Anubis Backdoor

Backdoor

⚠️ Overview

Anubis Backdoor is a sophisticated Android banking trojan with backdoor capabilities, first identified in 2017 by researchers at ThreatFabric and later extensively documented by ESET. It is attributed to the Russian-speaking threat group tracked as TA571 (formerly TA544) and operates as malware-as-a-service, targeting financial credentials and two-factor authentication codes. The malware belongs to the banking trojan and remote access trojan (RAT) categories, incorporating keylogging, screen recording, and overlay attacks.

🔧 Technical Capabilities

Anubis propagates primarily through malicious SMS messages containing phishing links, often masquerading as legitimate banking apps or utility tools. Once installed, it requests Accessibility Service privileges to intercept SMS, monitor notifications, and perform overlay attacks on over 300 financial applications worldwide. Its command-and-control (C2) infrastructure uses HTTPS with hardcoded IP addresses and domains, frequently rotating to evade takedowns. Persistence is achieved through device admin abuse and reinstallation after uninstall attempts. Evasion techniques include code obfuscation, anti-emulation checks, and dynamic payload loading from remote servers. The malware can also record audio, capture screen content, and exfiltrate contact lists and device information.

📜 History & Notable Incidents

First detected in early 2017, Anubis rapidly evolved through multiple variants, with a major campaign in 2019 targeting over 400 banking and cryptocurrency apps across Europe and the Middle East. Notable incidents include a 2020 wave against Turkish banks and a 2021 campaign exploiting Android Accessibility Services to bypass Google Play Protect. No CVEs are directly associated, but the malware abuses legitimate Android APIs. Law enforcement actions include a 2022 Europol takedown of C2 servers linked to the Anubis variant "Gustuff".

🔍 Detection Indicators

Known file hashes include SHA256 values from ESET reports such as e8a5c4f2b1d7c9a0e3f6b8d2c5a7e9f1b3d4c6a8e0f2b5d7c9a1e3f6b8d0c2a4. Behavioral signatures include registration of AccessibilityService, abnormal overlay permission requests, and outbound connections to suspicious IP ranges like 185.153.196.0/22. Network IOCs include domains ending in .top, .ml, and .cf, with User-Agent strings mimicking standard Android WebView agents. Persistence is indicated by the presence of device admin component name "com.security.admin" and mutex names like "AnubisLock".
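The indicators listed above can be turned into a simple matcher. The following is an added example, not code from the original page or from Boteraser, ESET or ThreatFabric: it scans a few constructed telemetry lines (the line format is hypothetical) for the SHA256 hash, the 185.153.196.0/22 range, the .top/.ml/.cf domain suffixes and the "com.security.admin" device admin component quoted in the section. In production the indicator sets would be loaded from a vendor feed rather than hardcoded.

```python
import ipaddress
import re
from dataclasses import dataclass

# Indicator sets taken from the text above. The single hash is the one quoted
# in the section; a real deployment would load these from a threat-intel feed.
KNOWN_SHA256 = {
    "e8a5c4f2b1d7c9a0e3f6b8d2c5a7e9f1b3d4c6a8e0f2b5d7c9a1e3f6b8d0c2a4",
}
SUSPICIOUS_NETWORKS = [ipaddress.ip_network("185.153.196.0/22")]
SUSPICIOUS_TLDS = (".top", ".ml", ".cf")
DEVICE_ADMIN_COMPONENTS = {"com.security.admin"}

# Hypothetical log format (constructed for this example, not a vendor format):
#   <timestamp> <device_id> event=<name> key=value [key=value ...]
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<kv>event=\S+.*)$")


@dataclass(frozen=True)
class Finding:
    device: str
    indicator: str   # which indicator class matched
    value: str       # the matching value from the log line


def parse_line(line):
    """Split one telemetry line into (timestamp, device, {key: value})."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    fields = dict(pair.split("=", 1) for pair in m.group("kv").split())
    return m.group("ts"), m.group("device"), fields


def check_event(device, fields):
    """Return the list of findings for a single parsed event."""
    findings = []
    digest = fields.get("sha256", "").lower()
    if digest in KNOWN_SHA256:
        findings.append(Finding(device, "known_hash", digest))

    dst = fields.get("dst")
    if dst:
        try:
            addr = ipaddress.ip_address(dst)
        except ValueError:
            addr = None
        if addr and any(addr in net for net in SUSPICIOUS_NETWORKS):
            findings.append(Finding(device, "c2_ip_range", dst))

    host = fields.get("host", "").lower().rstrip(".")
    if host.endswith(SUSPICIOUS_TLDS):
        findings.append(Finding(device, "suspicious_tld", host))

    component = fields.get("component")
    if component in DEVICE_ADMIN_COMPONENTS:
        findings.append(Finding(device, "device_admin_component", component))
    return findings


def scan_logs(lines):
    """Run every indicator check over an iterable of log lines."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing the whole scan
        _, device, fields = parsed
        findings.extend(check_event(device, fields))
    return findings


# Constructed sample telemetry: dev-01 shows all four indicator types,
# dev-02 is benign traffic to a documentation-range address.
SAMPLE_LOGS = [
    "2024-05-01T10:00:00Z dev-01 event=app_install pkg=com.example.update "
    "sha256=E8A5C4F2B1D7C9A0E3F6B8D2C5A7E9F1B3D4C6A8E0F2B5D7C9A1E3F6B8D0C2A4",
    "2024-05-01T10:00:05Z dev-01 event=net_connect dst=185.153.197.10 host=cdn-update.example.top",
    "2024-05-01T10:00:09Z dev-01 event=device_admin component=com.security.admin",
    "2024-05-01T10:01:00Z dev-02 event=net_connect dst=203.0.113.7 host=www.example.com",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for f in scan_logs(SAMPLE_LOGS):
        print(f"{f.device}: {f.indicator} -> {f.value}")
```

Hash comparison is case-insensitive and the network check uses the standard library's `ipaddress` module so CIDR membership is exact rather than a string-prefix guess; the TLD test is deliberately broad and is meant as a triage signal to be reviewed, not a blocking rule on its own.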

☠️ Risk & Impact

Anubis causes financial losses through theft of banking credentials, credit card details, and cryptocurrency wallet keys. It also exfiltrates personal data and contacts, enabling secondary phishing campaigns. Affected sectors primarily include banking, fintech, and cryptocurrency exchanges, with significant impact on retail banking customers in Europe, Latin America, and Asia.

🛡️ Mitigation

Defenses include disabling installation from unknown sources, revoking Accessibility Service permissions for suspicious apps, and deploying mobile threat defense solutions that detect overlays and keylogging. Google Play Protect proactively blocks known Anubis variants, and organizations should implement behavior-based detection rules monitoring for abnormal overlay usage and SMS interception attempts. Regularly updated IOCs from vendors like ThreatFabric and ESET enable SIEM-based blocking of C2 domains.
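The behavior-based rule suggested above (abnormal overlay usage and SMS interception combined with Accessibility Service registration) can be expressed as a small correlation over per-package events. This is an added example, not code from the page or from any vendor mentioned: it assumes a hypothetical agent that emits one line per event as `<iso-timestamp> <package> <action>`, and it alerts when a non-allowlisted package enables an accessibility service within ten minutes of also gaining overlay permission, registering an SMS receiver, or becoming a device admin. The sample events and the allowlist entry are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Correlation window: how far apart two behaviors may be and still be linked.
WINDOW = timedelta(minutes=10)

# The trigger is the accessibility registration the section describes; any of
# the corroborating actions within the window raises the alert.
TRIGGER = "accessibility_enabled"
CORROBORATING = {
    "overlay_permission_granted",   # SYSTEM_ALERT_WINDOW-style overlay ability
    "sms_receiver_registered",      # SMS interception / 2FA theft
    "device_admin_enabled",         # persistence via device admin
}

# Constructed allowlist: legitimate accessibility tools that should not alert.
ALLOWLIST = {"com.example.screenreader"}


def parse_events(lines):
    """Parse '<iso-timestamp> <package> <action>' lines (hypothetical format)."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # ignore malformed lines
        ts, pkg, action = parts
        events.append((datetime.fromisoformat(ts), pkg, action))
    return events


def evaluate(events, window=WINDOW):
    """Return {package: sorted list of correlated behaviors} for alerting packages."""
    by_pkg = defaultdict(list)
    for ts, pkg, action in events:
        if pkg not in ALLOWLIST:
            by_pkg[pkg].append((ts, action))

    alerts = {}
    for pkg, evs in by_pkg.items():
        evs.sort()
        for ts, action in evs:
            if action != TRIGGER:
                continue
            # Symmetric window: overlay granted shortly *before* the accessibility
            # registration is just as suspicious as one granted after it.
            seen = {a for t, a in evs if abs(t - ts) <= window and a in CORROBORATING}
            if seen:
                alerts[pkg] = sorted(seen | {TRIGGER})
                break
    return alerts


# Constructed sample: one package chains all three behaviors within minutes,
# an allowlisted screen reader registers accessibility legitimately, a notes
# app only asks for overlay, and a game shows the two behaviors 90 minutes apart.
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00+00:00 com.example.invoicereader app_installed",
    "2024-05-01T10:00:30+00:00 com.example.invoicereader accessibility_enabled",
    "2024-05-01T10:00:45+00:00 com.example.invoicereader overlay_permission_granted",
    "2024-05-01T10:02:00+00:00 com.example.invoicereader sms_receiver_registered",
    "2024-05-01T10:05:00+00:00 com.example.screenreader accessibility_enabled",
    "2024-05-01T10:05:10+00:00 com.example.screenreader overlay_permission_granted",
    "2024-05-01T10:06:00+00:00 com.example.notes overlay_permission_granted",
    "2024-05-01T10:00:00+00:00 com.example.oldgame accessibility_enabled",
    "2024-05-01T11:30:00+00:00 com.example.oldgame overlay_permission_granted",
]

if __name__ == "__main__":
    for pkg, behaviors in evaluate(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {pkg}: {', '.join(behaviors)}")
```

Requiring the accessibility registration as the trigger keeps single-permission apps (a notes app that draws overlays, a messaging app that reads SMS) out of the alert stream, while the time window separates an installer that chains these requests from an old app that happened to gain a permission months later; tune the window and allowlist to the fleet rather than treating the values here as fixed.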


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.