At least 10 apps in Google Play Store distribute BankBot Anubis
IBM X-Force researchers found several malicious applications on the Google Play Store at once. These apps infected Android users with the banking Trojan known as BankBot Anubis, which steals credentials for banking apps, e-wallets and payment cards.
The researchers note that this campaign dates back at least to June 2018. The attackers embedded their payload in a wide variety of apps, from online shopping tools to stock market monitoring apps. All the "products" of the criminal group looked convincing, which suggests that considerable resources were invested in the campaign. There were at least ten such malicious loaders.
Other malicious programs have already slipped into the Google Play catalog, and BankBot Anubis is no exception. It passed Google's security checks because the app submitted to the store carried no malicious code of its own: the payload was fetched only after the app was installed on a device, once the loader had "sized up the situation" and contacted its command-and-control server. The downloaded malware then poses as Google Protect, and as a result many antivirus solutions see nothing suspicious either.
According to the researchers, the developers of BankBot Anubis regularly change and update their malware and expand its capabilities, but they make these code changes carefully so as not to draw the attention of Google Play's security mechanisms. The steady stream of updates also indicates that an experienced criminal group is behind the malware.
The malware's job is to settle onto the device under the guise of Google Protect and then ask the user to grant it the Accessibility Service permission. If the user agrees, believing they are dealing with a Google component, the malicious code can use that access to act as a keylogger, that is, to capture the user's financial data as it is typed. Anubis can also take screenshots, so its operators receive everything they need for further attacks.
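The Accessibility Service abuse described above leaves a visible trace on the device: every service the user has enabled is listed in the secure setting `enabled_accessibility_services`, which can be read with `adb shell settings get secure enabled_accessibility_services`. The check below is an added example, not code from the IBM X-Force report or from the malware. It parses that colon-separated `package/ServiceClass` list and flags any enabled service whose package is not on a trusted allowlist, calling out separately the case the article describes, a non-Google package dressed up with "Google"/"Protect"-style names. The allowlist, the impersonation keywords and the sample setting string are constructed for illustration.

```python
"""Triage enabled Android accessibility services for impostors.

Added example (not from the original article). Input format is the value of
`settings get secure enabled_accessibility_services`: entries separated by
':', each 'package/ServiceClass', where the class may be written relative
to the package as '.ServiceClass'. An empty value is returned as 'null'.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed allowlist of packages that legitimately run accessibility services
# on the fleet being checked; extend it for your own devices.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Assumed keywords: a package outside com.google.* that uses these in its
# package or service name is treated as impersonating a Google component.
IMPERSONATION_WORDS = ("google", "protect", "play")


@dataclass
class Finding:
    package: str
    service: str
    reason: str


def parse_enabled_services(setting: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully-qualified service class) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    entries = []
    for item in setting.split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):          # relative class name -> qualify it
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def triage(setting: str, trusted: set[str] = TRUSTED_PACKAGES) -> list[Finding]:
    """Return one Finding per enabled service whose package is not trusted."""
    findings = []
    for pkg, cls in parse_enabled_services(setting):
        if pkg in trusted:
            continue
        name = f"{pkg}/{cls}".lower()
        if not pkg.startswith("com.google.") and any(w in name for w in IMPERSONATION_WORDS):
            reason = "non-Google package using Google/Protect-style naming"
        else:
            reason = "accessibility service from package outside allowlist"
        findings.append(Finding(pkg, cls, reason))
    return findings


# Constructed sample: a real-looking TalkBack entry, a shopping app whose
# service calls itself 'GoogleProtectService', and an unknown screen reader.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.shopping/.protect.GoogleProtectService:"
    "com.example.screenreader/com.example.screenreader.ReaderService"
)

if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING):
        print(f"{f.package} -> {f.service}: {f.reason}")
```

On a real device, feed the function the output of `adb shell settings get secure enabled_accessibility_services` and review every finding; the allowlist approach catches the loader regardless of which "Google Protect" label it shows the user, because the label is not what the setting records.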
According to IBM X-Force, the malware mainly targets users in Turkey, but Russia, Belarus, China, Israel, Azerbaijan, Great Britain and other countries are also on its list of potential victims.
The researchers believe the loaders may be part of a service run by a criminal group that sells other criminals a way into Google Play. Another theory is that BankBot Anubis is distributed by the same group that previously operated the Trojan known as Marcher.