Anubis malware found on the Play Store

The Anubis malware is (evidently,) an interesting Android malware that steals information with overlay attacks (you think you’re entering data into a banking app but you’re being intercepted via the malware,) does SMS interception and call forwarding, and logs keystrokes.

TL;DR – some malware downloaders in the Play Store, how they function, how Google could fix it today.

The main attack vector appears to be apps on the Play Store that don’t actually contain the malware, but pull it in afterwards to bypass Google’s virus/malware scanning service. You can check, if you’re suspicious of an app whether it carries the REQUEST_PACKAGE_INSTALL permission. You can read a detailed writup on Anubis attack vectors here if it floats your boat.

Anubis

Choice pieces include that attempting to uninstall gets you messages that you can’t, local Play Protect is disabled, bank-specific text spoofing based on what banking apps you have, launching their app instead of the banking app, and of course great evil.

From the email that lead me to this / PR firm:

Sam Bakken, senior product marketing manager at OneSpan:

“This recent discovery goes to show that attackers still find ways around Google Play vetting and so you cannot simply assume that your users’ mobile devices are secure. In the end, it’s really best to assume that you’re deploying your mobile app to a hostile environment and ensure it can protect itself in such a situation. Overlay attacks continue to be a common threat, but in this case, the Anubis malware is logging keystrokes and taking screenshots in an effort to pilfer banking credentials and the like. Some mobile app shielding technology can empower an app to defend itself in these situations, detecting and blocking such malicious activity before it’s too late.“ 

Paul Bischoff, privacy advocate with Comparitech.com:

“The prevalence of the Anubis malware across the Google Play Store is a failure by Google to properly vet and approve apps and app updates. Anubis has been around for several months, so Google’s anti-malware defenses should have spotted it. If Android users can’t trust their official app store to be safe, who can they trust? If Google can’t keep malware off of the Play Store, security-conscious users are more likely to turn to Apple.”


Apple, the more secure option listed above, would be that company that let people view anyone’s camera and audio feeds without them knowing with Facetime last month.

Apple it should be noted also has package installing abilities like those on Android which they recently temporarily revoked for Google and Facebook. That said, the bar is probably higher to get that ability. Google, it appears, just lets anyone with a developer account use that permission.

Seems like this easy enough to fix – just put a giant warning on anything with that permission on the Play Store “this app has the ability to download and install other applications and this is not safe”

Sources: email from Madison Alexander PR and linked

Liked it? Take a second to support Pocketables on Patreon!

Paul E King

Paul King started with GoodAndEVO in 2011, which merged with Pocketables, and as of 2018 he's evidently the owner. He lives in Nashville, works at a film production company, is married with two kids. Facebook | Google+ | Twitter | Donate | More posts by Paul | Subscribe to Paul's posts