
Pyramid scheme: AnubisSpy Android malware steals data, seemingly links to old Sphinx campaign

A newly discovered Android spyware that victimizes Arabic-speakers has been potentially linked to the 2014-15 Sphinx cyber espionage campaign, which was launched by the threat group APT-C-15 to target PC users in the Middle East.

In a Dec. 19 blog post and accompanying technical brief, researchers from Trend Micro's Mobile Threat Response Team revealed their findings after analyzing seven apps found on Google Play or third-party app marketplaces that contained spyware dubbed AnubisSpy.

All of the apps are written in Arabic and somehow relate to Egypt – in certain cases, spoofing an Egyptian TV program or showcasing Middle Eastern news. They were signed with fake Google certificates and were installed in a “handful of countries in the Middle East,” Trend Micro further reports, citing Google. “The apps mainly used Middle East-based news and sociopolitical themes as social engineering hooks and abused social media to further proliferate,” the blog post explains.

According to the researchers, AnubisSpy is capable of stealing SMS messages, photos, videos, contacts, email accounts, and Chrome and Samsung Internet Browser histories, and can also take screenshots and record audio. Moreover, it can spy on infected victims via certain apps listed in its updatable configuration file, including Skype, WhatsApp, Facebook and Twitter.
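The capability list above maps closely onto declared Android permissions and components, which is where a first-pass triage of a suspicious app usually starts. The following Python script is an added example, not Trend Micro's code or any artifact from the AnubisSpy apps: it parses an AndroidManifest.xml with the standard library, maps the real Android permission names to the surveillance capabilities named in the article, treats a bound accessibility service as the mechanism for reading other apps' content, and flags an app that combines many of them. The sample manifest, the package name, the grouping table and the threshold are all constructed for the demonstration.

```python
"""Triage helper: map an app's declared permissions and components to the
surveillance capabilities described for AnubisSpy (SMS, contacts, accounts,
photos/videos, audio, browser history, other apps' content).

Added example, not Trend Micro code. The manifest below is constructed; the
permission-to-capability table uses real Android permission names, but the
grouping and the threshold are assumptions for a triage tool.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"          # android:name
PERM_ATTR = f"{{{ANDROID_NS}}}permission"    # android:permission

# Permission -> capability label (grouping is an assumption for triage).
CAPABILITY_BY_PERMISSION = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "read SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.GET_ACCOUNTS": "read email accounts",
    "android.permission.READ_EXTERNAL_STORAGE": "read photos/videos",
    "android.permission.RECORD_AUDIO": "record audio",
    "com.android.browser.permission.READ_HISTORY_BOOKMARKS": "read browser history",
}

# An accessibility service can observe other apps' screen content.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Return (set of declared permissions, whether an accessibility service is declared)."""
    root = ET.fromstring(xml_text)
    permissions = {
        el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)
    }
    accessibility = False
    for svc in root.iter("service"):
        if svc.get(PERM_ATTR) == ACCESSIBILITY_PERMISSION:
            accessibility = True
        for action in svc.iter("action"):
            if action.get(NAME_ATTR) == ACCESSIBILITY_ACTION:
                accessibility = True
    return permissions, accessibility


def spyware_capabilities(xml_text):
    """Sorted capability labels implied by the manifest's permissions and services."""
    permissions, accessibility = parse_manifest(xml_text)
    caps = {CAPABILITY_BY_PERMISSION[p] for p in permissions if p in CAPABILITY_BY_PERMISSION}
    if accessibility:
        caps.add("read content of other apps (accessibility service)")
    return sorted(caps)


def triage_score(xml_text, threshold=4):
    """Flag an app that combines many unrelated surveillance capabilities.

    The threshold is a constructed heuristic; a news or TV app needs none of these.
    """
    caps = spyware_capabilities(xml_text)
    return {"capabilities": caps, "count": len(caps), "suspicious": len(caps) >= threshold}


# Constructed manifest for a fictitious "news" app; not from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.newsapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
    <application>
        <service android:name=".WatcherService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for cap in spyware_capabilities(SAMPLE_MANIFEST):
        print(" -", cap)
    print(triage_score(SAMPLE_MANIFEST))
```

Declared permissions are only a starting signal: an app can declare less than it later requests at runtime, and a benign app with a legitimate reason for several of these would need manual review. The point of the combination check is that a news or TV-program app, the lure described in this story, has no reason to combine SMS, contacts, audio and accessibility access.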

Trend Micro reports that AnubisSpy shares the same file structures, command-and-control server, JSON file decryption technique, and targets as the aforementioned old Sphinx campaign, which typically used watering hole attacks to infect victims with the njRAT trojan. While the attackers behind AnubisSpy could be the original Sphinx operators, it is also possible they are separate actors, the researchers caution.

The researchers believe the apps were developed as far back as April 2015, with the latest variant signed in May 2017. Trend Micro says it contacted Google about the malicious apps on Oct. 12, 2017, prompting the latter company to update Google Play Protect accordingly.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
