MENU
AVP for Institutionalization 2018

DILG STRATEGIC DIRECTION AVP

ACG-CYBER SECURITY BULLETIN NO 141 UNDERSTANDING THE RISK OF ANUBIS MALWARE

The following information was obtained from different cyber security sources for notification to all parties concerned pursuant to the mandate of the Philippine National Police Anti-Cybercrime Group (PNP ACG).

The information provided was classified as “Restricted” pursuant to the PNP Regulation 200-012 on Document Security and Impact Rating as high based on PNP Information Communication Technology (ICT) Security Manual s.2010-01 p. 22 and p.129.

SUMMARY

Anubis malware designed to steal login credentials for banking apps, e-wallets and payment cards. The payload was hidden in applications which claimed to offer services ranging from online shopping to live stock-market monitoring.

                  Hackers bypass the Google play store security and distributing malware via Android apps that will act as the first step in an infection routine that fetches the BankBot Anubis mobile banking Trojans via Command & Control (C&C) server.  In order to ensure that the app does not get detected by Google play store, the developers of the malware are constantly altering the capabilities of the malware.

            Users are frequently infected once they download and install the malicious apps via google play store, even though play store security inspect all the app that uploaded into Google Play, cybercriminals always implement the sophisticated techniques to evade the detection.

            Once malicious downloader successfully installed into the victims Android mobile then the app fetches BankBot Anubis from one of its C&C servers. Also, BankBot Anubis malware posed as an app called “Google Protect” and asks for accessibility rights.  The malware authors are ultimately hoping that users will see the name Google on the display and inherently trust that the request is legitimate.

            However, this is not the case and by granting accessibility rights, the malware is given permission to perform keylogging, thru this, the user’s login information, the attacker can steal credentials from any app while avoiding the need to create custom overlays for each target. Anubis can also take screenshots of the user's display, which it likely uses to steal credentials since the keyboard strokes are visible. These features are staples of PC banking malware and are evolving in Android malware as well.

            For now, the malware appears to be targeting Android users only. Therefore, Android users must remain careful before downloading any app, regardless of how legit it appears.

            To avoid this stick to the official Google Play store when downloading apps, make sure to read user reviews before downloading anything to your device and pay attention to what permissions you grant to apps both before and after installation.

RECOMMENDATION

All PNP personnel as well as the public are advised to follow the tips in order to avoid the risk of Anubis Malware, to wit:

 

  • While downloading from the Play store, make sure to get to know the app permissions before installing or updating;
  • Keep all hardware and software updated with the latest, patched version;
  • Run reputable antivirus or anti-malware applications on all devices and keep them updated with the latest version;
  • Never click on unknown links, even if it seems to be coming from a known person;
  • Create multiple, redundant backups of all critical and sensitive data and keep them stored off the network in the event of a ransomware infection or other destructive malware incident. This will allow you to recover lost files, if needed.

For additional information, please refer to the following websites:

  • https://gbhackers.com/hackers-distributing-anubis-banking-malware/
  • https://www.zdnet.com/article/android-security-password-stealing-trojan-malware-sneaks-in-google-play-store-in-bogus-apps/
  • https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/

POINT CONTACT

            Please contact PCINSP ANGELICA STARLIGHT L. RIVERA, Chief, Personnel Records Management Section thru e-mail address This email address is being protected from spambots. You need JavaScript enabled to view it. or contact us on telephone number (632) 7230401 local 3562 for any inquiries related to this CYBER SECURITY BULLETIN.