Skip to content

S0422 Anubis

Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.1

Item Value
ID S0422
Associated Names
Version 1.3
Created 08 April 2020
Last Modified 20 September 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1432 Access Contact List Anubis can steal the device’s contact list.1
mobile T1418 Application Discovery Anubis can collect a list of installed applications to compare to a list of targeted applications.1
mobile T1616 Call Control Anubis can make phone calls.1
mobile T1429 Capture Audio Anubis can record phone calls and audio.1
mobile T1532 Data Encrypted Anubis exfiltrates data encrypted (with RC4) by its ransomware module.1
mobile T1471 Data Encrypted for Impact Anubis can use its ransomware module to encrypt device data and hold it for ransom.1
mobile T1533 Data from Local System Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.12
mobile T1475 Deliver Malicious App via Authorized App Store Anubis has been delivered via the Google Play Store.2
mobile T1476 Deliver Malicious App via Other Means Anubis was distributed via phishing link in an email.1
mobile T1407 Download New Code at Runtime Anubis can download attacker-specified APK files.2
mobile T1523 Evade Analysis Environment Anubis has used motion sensor data to attempt to determine if it is running in an emulator.2
mobile T1417 Input Capture Anubis has a keylogger that works in every application installed on the device.1
mobile T1411 Input Prompt Anubis can create overlays to capture user credentials for targeted applications.1
mobile T1478 Install Insecure or Malicious Configuration Anubis can modify administrator settings and disable Play Protect.1
mobile T1430 Location Tracking Anubis can retrieve the device’s GPS location.1
mobile T1444 Masquerade as Legitimate Application Anubis has requested accessibility service privileges while masquerading as “Google Play Protect” and has disguised additional malicious application installs as legitimate system updates.12
mobile T1424 Process Discovery Anubis can collect a list of running processes.3
mobile T1513 Screen Capture Anubis can take screenshots.1
mobile T1582 SMS Control Anubis can send, receive, and delete SMS messages.1
mobile T1426 System Information Discovery Anubis can collect the device’s ID.1
mobile T1481 Web Service Anubis can retrieve the C2 address from Twitter and Telegram.12


Back to top