What a bargain! Get a real app – and the Anubis Trojan – with cloned and repackaged apps on 3rd party markets

The Anubis banking Trojan is back in action, ready to elbow out the newer Cerberus from the limelight. Anubis has a starring role in phishing and social engineering campaigns where victims are persuaded to download a real, certified app – but from outside the usual Google Play Store.

Not only does the victim get the app, they get a clever bit of malware that is ready to steal data and credentials from nearly 200 real banking and financial mobil apps that might be on their device. In addition, the malware can also take screenshots, take over text messaging, open URLs, and disable Google Play Protect. What a bargain.

The Anubis strategy is to clone legit apps from Google Play, repackage the app along with their banking Trojan, and distribute it via third-party app markets. It’s a simple, but effective move: their novel packaging deal installs the original app and the Anubis banker on top of it.

Here below are three actual examples of the repackaged apps:

Figure 1: the legit applications found in Google Play

Trojan flying a false flag

The three original apps shown are found on Google Play and are not malicious! The malicious ones are simply modified versions of the original ones with the added malware. The third app shows how the malware authors have decided to use the current COVID-19 situation in their favor and distribute malware under the flag of a legit application.

The first sign of a difference comes when a user gets a warning when trying to install the modified apps, because they are not sourced from the Google Play market. If the user allows off-market installations, the app will continue to be loaded.

Figure 2: warning to not install apps from unknown sources

 

That new app is moving to take control

After installing the fake applications, they will ask for full control over the device and, in some cases, ask for permission to record audio and manage the text messages.

One interesting case is with the “Media Player” application. After it’s installed, the name of the app in the applications list will be “Video Player”, but the Anubis-patched variant is titled “Media Player”. In addition, the malicious one will ask for different, more dangerous permissions, on top of the usual “Full control of the device” permission.

 Figure 3: the malicious “Media Player” app asks for dangerous permissions

 

Modular efficiency for Android malware

Besides the similar behavior, all the analyzed applications use the same naming convention for identifying the malicious android package. Just think of this as modular efficiency where the same malicious components can be reused and recycled between apps.

Figure 4: all the analyzed apps share a similarity in their manifest file and point to the malicious android package name

Practice safe shopping in the marketplace

Regardless of the name of the specific app, these are examples of one common infection vector where the malware authors trick users into installing seemingly legit applications that, beneath the nice package, contain malicious code.

Bad stuff and malicious apps do manage to get into the official Google Play Store. Most recently, Google deleted a bogus VPN app used by over 100 million people. Then there were those infected play apps for children also removed.

However, it is important to realize that the Play Store is patrolled and suspicious apps are regularly removed especially when security researchers point out issues.

To stay safe, practice these three social distancing recommendations when shopping for apps:

  1. Staying within the Play Store walled garden.
  2. Think about why a certain application requests permission (and don’t blindly grant permissions)
  3. Always have an AV product installed on your device.

Avira detects these fake apps as: ANDROID/Dropper.BAD.Gen

IOCs

SHA-256Package name
 

9af40bd913f4612a790c4fd2821b4e8a6ce7d15503484c35a5e8452e20845d8a

 

 com.doktorumapp
 

612da67e5c5eb4288ec4c5ef60598d75bd156d25217f123de8d2e85ef215fa4d

 

 com.mefree.videoplayer
 

7559dff487b11e7366f0a6f952dd808e376844609c9f5af6a1ebda09ffe30bb0

 

 cat.gencat.mobi.StopCovid19Cat

This post is also available in: German

Avira logo

Protect your Android from Trojans and other threats