S0422 Anubis
Anubis is Android malware that was originally used for cyber espionage and has been retooled as a banking trojan.[1]
| Item | Value |
|---|---|
| ID | S0422 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.3 |
| Created | 08 April 2020 |
| Last Modified | 25 September 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1453 | Abuse Accessibility Features | After the accessibility service is granted, Anubis lures the victim into changing the Accessibility settings on the device, disables application removal, and executes screen taps and other commands without the victim's knowledge.[2] |
| mobile | T1532 | Archive Collected Data | Anubis exfiltrates data encrypted (with RC4) by its ransomware module.[1] |
| mobile | T1429 | Audio Capture | Anubis can record phone calls and audio.[1] |
| mobile | T1616 | Call Control | Anubis can make phone calls.[1] |
| mobile | T1471 | Data Encrypted for Impact | Anubis can use its ransomware module to encrypt device data and hold it for ransom.[1] |
| mobile | T1533 | Data from Local System | Anubis can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.[1][3] |
| mobile | T1407 | Download New Code at Runtime | Anubis can download attacker-specified APK files.[3] |
| mobile | T1629 | Impair Defenses | - |
| mobile | T1629.001 | Prevent Application Removal | Anubis may prevent its own uninstallation by abusing Android's performGlobalAction(int) API call. |
| mobile | T1629.003 | Disable or Modify Tools | Anubis can modify administrator settings and disable Play Protect.[1] |
| mobile | T1417 | Input Capture | - |
| mobile | T1417.001 | Keylogging | Anubis has a keylogger that works in every application installed on the device.[1] |
| mobile | T1417.002 | GUI Input Capture | Anubis can create overlays to capture user credentials for targeted applications.[1] |
| mobile | T1430 | Location Tracking | Anubis can retrieve the device's GPS location.[1] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | Anubis has requested accessibility service privileges while masquerading as "Google Play Protect" and has disguised additional malicious application installs as legitimate system updates.[1][3] |
| mobile | T1424 | Process Discovery | Anubis can collect a list of running processes.[4] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.003 | Contact List | Anubis can steal the device's contact list.[1] |
| mobile | T1513 | Screen Capture | Anubis can take screenshots.[1] |
| mobile | T1582 | SMS Control | Anubis can send, receive, and delete SMS messages.[1] |
| mobile | T1418 | Software Discovery | Anubis can collect a list of installed applications to compare against a list of targeted applications.[1] |
| mobile | T1426 | System Information Discovery | Anubis can collect the device's ID.[1] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | Anubis has used motion sensor data to attempt to determine whether it is running in an emulator.[3] |
| mobile | T1481 | Web Service | - |
| mobile | T1481.001 | Dead Drop Resolver | Anubis can retrieve the C2 address from Twitter and Telegram.[1][3] |
References
1. M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.
2. Cyble. (2021, May 2). Mobile Malware App Anubis Strikes Again, Continues to Lure Users Disguised as a Fake Antivirus. Retrieved April 24, 2025.
3. K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.
4. zLabs. (2019, November 12). How Zimperium's z9 Detected Unknown Mobile Malware Overlooked by the AV Industry. Retrieved January 20, 2021.