Anubis Strikes Again: Mobile Malware Continues to Plague Users in Official App Stores
** This post was written with mobile threat researchers Shachar Gritzman and Nethanella Messer **
Want to learn more about this cybercrime trend? Check out the original blog post here.
IBM X-Force mobile malware researchers have observed several developers actively uploading Android malware downloaders to the Google Play Store.

Following ongoing campaigns against Google Play, our research team has been monitoring banking malware activity in official app stores. The team recently reported that downloader apps in the store are being used as the first step in an infection routine that fetches the Marcher (aka Marcher ExoBot) and BankBot Anubis mobile banking Trojans. Users who unknowingly install the app on their devices are subsequently infected. Cybercriminals use these banking Trojans to facilitate financial fraud by stealing login credentials to banking apps, e-wallets and payment cards.

Starting in June, our team discovered a number of new malware downloader samples that infect users with BankBot Anubis (aka Go_P00t). The campaign features at least 10 malicious downloaders disguised as various applications, all of which fetch mobile banking Trojans that run on Android-based devices. While the number of downloaders may seem modest, each of those apps can fetch more than 1,000 samples from the criminal’s command-and-control (C&C) servers.

Finding new downloaders in the app store in connection with the BankBot Anubis malware could suggest that:

- A given malware distributor/cybercrime faction has shifted from using Marcher to distributing BankBot Anubis; or
- The threat actors distributing the malware on Google Play are offering their “expertise” as a service, spreading malware downloaders for different cybercrime factions that use mobile Trojans to facilitate financial fraud — aka “downloader-as-a-service.”

Such cybercrime services are common in the fraud and malware black markets. They entail a proven ability to infiltrate Google Play and plant malicious downloaders under the guise of benign-looking apps. These services can likely maintain the downloader’s C&C servers long enough to generate a steady stream of new infections, suggesting the thought-out operational security and know-how characteristic of organized cybercrime groups.