# S0422 Anubis

Anubis is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.[1]

| Item | Value |
|---|---|
| ID | S0422 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.3 |
| Created | 08 April 2020 |
| Last Modified | 20 September 2021 |

## Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1432 | Access Contact List | Anubis can steal the device's contact list.[1] |
| mobile | T1418 | Application Discovery | Anubis can collect a list of installed applications to compare to a list of targeted applications.[1] |
| mobile | T1616 | Call Control | Anubis can make phone calls.[1] |
| mobile | T1429 | Capture Audio | Anubis can record phone calls and audio.[1] |
| mobile | T1532 | Data Encrypted | Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1] |
| mobile | T1471 | Data Encrypted for Impact | Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1] |
| mobile | T1533 | Data from Local System | Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][2] |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | Anubis has been delivered via the Google Play Store.[2] |
| mobile | T1476 | Deliver Malicious App via Other Means | Anubis was distributed via a phishing link in an email.[1] |
| mobile | T1407 | Download New Code at Runtime | Anubis can download attacker-specified APK files.[2] |
| mobile | T1523 | Evade Analysis Environment | Anubis has used motion sensor data to attempt to determine if it is running in an emulator.[2] |
| mobile | T1417 | Input Capture | Anubis has a keylogger that works in every application installed on the device.[1] |
| mobile | T1411 | Input Prompt | Anubis can create overlays to capture user credentials for targeted applications.[1] |
| mobile | T1478 | Install Insecure or Malicious Configuration | Anubis can modify administrator settings and disable Play Protect.[1] |
| mobile | T1430 | Location Tracking | Anubis can retrieve the device's GPS location.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[1][2] |
| mobile | T1424 | Process Discovery | Anubis can collect a list of running processes.[3] |
| mobile | T1513 | Screen Capture | Anubis can take screenshots.[1] |
| mobile | T1582 | SMS Control | Anubis can send, receive, and delete SMS messages.[1] |
| mobile | T1426 | System Information Discovery | Anubis can collect the device's ID.[1] |
| mobile | T1481 | Web Service | Anubis can retrieve the C2 address from Twitter and Telegram.[1][2] |

## References

1. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved April 8, 2020.
2. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
3. zLabs. (2019, November 12). How Zimperium's z9 Detected Unknown Mobile Malware Overlooked by the AV Industry. Retrieved January 20, 2021.