A new BankBot campaign, dubbed Anubis, has surfaced in the wild and is targeting Turkish mobile users. Anubis has infiltrated the Google Play Store with at least 10 apps. The downloaders are disguised as online shopping, automotive, and financial apps. The malware asks victims for accessibility rights under the guise of a fake app called Google Play Protect. Once the victim is convinced to enable the accessibility services, the malware can record keystrokes and capture screenshots of the victim's device when targeted banking apps are opened. The attackers rely on the downloaders to infect victims because downloaders are more likely to pass through the Play Store undetected. The downloaders are also frequently updated, and simple obfuscation was recently added to help expand their capabilities. Researchers have retrieved over 1,000 new samples of Anubis from one C&C server, each with a different MD5 hash. Anubis has primarily targeted Turkish users; however, with different botnets and configurations, it is possible that Anubis could victimize users in other countries.
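Because every retrieved sample has a different MD5, hash blocklists do not help here; the stable trait is an accessibility service presented under the Google Play Protect name. The following triage sketch is an added example, not code from the original report. It assumes the manifest has already been decoded to text XML (for example with apktool), and the trusted package prefixes and sample data are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Label named in the report; the trusted prefixes below are an assumption.
IMPERSONATED_LABELS = {"google play protect"}
TRUSTED_PREFIXES = ("com.google.", "com.android.")


def resolve_label(raw, strings):
    """Resolve an '@string/name' reference using decoded resource strings."""
    if raw and raw.startswith("@string/"):
        return strings.get(raw[len("@string/"):], raw)
    return raw or ""


def triage_manifest(manifest_xml, strings=None):
    """List accessibility services; mark those imitating a system app as high."""
    strings = strings or {}
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_label = resolve_label(app.get(ANDROID_NS + "label"), strings)
    findings = []
    for svc in app.iter("service"):
        if svc.get(ANDROID_NS + "permission") != A11Y_PERMISSION:
            continue  # not an accessibility service
        # A service without its own label is shown under the application label.
        label = resolve_label(svc.get(ANDROID_NS + "label"), strings) or app_label
        impersonates = (label.strip().lower() in IMPERSONATED_LABELS
                        and not package.startswith(TRUSTED_PREFIXES))
        findings.append({"package": package,
                         "service": svc.get(ANDROID_NS + "name"),
                         "label": label,
                         "severity": "high" if impersonates else "review"})
    return findings


# Constructed sample manifest and strings (not taken from any real sample).
SAMPLE_SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.shopdeals">
  <application android:label="Shop Deals">
    <service android:name=".SvcA" android:label="@string/svc_name"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Sync"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = {"svc_name": "Google Play Protect"}
```

Any app that declares an accessibility service is returned for review; only a label match from a package outside the trusted prefixes is raised to high.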
By Akshay Rohatgi and Randy Pargman About this Student Research Project Binary Defense’s mission is