A new BankBot Anubis campaign targeting Turkish mobile users emerged last month, as attackers managed to infiltrate the Google Play store with at least 10 fake apps that actually download the Android banking trojan.
In a blog post today, IBM’s X-Force research team reveals that each of the 10 mobile downloader programs — which come disguised as online shopping, financial and automotive apps, among others — can fetch more than 1,000 malicious samples from the perpetrators’ command-and-control servers.
These downloaders procure the final payload, BankBot Anubis, which asks unwitting users for accessibility rights under the guise of an imaginary app called Google Play Protect. Once users are persuaded to enable Android's Accessibility services for it, Anubis can log the keystrokes victims type when they open a targeted banking app and enter their credentials. The attackers can read these recorded keystrokes because the malware also takes screen captures. (This methodology eliminates the developer's need to create multiple fake banking app overlay screens to trick users into entering their credentials.)
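As an added defender-side illustration (not code from the IBM report or this article), the following Python script audits the Android `enabled_accessibility_services` setting and flags a non-Google package that advertises a "Google Play Protect" label, the lure described above. The allowlist, the sample package names and the label map are constructed assumptions; on a real device the setting comes from `adb shell settings get secure enabled_accessibility_services` and labels from `dumpsys package`.

```python
from dataclasses import dataclass

# Assumed allowlist of packages permitted to hold accessibility rights.
# Google Play Protect itself never needs an accessibility service.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
    "com.android.talkback",
}

# Labels a malicious service borrows to look trustworthy.
IMPERSONATED_LABELS = ("google play protect", "play protect", "google play services")

# Only these package prefixes may legitimately carry a Google-branded label.
GOOGLE_PACKAGE_PREFIXES = ("com.google.android.", "com.android.")


@dataclass
class Finding:
    component: str  # "package/ServiceClass" as Android stores it
    reason: str


def parse_enabled_services(setting_value: str) -> list:
    """Split the colon-separated setting into 'package/service' entries."""
    if not setting_value or setting_value.strip().lower() == "null":
        return []
    return [c.strip() for c in setting_value.split(":") if c.strip()]


def audit_services(setting_value: str, labels: dict) -> list:
    """Flag services outside the allowlist or impersonating a Google component."""
    findings = []
    for component in parse_enabled_services(setting_value):
        package = component.split("/", 1)[0]
        label = labels.get(package, "")
        looks_google = any(n in label.lower() for n in IMPERSONATED_LABELS)
        if looks_google and not package.startswith(GOOGLE_PACKAGE_PREFIXES):
            findings.append(Finding(component, f"label '{label}' impersonates a Google component"))
        elif package not in TRUSTED_PACKAGES:
            findings.append(Finding(component, "package not in accessibility allowlist"))
    return findings


# Constructed sample: one legitimate screen reader, one fake "shopping" app.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.shopdeals/com.example.shopdeals.ProtectService")
SAMPLE_LABELS = {"com.google.android.marvin.talkback": "TalkBack",
                 "com.example.shopdeals": "Google Play Protect"}

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SETTING, SAMPLE_LABELS):
        print(f"{f.component}: {f.reason}")
```

The sample run reports only the `com.example.shopdeals` service, since TalkBack is allowlisted and carries no Google-branded label.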
According to IBM X-Force, the attackers rely on downloaders to infect users with Anubis because the downloaders are more likely to go undetected in Google Play Store than a banking trojan. The attackers are also regularly updating the downloaders, recently adding simple obfuscation and expanding their capabilities, the report adds.
In their jointly written blog post, researchers Shachar Gritzman and Nethanella Messer and Executive Security Advisor Limor Kessem theorize that the variety of apps found in Google Play Store, combined with the ongoing maintenance of the downloaders, “indicates a large investment of resources on the part of the campaign’s operators, suggesting that a cybercrime service [e.g. downloader-as-a-service], rather than a single cybercrime faction, is likely responsible.”
Still, the researchers said it was also possible that this latest campaign could be the result of an individual cybercrime group suddenly favoring Anubis over other competing banking trojans such as Marcher.
IBM X-Force describes the campaign as “hefty,” noting that in one instance researchers “fetched more than 1,000 new samples of BankBot Anubis from just one C&C server. Each sample has a different MD5 signature, few of which were documented by any antivirus engine when tested against VirusTotal.”
While the campaign apparently has targeted solely Turkish users, IBM cautioned that with different botnets and configurations BankBot Anubis could easily victimize users in myriad other countries, including the U.S.
IBM reports that the malicious apps were all reported to Google for removal.