Anubis

Anubis is mobile malware targeting Android-powered devices, delivered via malicious apps that were available on the official Google Play store. The malware is associated with the cyber-espionage group known as "Sphinx" or "APT-C-15." Anubis is used to steal SMS messages, photos, videos, contacts, email accounts, calendar events, and browser histories from Chrome and Samsung Internet Browser. Additionally, it can take screenshots and record audio, including phone calls. It spies on victims through apps installed on the device, including, but not limited to, Skype, WhatsApp, Facebook, and Twitter. Once the data has been collected, it is encrypted and sent to the C2 server. Anubis can run commands, delete files on the device, install and uninstall APKs, and has the ability to self-destruct.

Technical Details

  • Trend Micro has published a technical analysis of the Anubis malware.

  • January 2019: Anubis was found installed on two apps in the Google Play store, one advertised as a currency converter and the other a power saver. Anubis uses the device’s sensors to avoid detection. (Trend Micro)

  • July 2019: Anubis returned with another variant that recycles similar information-stealing capabilities, including the ability to: (Trend Micro)

    • Take screenshots of the infected device’s screen

    • Remotely control the device via virtual network computing (VNC)

    • Record audio

    • Send, receive, and delete SMS

    • Enable or configure device administration settings

    • Get the device’s running tasks

    • Steal the device’s contact list

    • Open a specified URL

    • Disable Google Play Protect

    • Lock the device’s screen

    • Start or initiate unstructured supplementary service data (USSD), a protocol used to exchange short text messages between a mobile device and the mobile network's applications

    • Encrypt files, including those stored on the SD card (as AnubisCrypt)

    • Find or locate files

    • Get the device’s location

    • Retrieve remote control commands from social media channels like Twitter and Telegram
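Most of the capabilities listed above require an app to declare specific Android permissions or privileged components (a device-admin receiver, an accessibility service) in its manifest. The following triage script is an added example, not Anubis code or a Trend Micro tool: it maps the profile's capabilities to the standard Android permissions that enable them (an assumption; the page does not list Anubis' exact permission requests) and reports which capabilities a given manifest could support. The manifest and package name are constructed for illustration.

```python
# Added example: map the Anubis capabilities above to Android manifest declarations.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability from the profile -> standard permissions that enable it (assumption).
CAPABILITY_PERMISSIONS = {
    "send/receive/delete SMS": {"android.permission.SEND_SMS",
                                "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "steal contact list": {"android.permission.READ_CONTACTS"},
    "get device location": {"android.permission.ACCESS_FINE_LOCATION"},
    "initiate USSD": {"android.permission.CALL_PHONE"},
    "encrypt files on SD card": {"android.permission.WRITE_EXTERNAL_STORAGE"},
}
# Components that must be protected by these bind permissions to be honoured by Android.
BIND_PERMS = {"android.permission.BIND_DEVICE_ADMIN": "device-admin receiver",
              "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service"}

def declared_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}

def privileged_components(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {BIND_PERMS[p] for el in root.iter()
            if (p := el.get(ANDROID_NS + "permission")) in BIND_PERMS}

def triage(manifest_xml: str) -> dict:
    """Return the profile capabilities the manifest could support and a simple risk score."""
    perms = declared_permissions(manifest_xml)
    caps = sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if perms & need)
    comps = sorted(privileged_components(manifest_xml))
    return {"capabilities": caps, "components": comps, "risk": len(caps) + 2 * len(comps)}

# Constructed manifest of a "currency converter" requesting far more than it needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.converter">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <application>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

A converter that legitimately needs only INTERNET would score 0 here; the sample scores 10 because every listed capability plus both privileged components are present.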