#Privacy: Phishing campaign found targeting Android devices

Researchers at Cofense have uncovered a phishing campaign that attempts to deliver the Anubis malware.

The Anubis malware, originally used for cyber espionage, has now been repurposed as a banking trojan. In the new campaign, Anubis can install a keylogger, hold a device’s data for ransom, and even hijack an Android mobile device to steal user credentials.

In a blog post, Cofense explains that due to the increasing use of mobile devices in the corporate environment, with many implementing BYOD policies, Anubis has the potential to cause serious harm to both consumers and businesses.

The phishing email contains a link to an Android Package Kit (APK) file. When the link is opened on an Android device, the APK file is downloaded.

Once the file is opened, the malware asks the user to enable “Google Play Protect”. Agreeing actually grants the malware all the permissions it needs to disable the real Google Play Protect.

Cofense noted that Anubis is primarily targeting banking and financial applications, in addition to shopping apps such as eBay or Amazon.

“Once an application has been identified, Anubis overlays the original application with a fake login page to capture the user’s credentials,” wrote Cofense researcher Marcel Feller.

Anubis has a wide range of capabilities, including capturing screenshots, enabling or changing administration settings, recording audio, making phone calls, opening and visiting any URL, locking the device, retrieving the GPS location and more.

The malware also includes a keylogger that works in every app installed on the Android device. However, this can only be enabled by the threat actors via a command sent from the C2 server. 
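A defender's triage check for the capability set described above, as an added example (not Cofense's code or indicators): it reads a decoded AndroidManifest.xml and flags an APK that requests several of the standard Android permissions those capabilities would rely on. The permission-to-capability mapping, the threshold of three and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from capabilities named in the article to standard Android
# permissions; this is a triage heuristic, not a published indicator list.
RISK_MAP = {
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "audio": {"android.permission.RECORD_AUDIO"},
    "calls": {"android.permission.CALL_PHONE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
}

def declared_permissions(manifest_xml):
    """Collect permissions requested via <uses-permission> and permissions
    bound on <service>/<receiver> (accessibility, device admin)."""
    perms = set()
    for el in ET.fromstring(manifest_xml).iter():
        if el.tag in ("uses-permission", "uses-permission-sdk-23"):
            perms.add(el.get(ANDROID_NS + "name"))
        elif el.tag in ("service", "receiver"):
            perms.add(el.get(ANDROID_NS + "permission"))
    perms.discard(None)  # elements that lacked the attribute
    return perms

def triage(manifest_xml, threshold=3):
    """Return matched capability groups and whether to escalate for review."""
    perms = declared_permissions(manifest_xml)
    hits = sorted(cap for cap, needed in RISK_MAP.items() if perms & needed)
    return {"capabilities": hits, "escalate": len(hits) >= threshold}

# Constructed sample manifest (not taken from any real APK).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Adm"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A match means the APK deserves manual review, not that it is Anubis: legitimate apps also request some of these permissions.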

According to Cofense, this particular version of Anubis is designed to run on numerous “iterations of the Android operating system, dating back to version 4.0.3.” The malware has now targeted more than 250 Android apps. 

“Users who have configured their Android mobile device to receive work-related emails and allow installation of unsigned applications face the most risk of compromise. APK files will not natively open in an environment other than an Android device,” Feller added. 

“With the increased use of Android phones in business environments, it is important to defend against these threats by ensuring devices are kept current with the latest updates. Limiting app installations on corporate devices, as well as ensuring that applications are created by trusted developers on official marketplaces, can help in reducing the risk of infection as well.”

