Anubis Malware

Anubis began as a banking trojan targeting Android devices. However, it has gained additional functionality over time, including remote access trojan (RAT) features, keylogging, audio recording, and ransomware features. Anubis is commonly distributed as part of malicious apps available on the Google Play Store. In October 2022, it was the most prevalent malware targeting mobile devices, beating out Hydra and Joker.

Request a Demo Get the Security Report

Types of Anubis malware

The source code of the Anubis banking trojan is freely available and open source. This allows various groups to download, customize, and use the mobile malware for their purposes. Anubis malware is delivered via a variety of means, including:

  • Malicious Websites: Anubis is commonly distributed via malicious websites that claim to be associated with legitimate organizations. These pages commonly promote downloading a file, which is actually the Anubis malware.
  • Phishing Messages: Anubis can also be distributed via phishing messages. These messages may contain links to malicious web pages or include attachments containing the Anubis malware.
  • Malicious applications on Google Play: These applications can be fake mobile games, fake software updates, fake utility applications , fake browsers, and even fake social-network and communication applications

The Threat

As open-source malware, Anubis is used by a variety of different cybercrime gangs. These groups have access to a wide range of functionality and pose significant threats to mobile security. Some of the malware’s malicious capabilities include the following:

  • Credential Theft: As a banking trojan, credential theft is a common goal for Anubis. Like other apps, Anubis abuses accessibility services to capture passwords to gain access to sensitive applications and websites.
  • SMS Interception: Anubis has the ability to read and send SMS messages. This allows the malware to collect sensitive information and intercept the one-time passwords (OTPs) used for multi-factor authentication (MFA).
  • Keylogging: The Anubis malware is able to capture the keystrokes recorded on the device. Keylogging allows the malware to collect passwords and other sensitive data typed into the device.
  • Audio Recording: Anubis has access to the device microphone. This allows the malware to capture audio, which could be used to collect sensitive information or material for extortion.
  • Screen Capture: The Anubis malware can capture screenshots from infected devices. These screenshots can be used to collect sensitive information displayed in other applications.
  • Ransomware: Anubis can lock smartphones, denying users access to their devices. The malware displays a ransom note demanding payment to unlock the device.
  • File Theft: Anubis can scan the filesystem of an infected device. If it identifies files of interest, it sends them to the attacker.
  • Location Tracking: Anubis has access to the device’s GPS and pedometer. This allows the attacker to track the user’s movements and activities.

How to Protect Against Anubis Malware

Anubis poses a significant threat to Android device security. However, companies and mobile device users can take various actions to protect against the malware, including the following:

  • Beware of Phishing: Anubis is commonly distributed via phishing, including emails, SMS, and websites. Be cautious about links in messages and email attachments, especially on mobile devices.
  • Validate App Authenticity: Anubis is a malicious application that is commonly sideloaded, bypassing the security offered by legitimate app stores. Only download apps from legitimate app stores and validate their authenticity before installing.
  • Limit Mobile App Downloads: Any mobile application could potentially include malicious functionality. Limiting the number of apps installed on mobile devices reduces the potential for installing mobile malware.
  • Restrict App Permissions: Malicious applications like Anubis commonly request multiple permissions, granting them extensive access to infected devices. Limiting permissions helps to reduce the potential risk posed by mobile malware.
  • Use Mobile App Security Solutions: Mobile security solutions can help to block malicious downloads and identify malicious apps. Mobile security solutions should be installed and kept up-to-date on corporate devices.
  • Implement Strong MFA: Anubis can intercept SMS OTPs used for MFA and attempts to steal login credentials for online accounts. Using strong forms of MFA reduces the risk that mobile malware poses to account security.
  • Enforce Least Privilege: The principle of least privilege states that access and permissions should be restricted to those that a user, device, or app requires to do its job. Restricting permissions limits the damage that a compromised mobile device can do.

Anubis Mobile Malware Protection with Check Point

Anubis malware is a leading threat to Android mobile devices. However, it is far from the only malware that companies face. Learn more about the current state of the cyber threat landscape in Check Point’s 2023 Cyber Security Report.

Remote work demands comprehensive protection for remote employees’ devices, including mobile devices. Check Point Harmony Mobile offers prevention-focused mobile security, including access to threat intelligence about emerging attack campaigns from Check Point Threat Cloud. To learn more about how Check Point Harmony Mobile can protect your organization’s devices against Anubis and other cyber threats, sign up for a free demo today.


This website uses cookies for its functionality and for analytics and marketing purposes. By continuing to use this website, you agree to the use of cookies. For more information, please read our Cookies Notice.