"Anubis Android Malware Returns to Target 394 Financial Apps"

In a new malware campaign, the Anubis banking Trojan is targeting customers of almost 400 financial institutions. The malicious actors behind the campaign impersonate an Orange S.A. Android app to steal login credentials. According to researchers at Lookout, the campaign is still in the testing and optimization phase. The new version of Anubis has many capabilities, such as recording screen activity, implementing a SOCKS5 proxy for covert communication, retrieving contacts stored on the targeted device, collecting GPS data, implementing a keylogger, deleting notifications for SMS messages received by the device, submitting USSD code requests to query bank balances, and more. Additionally, like previous versions, the newest Anubis malware can detect whether the compromised device has Google Play Protect enabled and then display a fake system alert to trick the unsuspecting user into deactivating it. This capability gives the malware complete access to the device and lets it send data to and receive data from the command-and-control (C2) server without interference. The identity of the actors distributing Anubis remains unclear, as they have been careful to hide the registration trail of their C2 infrastructure. Cloudflare is used to redirect all network traffic through SSL, while the C2 masquerades as a cryptocurrency trading website. This article continues to discuss recent findings surrounding the new version of the Anubis Android banking Trojan regarding its capabilities, distribution mechanisms, and targets.

Bleeping Computer reports "Anubis Android Malware Returns to Target 394 Financial Apps"

Submitted by Anonymous on