AnubisSpy Malware: Stealing photos, videos & spying on Android users

Android devices seem to be the preferred target for hackers, as there have already been multiple incidents involving malware, ransomware and cryptocurrency-miner apps designed to infect Android devices. Now, security experts have identified a new Android malware that has been dubbed AnubisSpy.

This particular malware targets Arabic-speaking users, and its primary attack domain seems to be the Middle East. Researchers have linked this malware with the Sphinx cyberespionage campaign, which was discovered in 2014-15 and launched by the APT-C-15 group, mainly because it also targeted users across the Middle East.


The malware was discovered by Trend Micro’s Mobile Threat Response Team, and their findings were disclosed on December 19th. According to their research, AnubisSpy is equipped with wide-ranging data-stealing capabilities and can also spy on the user’s activities.

Trend Micro’s team assessed seven apps on Google Play and third-party marketplaces and found that they contained AnubisSpy. These apps were written in Arabic and were related to Egypt; for example, some showcased Middle Eastern news and an Egyptian television show. The apps had fake Google certificates and were installed only in a handful of countries.

“The apps mainly used Middle East-based news and sociopolitical themes as social engineering hooks and abused social media to further proliferate. Versions of AnubisSpy posed as social news, promotional, healthcare, and entertainment apps,” explained Trend Micro’s researchers in their blog.

Structure of AnubisSpy’s modules (Image: TrendMicro)

AnubisSpy can steal SMS messages, contacts, photos, videos, email accounts, and Samsung and Chrome browser histories. It can also capture screenshots and the configuration files of Twitter, Facebook, Skype and WhatsApp, which lets it spy on those apps. It can also self-destruct to hide its tracks and delete the data on infected devices.

The file structures, JSON file decryption method, C&C server, and targets bear a stark resemblance to the Sphinx campaign. It is possible that the authors of AnubisSpy are also the operators of the Sphinx campaign, though they might be different actors.

As far as the malicious apps are concerned, researchers stated that they had been in circulation since April 2015 and that their latest variant was released in May 2017. Trend Micro contacted Google about the presence of the malicious apps on 12 Oct 2017 and requested an update to Google Play Protect.

“While cyber espionage campaigns on mobile devices may be few and far between compared to ones for desktops or PCs, AnubisSpy proves that they do indeed occur, and may have been more active than initially thought,” noted Trend Micro researchers.


Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.