Threat actor groups have recently sent phishing email messages disguised as an invoice, targeting Android phone users with the malicious app known as Anubis. The phishing messages contain an attached Android Package Kit (APK) file. If the email message and attachment are opened on an Android phone, the recipient will be prompted to install the app from the APK file unless the phone’s security settings prohibit it. The app appears to request permission for “Google Play Protect” to use accessibility features on the phone to observe actions and retrieve window content on the phone. If the permission is granted, it actually disables Google Play Protect and allows the Anubis malware to access sensitive information. The malicious app is capable of stealing many types of information, including the following:
- Capturing screenshots
- Enabling or changing administration settings
- Opening and visiting any URL
- Disabling Play Protect
- Recording audio
- Making phone calls
- Stealing the contact list
- Controlling the device via VNC
- Sending, receiving and deleting SMS
- Locking the device
- Encrypting files on the device and external drives
- Searching for files
- Retrieving the GPS location
- Capturing remote control commands from Twitter and Telegram
- Pushing overlays
- Reading the device ID
Anubis contains a ransomware module that allows the attacker to encrypt files on the phone and demand an extortion payment to decrypt them.
Analyst Notes
Companies that allow employees to use their own mobile devices to access work information should ensure that employees are aware of the danger of installing apps from APK files, especially if they are received by email or downloaded from websites. Android devices should set the security control to not allow installation of apps from files, and only install well-reviewed and trustworthy apps from Google Play or other well-known sources. Businesses should scan incoming emails for suspicious attachments such as APK files to detect threats targeted at employees.
For more information, please see: https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/
