S0422 Anubis
Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

| Item | Value |
|---|---|
| ID | S0422 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.3 |
| Created | 08 April 2020 |
| Last Modified | 20 September 2021 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1532 | Archive Collected Data | Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1] |
| mobile | T1429 | Audio Capture | Anubis can record phone calls and audio.[1] |
| mobile | T1616 | Call Control | Anubis can make phone calls.[1] |
| mobile | T1471 | Data Encrypted for Impact | Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1] |
| mobile | T1533 | Data from Local System | Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][2] |
| mobile | T1407 | Download New Code at Runtime | Anubis can download attacker-specified APK files.[2] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.003 | Disable or Modify Tools | Anubis can modify administrator settings and disable Play Protect.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Anubis has a keylogger that works in every application installed on the device.[1] |
| mobile | T1417.002 | GUI Input Capture | Anubis can create overlays to capture user credentials for targeted applications.[1] |
| mobile | T1430 | Location Tracking | Anubis can retrieve the device's GPS location.[1] |
| mobile | T1424 | Process Discovery | Anubis can collect a list of running processes.[3] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Anubis can steal the device's contact list.[1] |
| mobile | T1513 | Screen Capture | Anubis can take screenshots.[1] |
| mobile | T1582 | SMS Control | Anubis can send, receive, and delete SMS messages.[1] |
| mobile | T1418 | Software Discovery | Anubis can collect a list of installed applications to compare to a list of targeted applications.[1] |
| mobile | T1426 | System Information Discovery | Anubis can collect the device's ID.[1] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[2] |
| mobile | T1481 | Web Service | - |
| mobile | T1481.001 | Dead Drop Resolver | Anubis can retrieve the C2 address from Twitter and Telegram.[1][2] |
References

- [1] M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
- [2] K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
- [3] zLabs. (2019, November 12). How Zimperium's z9 Detected Unknown Mobile Malware Overlooked by the AV Industry. Retrieved January 20, 2021.