Threat actor groups have recently sent phishing email messages disguised as invoices, targeting Android phone users with the malicious app known as Anubis. The phishing messages carry an attached Android Package Kit (APK) file. If the message and attachment are opened on an Android phone, the recipient is prompted to install the app from the APK file unless the phone’s security settings block installation from unknown sources. The app then asks the user to grant an accessibility service, presented under the name “Google Play Protect”, permission to observe the user’s actions and retrieve window content. If the permission is granted, the app uses it to disable the real Google Play Protect and to give the Anubis malware access to sensitive information. Once installed, the malware is capable of a wide range of actions on the device, including the following:
- Capturing screenshots
- Enabling or changing administration settings
- Opening and visiting any URL
- Disabling Play Protect
- Recording audio
- Making phone calls
- Stealing the contact list
- Controlling the device via VNC
- Sending, receiving and deleting SMS
- Locking the device
- Encrypting files on the device and on external storage
- Searching for files
- Retrieving the GPS location
- Capturing remote control commands from Twitter and Telegram
- Pushing overlays
- Reading the device ID
Anubis contains a ransomware module that allows the attacker to encrypt files on the phone and demand an extortion payment to decrypt them.
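The delivery vector described above is an APK attached to an invoice-themed email. As an added defensive example that is not part of the original advisory, the following Python script flags email attachments that are Android packages, including an APK whose filename and declared Content-Type have been changed to look like a PDF: it checks the extension, the MIME type, and finally the payload itself, since an APK is a ZIP archive that contains AndroidManifest.xml. The message it scans is constructed inline; the sender, recipient, and filenames are assumptions.

```python
"""Flag email attachments that are Android APK files, even when the
extension or declared Content-Type has been changed.  Added example for
this advisory; the message scanned below is constructed, not a real sample."""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

APK_MIME = "application/vnd.android.package-archive"


def looks_like_apk(data: bytes) -> bool:
    """An APK is a ZIP archive with AndroidManifest.xml at its root."""
    if not data.startswith(b"PK\x03\x04"):  # ZIP local file header magic
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_apk_attachments(raw_message: bytes) -> list:
    """Return one record per attachment that looks like an APK, with the
    reasons it was flagged (extension, MIME type, and/or file content)."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        payload = part.get_payload(decode=True) or b""
        reasons = []
        if name.lower().endswith(".apk"):
            reasons.append("extension .apk")
        if ctype == APK_MIME:
            reasons.append("Content-Type " + APK_MIME)
        if looks_like_apk(payload):
            reasons.append("ZIP archive containing AndroidManifest.xml")
        if reasons:
            hits.append({"filename": name, "content_type": ctype, "reasons": reasons})
    return hits


def build_sample_message() -> bytes:
    """Constructed phishing-style email (assumed addresses and filenames):
    an 'invoice' that is really an APK renamed to .pdf with a false
    Content-Type, plus a harmless PDF for comparison."""
    apk = io.BytesIO()
    with zipfile.ZipFile(apk, "w") as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n")
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Invoice 2023-0042"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(apk.getvalue(), maintype="application", subtype="pdf",
                       filename="Invoice.pdf")
    msg.add_attachment(b"%PDF-1.4\n...", maintype="application", subtype="pdf",
                       filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for hit in find_apk_attachments(build_sample_message()):
        print(hit)
```

Only the content check catches the renamed attachment in the sample; a filter keyed on the `.apk` extension or the declared MIME type alone would let it through. The same `looks_like_apk` test can be applied to files pulled from a mail gateway quarantine or a proxy log.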