to observe your actions and retrieve window content, don’t allow it; there’s a very good chance this is Anubis pretending to be Google Play.
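The “observe your actions / retrieve window content” prompt described above is the wording Android shows when an app asks to become an accessibility service, so one way to check whether something like Anubis has already been granted that access is to audit the device’s list of enabled accessibility services. The script below is an added example and not part of the original article; it assumes the `enabled_accessibility_services` secure setting (readable over adb) lists granted services as colon-separated “package/Class” entries, and the sample values in it are constructed.

```python
"""Audit which apps hold Android accessibility-service access.

Assumption (not from the article): granted services are stored in the secure
setting `enabled_accessibility_services` as "package/Class" entries separated
by colons, and `settings get` prints "null" when nothing is enabled.
"""
import subprocess
from typing import List, Tuple

# Packages that legitimately run an accessibility service on a stock device.
# Extend this for your own fleet; anything else holding the grant deserves a look.
# The real Play Protect lives inside Google Play services and never needs it.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_enabled_services(value: str) -> List[Tuple[str, str]]:
    """Split the raw setting value into (package, class) pairs."""
    value = value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            pairs.append((pkg, cls))
    return pairs


def flag_suspicious(pairs, known_good=KNOWN_GOOD_PACKAGES) -> List[str]:
    """Return packages with accessibility access that are not on the allowlist."""
    return sorted({pkg for pkg, _ in pairs if pkg not in known_good})


def read_from_device() -> str:
    """Pull the live value over adb (needs USB debugging; not used in tests)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Constructed sample: TalkBack plus an unknown app that obtained the grant.
    sample = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.fakebank/.ProtectService")
    print("Unexpected accessibility services:",
          flag_suspicious(parse_enabled_services(sample)))
```

Replace the constructed sample with `read_from_device()` to audit a real handset; any unexpected package in the result is a candidate for removal and closer inspection.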
Banking on Security
Anubis is a particularly nasty example of Android malware, but it can be very easily dodged. Be careful about what you download, and don’t install apps that haven’t been in the store for long, no matter how official they look. Does this make you more wary of Google Play apps? Let us know below.