Android apps use the motion sensor to evade detection and deliver Anubis malware

Security experts from Trend Micro have recently spotted two Android apps that use the motion sensor to evade detection and spread the Anubis banking Trojan.

Malware authors continue to improve their malicious apps to avoid detection and infect the largest number of users.

Security experts from Trend Micro have recently spotted two Android apps in the Google Play Store, Currency Converter and BatterySaverMobi, that infected thousands of users with banking malware.

Currency Converter masquerade as a currency exchange app and
BatterySaverMobi as a battery saver app, both use motion-sensors of infected Android devices to evade detection. The inputs from the sensors are used before installing a banking Trojan dubbed Anubis.

With this trick, vxers attempt to avoid detection because the malicious code is able to detect the absence of the motion sensor in the emulators used by researchers to detect the malware.

“We looked into this campaign and found that the apps dropped a malicious payload that we can safely link to the known banking malware Anubis (detected by Trend Micro as ANDROIDOS_ANUBISDROPPER ).”
“These apps don’t just use traditional evasion techniques; they also try to use the user and device’s motions to hide their activities. ” reads the analysis published by Trend Micro.

“As a user moves, their device usually generates some amount of motion sensor data. The malware developer is assuming that the sandbox for scanning malware is an emulator with no motion sensors, and as such will not create that type of data. If that is the case, the developer can determine if the app is running in a sandbox environment by simply checking for sensor data.”

The infection process doesn’t start if the malware determines that the device and the user are still by analyzing the sensor data.

If the app discovers the sensor data it runs the malicious code and then attempts to trick the victims into downloading and installing the Anubis payload APK with a fake system update. masquerading it as a “stable version of Android.”

If the user accepts the bogus system update, the dropper uses requests and responses over legitimate services such as Twitter and Telegram downloads the Anubis banking Trojan from the C2 and install it.

“Then, it registers with the C&C server and checks for commands with an HTTP POST request. If the server responds to the app with an APK command and attaches the download URL, then the Anubis payload will be dropped in the background.” continues the analysis.

Experts pointed out the Anubis banking Trojan uses a built-in keylogger to steal credentials and it is also able to take screenshots of the users’ screen while inserting credentials into any banking app.

Experts observed infections in 93 different countries, the latest variant of the Anubis banking Trojan targets at least 377 variations of financial apps.

The banking Trojan is also able to access to contact lists and location, send spam messages to contacts, call numbers from the device, record audio, and alter external storage.

Further details on the malware, including IoCs are reported in the analysis published by Trend Micro.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Anubis banking Trojan, motion sensor)

[adrotate banner=”5″]

[adrotate banner="13"]