Anubis Android Malware is Back With Thousands of New Samples

Written by Bill Toulas
Last updated June 23, 2021

Anubis is a particularly nasty banking malware that hits Android devices and steals the payment information of its victims through a rich repertoire of tricks. Back in January, we saw how Anubis activated only when the user was on the go and not paying attention to what is going on in the device, how the malware pushed fake system updates, and how it was able to steal data from 377 individual financial apps by serving fake overlay screens. Trend Micro researchers have noticed a spike in the deployment of Anubis lately, warning people of over 17500 samples that are currently propagated globally.

anubis infection chain

image source:

In these campaigns, Anubis is packed inside malicious APKs that have names like “Google Services”, or “Operator Update” in various languages, tricking people into thinking they are downloading a system update utility. The newest samples of Anubis have the following technical capabilities:

According to the analysis of the samples, Anubis is mainly targeting Poland, Australia, Turkey, Germany, France, Italy, Spain, U.S., and India right now, mimicking the login screens of financial apps that are used in these countries. The C&C infrastructure shows some level of versatility, with the servers being located in various countries, and having cloud service and internet data service abuse in the mix.

anubis infrastructure

image source:

To stay safe from the Anubis danger, avoid downloading and installing apps (APKs) from untrustworthy sources, use a mobile security tool from a reliable vendor, and apply Android system and security updates when they become available. Even if Anubis gets activated when you’re not using your device, its activity traces can still be seen in the battery and network data consumption graphs that you can access in your device’s settings.

Have you ever had an Anubis experience? Share the details with us in the comments down below, or help us spread the warning by sharing this post through our social media, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: