The BankBot trojan, Anubis has once again affected users of the Google Play Store. This occurred when users downloaded a battery power saving app, BatterySaverMobi and currency converter app, Currency Converter. It affected users worldwide, with Japan impacted the most.
Anubis is a trojan that moves within a users device undetected, stealing data relating to the user. It hides within apps and deploys onto a device after the user unknowingly permits it to do so.
Data collected from individual smartphones include user credentials, targeting those that are financially related. It also gains access to users’ contact lists and location data. It even has the ability to tamper with contents within the phone. This gives the Bots behind the trojan more than just data relating to the user. Screenshots or the built-in key logger on devices capture all this information.
Triggering Anubis
This trojan managed to remain undetected and triggered itself following one simple act from the user’s device; moving. Monitoring motion sensors allowed the trojan to determine whether to deploy itself on the device or not. Sandboxed or emulated devices provided little to no motion, alerting the Bots behind the Anubis trojan to this fact. As a result, it did not deploy on these devices.
Anubis triggered itself by tricking users into installing it with either a bogus system update message or another app’s permission request message. The trojan encoded itself into apps such as Twitter and Telegram, connected to the command and control server which linked to the trojan. The Anubis payload then dropped into the background.
Anubis has previous
Anubis used Google Play Store in the past to carry out its attacks. It targeted Turkish finance-related apps before. Google dealt with the trojan and wiped it clean from its store. However, this has not proven strong enough to stop the trojan striking again. Apps published on the store are clean from malicious content, but once in and waiting within the store, the trojan can be downloaded.
Avoiding Anubis
Users should be careful when installing apps and should not rely solely on the reviews given. Bots can be used to fake ratings and reviews, which is suspected happened in this case. Researchers such as Trend Micro advised users to be overly cautious when apps request banking credentials and to check whether the apps are linked with their financial providers beforehand.
Google has since removed BatterSaverMobi and Currency Converter from its Play Store.
