Hundreds of financial applications are being targeted by a threat campaign featuring a new strain of the Anubis Android banking trojan malware.
The malicious campaign was detected by researchers at cybersecurity company and integrated endpoint-to-cloud provider Lookout.
Researchers observed the banking malware masquerading as an account management application created by France’s largest telecommunications company, Orange S.A., to target customers of nearly 400 financial institutions, virtual payment platforms, and crypto-currency wallets.
Victims of Anubis suffer their personal data’s being exfiltrated from their mobile device then exploited for financial gain. The malware accesses victims’ information by intercepting SMSs, keylogging, GPS data collection, file exfiltration, screen monitoring, and abusing the accessibility services of a device.
This latest distribution of Anubis can record a device’s screen activity and sound from its microphone, capture screenshots, retrieve contacts and send mass SMS messages to specified recipients, and submit USSD code requests to query bank balances. It can also lock the screen of a device and cause a ransom note to be displayed.
The malicious app, with a package name of ‘fr.orange.serviceapp’, landed in the Google Play store at the end of July 2021. Lookout’s researchers believe its creators sought to test Google’s antivirus capabilities.
To disguise the criminal nature of the malicious app, the cyber-criminals have perfectly mimicked its “Orange et Moi France” app icon, which shows a user and their device drawn in white against an orange background.
However, eagle-eyed app users will notice that the resolution of the fake image used by the cyber-criminals is lower than that used in the real icon, giving it a slightly fuzzy appearance.
Explaining how Anubis initiates attacks, researchers wrote: “As a trojanized malware, users assume that the app they have downloaded is legitimate. Pretending to be ‘Orange Service,’ the malware begins its attack by asking for accessibility services.”
Once the user selects “OK,” the app initiates covert communications with its C2, sending details about the victim’s device. Next, it exploits accessibility services to grant itself additional extensive permissions.
“This process occurs so quickly that most users probably wouldn’t see the device selecting ‘agree’ to the permission request prompts,” said researchers.