
Anubis

Anubis was one of the first Android banking trojans to combine overlay attacks, keylogging, screen recording, SMS interception, and file encryption into a single package. Developed by the actor "maza-in" and sold as a private MaaS operation from late 2017, it set the template for nearly every banking trojan that followed. Its 2019 source code leak seeded multiple successor families, most notably GodFather.

Overview

| Property | Value |
|---|---|
| First Seen | Late 2017 (evolved from BankBot codebase published December 2016) |
| Last Seen / Status | Active development ended ~Q1 2019 (developer arrested); leaked source still reused in campaigns through 2021 |
| Type | Banking trojan, infostealer, ransomware |
| Attribution | "maza-in" (Russian-speaking developer, arrested March 2019) |
| Aliases | BankBot Anubis, Android.BankBot.Anubis, Anubis II |

Origin and Lineage

In December 2016, maza-in published a tutorial titled "Android BOT from scratch" on the exploit.in forum, sharing full source code for both the Android client and the PHP C2 panel. This became the BankBot family. Maza-in continued developing the codebase privately, adding overlay injection, keylogging, and remote access features. By late 2017 the enhanced version was marketed as "Anubis" to a limited set of private buyers.

ThreatFabric's analysis documents how Anubis II diverged from the original BankBot code with substantially expanded capabilities. In early 2019, maza-in vanished from underground forums. The backend code and an unobfuscated APK were leaked publicly in January 2019, enabling any actor to spin up their own Anubis operation. This leak directly influenced the development of GodFather, Ginp, and multiple private forks.

Distribution

Anubis operators relied on two primary delivery vectors:

Google Play droppers: Apps disguised as utility tools (flashlight apps, battery savers, currency converters) passed Google Bouncer checks, then downloaded the Anubis payload post-install. ThreatFabric documented how dropper campaigns maintained "normal" app behavior for days before activating, evading automated analysis for months.

Phishing campaigns: SMS and email lures directed victims to fake app download pages. Cofense identified campaigns distributing APKs via phishing emails that mimicked invoice notifications and package delivery alerts.

Some campaigns also used Twitter and Telegram channels to distribute C2 addresses to already-infected devices, decoupling the initial dropper from the active infrastructure.

Capabilities

Core Feature Set

| Capability | Implementation |
|---|---|
| Overlay injection | Monitors running apps via UsageStatsManager, injects phishing WebView over targeted banking/crypto apps |
| Keylogging | Accessibility Service captures all text input events across the device |
| Screen recording | MediaProjection API streams device screen to C2 |
| SMS interception | Intercepts, reads, and hides incoming SMS (OTP/2FA theft) |
| File encryption | RC4-encrypts files on internal/external storage, appends .AnubisCrypt extension |
| SOCKS5 proxy | Routes network traffic through infected device |
| Sound recording | Records audio via device microphone |
| File exfiltration | Browses and uploads files from device storage |
| VNC | Remote device control through accessibility-based interaction |
| Contact theft | Exfiltrates full contact list |
| App install/uninstall | Silently installs additional payloads or removes competing malware |
| Google Play Protect disable | Uses accessibility to navigate settings and disable Play Protect |

Version Evolution

| Version | Period | Key Additions |
|---|---|---|
| BankBot (alpha) | Dec 2016 | Overlay attacks, SMS interception, basic C2 |
| Anubis 1.x | Late 2017 | Keylogging, screen recording, sound recording, SOCKS5 proxy |
| Anubis 2.0 | Mid 2018 | VNC remote control, file browser, network proxy |
| Anubis 2.5 | Late 2018 | Ransomware module (RC4 file encryption), expanded target list to 300+ apps |
| Post-leak variants | 2019-2021 | Various actors added obfuscation, updated target lists, minor feature changes |

Permissions

| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Keylogging, VNC remote control, overlay injection, Play Protect disabling |
| SYSTEM_ALERT_WINDOW | WebView overlay windows for credential phishing |
| BIND_DEVICE_ADMIN | Device admin privileges for persistence and anti-uninstall |
| PACKAGE_USAGE_STATS | Monitor foreground apps via UsageStatsManager for overlay triggering |
| READ_SMS | Read SMS for OTP/2FA theft |
| RECEIVE_SMS | Intercept incoming SMS |
| SEND_SMS | Send SMS from victim device |
| READ_CONTACTS | Contact list exfiltration |
| READ_EXTERNAL_STORAGE | File browsing and exfiltration, ransomware target |
| WRITE_EXTERNAL_STORAGE | File encryption (ransomware module) |
| RECORD_AUDIO | Sound recording via device microphone |
| READ_PHONE_STATE | Device fingerprinting |
| INTERNET | HTTP C2 communication and SOCKS5 proxy |
| RECEIVE_BOOT_COMPLETED | Restart after device reboot |
| REQUEST_INSTALL_PACKAGES | Silent installation of additional payloads |
| REQUEST_DELETE_PACKAGES | Remove competing malware |

Technical Details

C2 Communication

Anubis retrieves its initial C2 address from Twitter or Telegram channels, then switches to direct HTTP communication. The bot sends POST requests to the C2 server containing device data encrypted with a key provided by the server during the initial handshake. Commands are polled at regular intervals.

The C2 panel (PHP-based) manages bot registration, overlay injection delivery, command dispatch, and exfiltrated data storage. Operators configure target application lists and overlay HTML/WebView templates through the panel.

Encryption

RC4 is used in two contexts:

  • C2 traffic: Request/response payloads are RC4-encrypted with a server-provided key, then Base64-encoded for transport.
  • Ransomware module: Files on device storage are encrypted with RC4, the originals are deleted, and the .AnubisCrypt extension is appended. The decryption key is held server-side, so recovery without it is not possible.
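As an added analysis example (not code from the page, the malware, or any vendor tool), the following reverses the Base64-then-RC4 layering described for C2 bodies and restores a .AnubisCrypt file once the key has been recovered (for instance from the panel or from captured traffic). The key, the JSON field names and the file content are constructed sample values.

```python
import base64
import tempfile
from pathlib import Path


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_c2_body(body_b64: str, key: bytes) -> str:
    """Undo the Base64 + RC4 layering of a captured C2 POST body."""
    return rc4(key, base64.b64decode(body_b64)).decode("utf-8", errors="replace")


def restore_anubiscrypt(encrypted: Path, key: bytes) -> Path:
    """Recover a .AnubisCrypt file when the key is known; writes next to it."""
    if encrypted.suffix != ".AnubisCrypt":
        raise ValueError(f"not an .AnubisCrypt file: {encrypted.name}")
    restored = encrypted.with_suffix("")       # strip the appended extension
    restored.write_bytes(rc4(key, encrypted.read_bytes()))
    return restored


# Constructed sample values (not real Anubis keys, traffic or field names)
SAMPLE_KEY = b"constructed-session-key"
SAMPLE_PLAINTEXT = '{"bot":"sample-device","cmd":"poll"}'
SAMPLE_BODY = base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT.encode())).decode()


def demo_restore(content: bytes = b"constructed file body", key: bytes = SAMPLE_KEY) -> bool:
    """Round-trip check: build a constructed .AnubisCrypt artefact, then restore it."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = Path(tmp, "report.pdf.AnubisCrypt")
        victim.write_bytes(rc4(key, content))  # stands in for the encrypted artefact
        return restore_anubiscrypt(victim, key).read_bytes() == content
```

Because RC4 is a plain XOR keystream, the same routine serves both directions; the only thing an analyst needs from the infrastructure is the session key.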

Overlay Mechanism

When a targeted app launches, Anubis detects it via UsageStatsManager or Accessibility events and immediately pushes a WebView overlay matching the target app's login screen. Credentials entered into the overlay are POSTed to the C2. The overlay HTML is fetched from the C2, allowing operators to update phishing templates without pushing a new APK.

Persistence

Anubis requests Device Admin privileges early in the infection chain, preventing easy uninstallation. It also disables Google Play Protect by navigating the settings UI through Accessibility Service actions.

C2 Infrastructure

| Component | Details |
|---|---|
| Initial C2 resolution | Twitter or Telegram channels hosting encrypted C2 addresses |
| Primary protocol | HTTP POST with RC4-encrypted, Base64-encoded payloads |
| Encryption | RC4 with server-provided key (key exchanged during initial handshake) |
| Panel | PHP-based web interface for bot management, overlay delivery, command dispatch |
| Overlay hosting | WebView HTML templates served from C2, updatable without new APK |
| SOCKS5 proxy | Infected devices used as network proxies for traffic routing |
| Dead drop resolvers | Twitter and Telegram used as fallback C2 channels |

Target Regions and Financial Institutions

Anubis campaigns targeted financial apps across a broad geographic range, with concentration in:

| Region | Notable Targets |
|---|---|
| Europe | Banks in France, Germany, Spain, Italy, Poland, Turkey |
| North America | Wells Fargo, Chase, Citibank, Bank of America |
| Australia | Major Australian banking apps |
| Middle East | Turkish banking apps (primary early targets) |
| Crypto | Coinbase, Blockchain.com, various wallet apps |

At peak operation, Anubis maintained overlay templates for over 394 financial applications, including banking, cryptocurrency, and e-commerce apps like eBay and Amazon.

Notable Campaigns

Early 2018, Google Play dropper wave: Multiple utility apps on Google Play distributed Anubis payloads. ThreatFabric tracked a botnet of over 5,400 infected devices with 276 harvested banking credential sets from a single C2 server, targeting 420+ banking apps.

Mid 2019, Cofense phishing campaign: Cofense researchers identified a large-scale email phishing operation targeting 250+ Android apps. The campaign delivered APKs via fake invoice emails and combined credential theft, keylogging, and ransomware capabilities in a single payload.

July 2021, Orange S.A. impersonation: A Lookout-identified campaign masqueraded as the official Orange telecom app and was submitted to Google Play. The variant expanded its target list to 394 unique apps including banking, reloadable card, and cryptocurrency applications.

Late 2021, post-leak resurgence: Bleeping Computer reported that Anubis-based variants returned with updated obfuscation and expanded targeting, demonstrating the long tail of the source code leak.

Detection

| Indicator Type | Details |
|---|---|
| Device Admin request | App requesting device administrator privileges without legitimate MDM purpose |
| Play Protect disabling | Accessibility actions navigating to Google Play Protect settings to disable it |
| Twitter/Telegram C2 | Network connections to Twitter or Telegram to resolve C2 addresses |
| .AnubisCrypt files | Files with the .AnubisCrypt extension on device storage (ransomware module active) |
| RC4-encrypted HTTP traffic | POST requests with RC4-encrypted payloads to non-standard endpoints |
| UsageStatsManager polling | App monitoring foreground application changes at high frequency |
| SOCKS5 proxy | Device routing external traffic through a SOCKS5 tunnel |
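As an added static-triage example (not from the page or any vendor tool), the following checks an AndroidManifest.xml against permission clusters taken from the Permissions table earlier on the page. It also handles the detail that BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN are declared on components rather than as uses-permission entries. The sample manifest, cluster grouping and threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Capability clusters assembled from the page's permission table (assumed grouping).
# A cluster only counts when every permission in it is present.
CAPABILITY_CLUSTERS = {
    "overlay injection": {"SYSTEM_ALERT_WINDOW", "PACKAGE_USAGE_STATS"},
    "accessibility abuse": {"BIND_ACCESSIBILITY_SERVICE"},
    "SMS/OTP interception": {"RECEIVE_SMS", "READ_SMS"},
    "device-admin persistence": {"BIND_DEVICE_ADMIN"},
    "silent package management": {"REQUEST_INSTALL_PACKAGES", "REQUEST_DELETE_PACKAGES"},
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Collect <uses-permission> names plus android:permission on components."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for el in root.iter():
        if el.tag == "uses-permission":
            names.add(el.get(ANDROID + "name", ""))
        elif el.tag in ("service", "receiver", "activity"):
            names.add(el.get(ANDROID + "permission", ""))
    names.discard("")
    return {n.rsplit(".", 1)[-1] for n in names}   # drop the android.permission. prefix


def matched_clusters(perms: set[str]) -> list[str]:
    """Return the capability clusters fully covered by the declared permissions."""
    return [name for name, needed in CAPABILITY_CLUSTERS.items() if needed <= perms]


def is_anubis_like(perms: set[str], threshold: int = 3) -> bool:
    """Heuristic (assumed threshold): accessibility plus at least `threshold` clusters."""
    hits = matched_clusters(perms)
    return "accessibility abuse" in hits and len(hits) >= threshold


# Constructed manifest for a "flashlight" dropper-style app; not a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.PACKAGE_USAGE_STATS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Storage and INTERNET permissions are deliberately left out of the clusters: on their own they are too common in benign apps to carry signal.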

Related Families

| Family | Relationship |
|---|---|
| BankBot | Direct predecessor. Maza-in published BankBot source in December 2016 and continued private development into Anubis. |
| GodFather | Primary successor. Built on the leaked Anubis source code with updated obfuscation, target lists, and evasion techniques. |
| Cerberus | Contemporary banking trojan that shared the MaaS model and overlay approach. Cerberus source leaked in 2020, spawning its own lineage (Ermac, Hook). |
| Ginp | Borrowed code directly from the leaked Anubis source. |
