
Anubis

Also known as: BankBot, android.bankbot, android.bankspy

BleepingComputer found that Anubis displays fake login forms when users open apps for targeted platforms, in order to steal credentials. The overlay is shown on top of the real app's login screen so that victims believe it is a legitimate login form, while the credentials they enter are sent to the attackers.

In the new version spotted by Lookout, Anubis now targets 394 apps and has the following capabilities:

Recording screen activity and sound from the microphone

Implementing a SOCKS5 proxy for covert communication and package delivery

Capturing screenshots

Sending mass SMS messages from the device to specified recipients

Retrieving contacts stored on the device

Sending, reading, deleting, and blocking notifications for SMS messages received by the device

Scanning the device for files of interest to exfiltrate

Locking the device screen and displaying a persistent ransom note

Submitting USSD code requests to query bank balances

Capturing GPS data and pedometer statistics

Implementing a keylogger to steal credentials

Monitoring active apps to mimic and perform overlay attacks

Stopping malicious functionality and removing the malware from the device

C2 Infrastructure

Hosting/VPS 100%

Last 7 days

Jul 4, 2026
C2 Hosts: 1
