[ANUBIS VIRUS]: Major Android Virus Attacking Bitfinex, Binance Exchange Apps and Others (Pt. 1)

Photo Credit in Picture (there is no affiliation between this entity and Zerononcense)

In the course of general research, Zerononcense recently came across a report titled ‘Reverse Engineering of the Anubis Malware — Part 1’, which presented information about malware, dubbed ‘Anubis’, that has been wreaking havoc on Android devices throughout 2019. While the malware was not created specifically to target the blockchain space, the virus is extremely well-engineered, sophisticated, dangerous, and highly targeted, with those that engage in financial-related activities being at the greatest risk.

Specifically, those that engage in any activity related to banking, using exchanges, or even checking cryptocurrency prices are at significant risk if they have been infected with this virus.

The first report (cited in the first paragraph) that this article uses as a reference was published by a French cybersecurity researcher writing under the pseudonym ‘Elliot Alderson’. That report provides general background information about the virus (Anubis), its origin, its means of execution and insertion, and some of the virus’s detected targets.

The second report that this piece draws on heavily is titled ‘Anubis II — malware and afterlife’, published by the cybersecurity firm ThreatFabric. That report provides further information regarding the features of Anubis and covers some of the gaps in coverage from the first report.

For more comprehensive coverage of this virus, users should check the following links:

1. https://www.zdnet.com/article/anubis-android-banking-malware-returns-with-a-bang/
2. https://securityintelligence.com/news/more-than-17000-samples-of-anubis-android-malware-found-on-two-related-servers/ (July 9th, 2019)
3. https://fossbytes.com/android-malware-records-screen-steal-banking-details/ (July 4th, 2019)
4. https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/ (April 30th, 2019)
5. https://twitter.com/LukasStefanko/status/1095614488529854466?s=20 (Cybersecurity researcher)
6. Anubis Android Malware – IBM X-Force Collection (security researchers at Trend Micro provided details about numerous malicious apps they discovered abusing Google shortlinks for command and control instructions)

Explaining What the ‘Anubis’ Virus is and What it Does

Below is an excerpt from the second report, which provides a description of the virus:

“Anubis II is the Android banking Trojan created and advertised by an actor with the nickname ‘maza-in’. This malware family goes beyond the well-known overlay attacks by combining advanced features such as screen streaming, remote file browsing, sound recording, keylogging and even a network proxy, making it an efficient banking malware but also a potential spying tool. Effectively, Anubis can be considered one of the most used Android banking Trojans since late 2017.”

Capabilities of the Malware on Infected Devices (Courtesy of ThreatFabric):

Essentially, Anubis ‘spoofs’ certain websites and applications, using a variety of sophisticated methods designed to make detection without the aid of accompanying software (anti-virus) nearly impossible. According to ThreatFabric, the malware can effectively steal ‘online banking credentials’, ‘banking security codes’, and ‘even credit card details’.

Based on Zerononcense’s assessment of the virus’ capabilities, the dangers of this virus are vastly understated by ThreatFabric.

It is worth noting that the outlined capabilities above expose users to a countless number of attacks that would render many of the best safeguards entirely obsolete. Specifically, the malware’s capabilities allow the operators of the malware to effectively implement a ‘man-in-the-middle’ attack with ease. An effective man-in-the-middle attack can render 2FA (two-factor authentication) virtually useless, even if a time-based code generator like the Google Authenticator, for instance, is employed.

Picture Credit: https://www.imperva.com/learn/application-security/man-in-the-middle-attack-mitm/
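To make the 2FA point above concrete, here is an added example (not code from the original post, from ThreatFabric, or from Google Authenticator): a minimal RFC 6238 TOTP verifier, used to show that a code captured from the user and forwarded to the real service within the same time window validates normally, because the code depends only on the shared secret and the clock, never on the session it was typed into. The secret and timestamps are constructed for the demonstration.

```python
# Added example (not from the original post or ThreatFabric): minimal RFC 6238
# TOTP, used to show why a relayed authenticator code still validates.
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

TIME_STEP = 30  # seconds per TOTP window
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"  # constructed demo secret, not a real account


def totp(secret_b32: str, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time window containing `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(at) // TIME_STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, at: float, skew: int = 1) -> bool:
    """Server-side check: accept the current window and +/- `skew` neighbours.
    Nothing here identifies who submitted the code or from which session."""
    for step in range(-skew, skew + 1):
        expected = totp(secret_b32, at + step * TIME_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


def relayed_code_is_accepted(delay_seconds: float, now: Optional[float] = None) -> bool:
    """Model the scenario above: the victim types a code into a spoofed screen
    at `now`; the operator submits the same code to the real service
    `delay_seconds` later. Returns whether the real service accepts it."""
    now = time.time() if now is None else now
    captured = totp(DEMO_SECRET_B32, now)  # what an overlay or keylogger sees
    return verify_totp(DEMO_SECRET_B32, captured, now + delay_seconds)


if __name__ == "__main__":
    print("relayed within 5 s accepted:", relayed_code_is_accepted(5))
    print("relayed after 10 min accepted:", relayed_code_is_accepted(600))
```

The only protection a plain TOTP gives here is the short validity window; a factor bound to the origin and session (for example a FIDO2/WebAuthn key) is what actually defeats the relay.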

In addition, the malware would also be able to implement a ‘timing attack’. This is significant because an effective timing attack can compromise even a scheme as strong as ECDSA (the digital signature algorithm that is one of the cryptographic standards Bitcoin uses).


To be clear, this does not mean that this virus has the ability to compromise Bitcoin itself or even ‘break’ the encryption. Bitcoin was merely mentioned as a familiar reference in this case.

Below is a study published in 2011 by the Aalto University School of Science in Finland that outlines how remote timing attacks can be used to compromise the security of various cryptographic signatures (depending on how the signing routine was implemented):

Remote Timing Attacks are Still Practical (PDF)

Below is a link to a video titled, ‘Infection and removal of Android Malware that uses Accessibility services’ that provides a visual breakdown and explainer of the virus as well:

https://www.youtube.com/watch?v=VCCgc7dib7I

The video provides a visual for those that prefer to receive information in that format.

Methods of Infection and Insertion

The primary platform that Anubis used to infect users was the Google Play store (Android). There are a host of alleged security flaws in the Google Play store that the malware operators were able to exploit in order to infect Android devices via downloads of applications that appeared to be legitimate on the store.

Specifically, the second report notes that Anubis used various disguises such as: “fake mobile games, fake software updates, fake post/mail apps, fake flash-player apps, fake utility apps, fake browsers and even fake social-network and communication apps.”

Targets of Anubis

ThreatFabric lists a total of 378 entities that it determined Anubis was targeting, specifically.

Nearly all of these targets were in the financial sphere in some capacity. Targets included crypto exchanges, traditional banking websites and applications, alternative finance, and other popular applications related to banking, trading, or finance.

Clarifying the Term ‘Target’

To be specific, in this section of the report, the list of ‘targets’ (financial & blockchain applications) does not mean that the entities listed are being attacked directly. The entity that has been compromised in this situation is the infected user device.

However, the virus does not become active until the user decides to visit one of these sites. The virus is programmed to begin executing its script remotely, extracting details from users as soon as they visit these sites, using one of the many methods mentioned in the previous section. Thus, the virus is ‘targeting’ certain sites as the platforms that the operators wish to infiltrate by compromising the platform’s users first.

Since the majority of Zerononcense’s audience is in the blockchain sphere, the below list will contain targets that Zerononcense identified as blockchain-related entities (the full list can be found here).

Entity names are listed below with the specific ‘package name’ in parentheses:

  • Binance (com.binance.dev)
  • Binance: Cryptocurrency & Bitcoin Exchange (com.binance.odapplications)
  • Zebpay India (com.bitcoin.ss.zebpayindia)
  • Bitfinex (com.bitfinex.bfxapp)
  • Aplikacja Bitmarket (com.bitmarket.trader)
  • Blockfolio — Bitcoin and Cryptocurrency Tracker (com.blockfolio.blockfolio)
  • BtcTurk Bitcoin Borsasi (com.btcturk)
  • Coin Profit (com.coin.profit)
  • Coinbase — Buy Bitcoin & more. Secure Wallet. (com.coinbase.android)
  • LocalBitCoins (com.coins.bit.local)
  • LocalBitCoins NEW (com.coins.ful.bit)
  • Crypto App — Widgest, Alerts, News, Bitcoin Prices (com.crypter.cryptocurrency)
  • Bitcoin Blockchain Explorer (com.jackpf.blockchainsearch)
  • Local Bitcoin (com.jamalabbasii1998.localbitcoin)
  • Jaxx Blockchain Wallet (com.kryptokit.jaxx)
  • LocalBitcoins — Buy and sell Bitcoin (com.localbitcoins.exchange)
  • LocalBitCoins Official (com.localbitcoinsmbapp)
  • Coin Market-Bitcoin Prices, Currencies, BTC, EUR, ICO
  • Mycelium Bitcoin Wallet (com.mycelium.wallet)
  • Poloniex (com.plunien.poloniex)
  • Coinbase Tracker (3rd party) (com.portfolio.coinbase_tracker)
  • LocalBitCoins (com.thunkable.android.manirana54.LocalBitCoins)
  • UNBLOCK Local BitCoins (com.thunkable.android.manirana54.LocalBitCoins_unblock)
  • UNOCOIN LIVE (com.thunkable.android.snatoshmehta364.UNOCOIN_LIVE)
  • Coin Portfolio for Bitcoin & Altcoin tracker (com.tnx.apps.coinportfolio)
  • Unocoin Wallet (com.unocoin.unocoinwallet)
  • Blockchain Merchant (info.blockchain.merchant)
  • Delta — Bitcoin & Cryptocurrency Portfoolio Tracker (io.getdelta.android)
  • Blockchain Wallet. Bitcoin, Bitcoin Cash, Ethereum (piuk.blockchain.android)
  • QIWI Wallet (ru.mw)
  • Zebpay Calculator — Profit/Loss Management (wos.com.zebpay)
  • Zebpay Bitcoin and Cryptocurrency Exchange (zebpay.Application)
  • Monero Wallet (xmr.org.freewallet.app)
  • Bitcoin Wallet by Freewallet (btc.org.freewallet.app)
  • BitPay — Secure Bitcoin Wallet (com.bitpay.wallet)
  • BTC.com — Bitcoin Walllet (com.blocktrail.mywallet)
  • Electroneum (com.electroneum.mobile)
  • Bitcoin Wallet Totalcoin — Buy and Sell bitcoin (io.totalcoin.wallet)

In addition to the extensive list of blockchain-related applications that this virus targets, the list of financial institutions affected by this virus is also extensive.

Below is a short list (not exhaustive) of some of the major financial institutions that are targeted by the virus:

  • ING Bank
  • HSBC
  • Barclays
  • Chase Mobile
  • Deutsche Bank
  • Bank of Scotland
  • Lloyds Bank
  • Halifax Banking (this is an interesting target)
  • TSB Bank
  • Bank of America

This virus heavily targets the banks above as well as others. In addition, the virus targets applications created by these banks for users in other countries who speak other languages.

Again, the full list (of what is known currently) can be found here: https://www.threatfabric.com/blogs/anubis_2_malware_and_afterlife.html

Diverse Targeting

What makes this virus particularly potent is that it does not discriminate based on one’s country of origin or native language.

Despite the fact that this report is in English, it should not be ignored that there are applications that are targeted that are natively written in:

  • English
  • Spanish
  • Russian
  • Chinese
  • Turkish
  • Polish

Among others.

In addition, it should be noted that the virus is targeting financial institutions that are located on every continent (Antarctica excluded).

Specifically, the following countries are targeted:

  • Canada
  • United States
  • Panama
  • Brazil
  • Colombia
  • France
  • Poland
  • Germany
  • U.K.
  • Ukraine
  • Russia
  • Turkey
  • China

Among several others.

Conclusion

This report is concluding at this point because of the urgency of the situation.

At the time of writing, there does not appear to be any coverage of this virus or its impact in the blockchain space at all.

Thus, Zerononcense is waiving all copyright or attribution concerns for this specific report (credit would be greatly appreciated, but this issue transcends that).

Users should take action to protect themselves immediately.

The next report will dig into:

  1. The origin of the virus itself
  2. Methods of detection
  3. Some reliable sources of anti-virus software for Android users (some anti-virus apps simply install adware and extract information from users; others are simply ineffective)
  4. Some guidance on actions that users can take after they successfully remove the malware (if they detected it and successfully removed it)
  5. Safety precautions to take in the future

There will more than likely be additional information included in this report’s follow-up.

For more information and updates, Zerononcense is publishing on the following outlets:

  • Telegram = t.me/Zerononcense
  • Twitter = twitter.com/zerononcense

2 comments on “[ANUBIS VIRUS]: Major Android Virus Attacking Bitfinex, Binance Exchange Apps and Others (Pt. 1)”

  1. Hi there. Just curious to know why I have not found this on your Twitter feed at the moment. Regards Steve
