‘Anubis’ malware steals money posing as Google Play official app, cybersecurity experts warn

Malware designed to steal login information for banking apps, e-wallets, and payment cards from smartphones has found its way onto the Google Play Store, posing as a legitimate app, cybersecurity experts have uncovered.

The Anubis malware – apparently taking its name from Anubis, the ancient Egyptian god of the dead – lures in victims by pretending to offer services ranging from online shopping to live stock market monitoring.

It’s believed that at least 10,000 people have downloaded the malicious app – although it’s unknown how many Android users have subsequently been infected with the malware.

Once granted accessibility rights by the user, the malicious program uses keylogging to record login details for banking apps. Anubis can also take screenshots of the user’s display.

Researchers at IBM X-Force, who discovered the malware in June, said that the fact that the Anubis is able to pose as a legitimate app suggests “a large investment of resources on the part of the campaign’s operator.”

“Such cybercrime services are common in the fraud and malware black markets. They entail a proven ability to infiltrate Google Play and plant malicious downloaders under the guise of benign-looking apps,” the security experts said in their blog.

According to the researchers, the malware’s developers – believed to be located in Turkey – regularly tweak the code to ensure that it isn’t detected by Google Play’s security controls. The regular updates also point to the theory that Anubis was developed by a sophisticated and well-resourced criminal group.

The team of IBM cybersecurity specialists said that the malware appears to specifically target Turkish users, but the malicious code can also be used to steal from users in countries around the world, including the US, UK, and Australia.