Anubis 8.0

The mobile malware landscape has become increasingly dangerous with the emergence of sophisticated banking trojans that target financial applications across multiple platforms. Among these threats, a particularly advanced strain has evolved through multiple iterations to become one of the most pervasive mobile banking malware families in circulation. Anubis 8.0 exemplifies the growing trend of cross-platform financial threats that combine traditional banking trojan capabilities with advanced ransomware features, creating a dual-threat payload that can both steal credentials and lock devices. Its modular architecture and frequent updates make it especially difficult to detect and analyze, posing significant risks to both individual users and financial institutions.

This malware is a feature-rich banking trojan primarily targeting Android devices, though newer versions have expanded to other platforms. It operates as a malicious overlay application designed to steal banking credentials, credit card information, and sensitive personal data. Typically distributed through fake app stores, malicious advertisements, and smishing campaigns, it is commonly used in financial fraud operations, identity theft, and as a precursor to ransomware attacks. The Anubis 8.0 is a significant evolution from previous iterations, incorporating new evasion techniques and expanded targeting capabilities that make it particularly dangerous in the current threat landscape.

Key Features of Anubis 8.0

Feature	Description
Overlay Attacks	Displays fake login screens over legitimate banking apps
Keylogging	Captures all keyboard input including passwords and PINs
SMS Interception	Reads and sends SMS messages to bypass 2FA
Remote Control	Allows attackers to take control of infected devices
Ransomware Module	Encrypts device files and demands payment
Anti-Detection	Uses multiple techniques to evade mobile security solutions
Accessibility Abuse	Exploits Android accessibility services for persistent access
Target List	Contains over 500 financial applications worldwide
C2 Communication	Uses encrypted channels with fallback mechanisms

How Anubis 8.0 Works

Infection Vector

The malware typically spreads through:

Fake Application Packages: Disguised as legitimate apps or utilities
Smishing Campaigns: Malicious links sent via SMS messages
Third-Party Stores: Distributed through unofficial app marketplaces
Malvertising: Drive-by downloads from compromised ad networks

Upon installation, the malware:

Requests extensive permissions (accessibility services, SMS, overlay)
Hides its icon from the app drawer to prevent removal
Connects to command and control (C2) servers for configuration

Core Malicious Functionality

Overlay Attack Mechanism:
- Monitors for launches of targeted banking apps
- Displays identical-looking fake login screens
- Captures entered credentials and transmits to C2
SMS Fraud Capabilities:
- Intercepts incoming SMS messages (including 2FA codes)
- Can send premium-rate SMS messages without user knowledge
- Block security-related SMS alerts from banks
Remote Access Features:
- Allows attackers to remotely control the device
- Can initiate USSD commands for financial fraud
- Enables real-time screen viewing and interaction
Ransomware Component:
- Encrypts user files with strong cryptography
- Displays ransom demands threatening data loss
- Can lock the device completely until payment

Evasion and Persistence Techniques

Code Obfuscation: Uses advanced packing and encryption
Dynamic Loading: Downloads malicious modules after installation
Anti-Emulation Checks: Detects and behaves differently in analysis environments
Update Mechanism: Can receive new configurations and target lists
Persistence: Maintains access through accessibility service abuse