Also known as: android.bankbot, android.bankspy, BankBot
Category: Malware
Type: Banking trojan
Platform: Android
Variants: Anubis II, Anubis 2.1, Anubis 2.5, Anubis 3, CometBot, MysteryBot, LokiBot
Damage potential: Credential theft, data theft, keylogging, screen streaming, SMS harvesting, ransomware, data-wiping
Overview
The Anubis malware is one of the most widely used Android banking trojans in the world. It first appeared in late 2016 and, over its lifetime, is believed to have caused damage to at least 300 financial institutions worldwide. Anubis works by disguising itself as a third-party app (for example, a mobile game, utility app, or browser) and using keylogging, screen streaming, and fake notifications to steal victims’ banking information.
Possible symptoms
Anubis focuses on stealing credentials, intercepting communication, and spying on user activity. If it has infected your device, you are likely to notice unusual behavior, such as unauthorized access to your banking apps or sudden requests for sensitive permissions from seemingly legitimate apps.
Other symptoms of Anubis malware may include:
- Credential theft. Anubis overlays fake login pages on top of legitimate banking or financial apps to steal usernames, passwords, and other sensitive information.
- Unusual app behavior. You may notice apps crashing, acting erratically, or requesting excessive permissions, such as access to SMS, contacts, or device administration.
- SMS interception. Anubis intercepts incoming text messages, including two-factor authentication (2FA) codes, to bypass account security mechanisms.
- Battery drain and slow performance. The malware operates in the background, causing high resource usage and slower device performance.
- Spyware activity. It may log keystrokes, record screens, track your location, and capture audio to steal additional sensitive data.
- Exfiltration of data. Stolen credentials, personal information, and other data are sent to the malware's command-and-control server for use in fraud and other malicious activities.
Sources of the infection
Anubis is typically delivered through several common methods, each aimed at infiltrating Android devices and stealing sensitive data for malicious purposes:
- Malicious apps. You might unknowingly download apps embedded with Anubis from unofficial sources or even from the Google Play Store. These apps often masquerade as utilities like QR code scanners, fitness trackers, or productivity tools.
- Phishing emails or SMS messages (smishing). Cybercriminals might send messages with infected links or attachments that, when clicked, download Anubis onto your device. These links typically imitate legitimate services to trick users into installing harmful apps.
- Exploitation of Android vulnerabilities. Hackers might exploit known vulnerabilities in outdated Android operating systems or apps to deploy Anubis without user interaction.
- Social engineering techniques. Attackers often prompt users to grant intrusive permissions (e.g., device administrator access or access to contacts, SMS, and accessibility services), enabling Anubis to take control of significant device functionality.
Protection
To prevent the Anubis malware from compromising your Android devices, you should take these mobile cybersecurity measures:
- Download apps only from official sources.
- Avoid clicking on links or downloading attachments from unknown senders.
- Enable 2FA on all your online accounts.
- Regularly update your Android OS and all apps to patch vulnerabilities that could be exploited by Anubis.
- Use mobile security solutions with anti-malware, app scanning, and behavior analysis to detect and block malicious apps or unauthorized activity.
- Avoid granting unnecessary permissions, especially for apps requesting access to device administrator rights, accessibility, or SMS messages.
- Regularly back up key data to secure locations, such as encrypted cloud storage, ensuring recovery in the event of malware infection or data theft.
- Consider using tools like NordVPN’s Threat Protection, which can detect and block malicious files or apps during download or usage.
Removal
To remove Anubis malware from your Android device, you’ll need to contain and eliminate it, then secure your device to prevent future infections:
1. Disconnect from the internet.
2. Uninstall suspicious apps.
3. Run a trusted mobile antivirus tool.
4. Review and revoke suspicious app permissions.
5. Restore to factory settings.
6. Reinstall apps carefully.
7. Change all banking, email, and other service (for example, booking) passwords.
8. Review and update security practices.
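The permission abuse described under "Sources of the infection" (device administrator, accessibility, SMS, overlays) and removal step 4 ("review and revoke suspicious app permissions") can be checked from a workstation rather than by tapping through every app's settings page. The script below is an added example, not code from the page or from NordVPN: it parses the per-package permission listing that `adb shell dumpsys package` prints, combines it with the `enabled_accessibility_services` setting and the set of active device administrators, and flags any third-party package that holds several of the capability groups a banking trojan needs. The sample dump, the accessibility setting string and the package names are constructed and hypothetical; the permission names are real Android permissions. Accessibility and device-admin status are read from separate sources because an app never "requests" `BIND_ACCESSIBILITY_SERVICE` or `BIND_DEVICE_ADMIN`; those protect the service the system binds to, so they do not show up in the app's requested-permission list.

```python
"""Triage installed Android apps for the permission mix a banking trojan needs.

Added example (not the page's or any vendor's code).  Input format mimics
`adb shell dumpsys package <pkg>`; the sample data below is constructed and
every package name in it is hypothetical.
"""
import re

# Real Android permission names, grouped by the capability they give an app.
# A legitimate QR scanner or weather app needs at most one of these groups.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",      # fake login screens
    "android.permission.RECEIVE_SMS": "sms",                  # 2FA interception
    "android.permission.READ_SMS": "sms",                     # SMS harvesting
    "android.permission.SEND_SMS": "sms",
    "android.permission.RECORD_AUDIO": "spyware",             # audio capture
    "android.permission.ACCESS_FINE_LOCATION": "spyware",     # location tracking
    "android.permission.REQUEST_INSTALL_PACKAGES": "installer",  # sideloading
}
THRESHOLD = 3  # flag when an app holds this many distinct capability groups

PKG_RE = re.compile(r"Package \[([\w.]+)\]")
PERM_RE = re.compile(r"(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def parse_dumpsys(text):
    """Return {package: {permission: True/False/None}} from dumpsys-like text.

    None means the permission is requested in the manifest but no grant
    status line was seen; trojans nag for permissions they lack, so a
    requested-but-denied permission is still a signal.
    """
    apps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            apps[current] = {}
            continue
        if current is None:
            continue
        for perm, granted in PERM_RE.findall(line):
            state = None if granted == "" else granted == "true"
            # a status-less 'requested permissions' line must not erase a status
            if perm not in apps[current] or state is not None:
                apps[current][perm] = state
    return apps


def triage(dumpsys_text, accessibility_setting, device_admins, threshold=THRESHOLD):
    """Return [(package, [capability groups])] for apps at or above threshold."""
    caps = {}
    for pkg, perms in parse_dumpsys(dumpsys_text).items():
        caps[pkg] = {RISKY_PERMISSIONS[p] for p in perms if p in RISKY_PERMISSIONS}
    # `adb shell settings get secure enabled_accessibility_services` returns
    # colon-separated "package/service" entries.
    for svc in accessibility_setting.split(":"):
        if svc:
            caps.setdefault(svc.split("/", 1)[0], set()).add("accessibility")
    # Active admins come from `adb shell dumpsys device_policy` (assumed to be
    # reduced to a set of package names by the operator beforehand).
    for pkg in device_admins:
        caps.setdefault(pkg, set()).add("device_admin")
    flagged = [(p, sorted(g)) for p, g in caps.items() if len(g) >= threshold]
    return sorted(flagged, key=lambda item: (-len(item[1]), item[0]))


# Constructed sample input; shapes follow dumpsys but values are invented.
SAMPLE_DUMPSYS = """\
Package [com.example.qrscan] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.RECEIVE_SMS
    android.permission.READ_SMS
    android.permission.RECORD_AUDIO
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
  runtime permissions:
    android.permission.RECEIVE_SMS: granted=true
    android.permission.READ_SMS: granted=true
    android.permission.RECORD_AUDIO: granted=false
Package [com.example.weather] (4d5e6f):
  requested permissions:
    android.permission.INTERNET
    android.permission.ACCESS_FINE_LOCATION
  runtime permissions:
    android.permission.ACCESS_FINE_LOCATION: granted=true
"""
SAMPLE_ACCESSIBILITY = "com.example.qrscan/.AccService:com.example.screenreader/.ReaderService"
SAMPLE_DEVICE_ADMINS = {"com.example.qrscan"}

if __name__ == "__main__":
    for pkg, groups in triage(SAMPLE_DUMPSYS, SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_ADMINS):
        print(f"REVIEW {pkg}: {', '.join(groups)}")
```

On a real device the three inputs come from `adb shell dumpsys package <pkg>` for each package listed by `adb shell pm list packages -3`, from `adb shell settings get secure enabled_accessibility_services`, and from `adb shell dumpsys device_policy`. The output is a triage list, not a verdict: a genuine SMS client legitimately holds the SMS group, so each flagged app still needs the step-2 judgement of whether it has any business with the capabilities it holds.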