What is AnubisSpy? New Android malware steals, spies and self-destructs to hide its tracks

A new Android malware dubbed AnubisSpy has been discovered by security experts, targeting Arabic-speaking users in the Middle East. The malware has extensive data-stealing capabilities and can also spy on victims' activities. AnubisSpy has been linked to a long-term cyberespionage campaign called Sphinx that also targeted users in the Middle East.

The Sphinx campaign is believed to be the work of APT-C-15 hacker group. Between 2014 and 2015, APT-C-15 hackers targeted political and military organisations in Egypt, Israel and other Middle Eastern countries, stealing sensitive information. Security experts believe that the same cyberespionage threat group is also behind AnubisSpy.

According to security experts at Trend Micro, who discovered AnubisSpy, the malware posed as legitimate app on Google Play as well as other third-party app stores. Researchers spotted seven apps that were actually AnubisSpy, along with two other experimental malware-laced apps, which researchers suspected were also created by the same hackers. Some of the malicious apps were created as far back as 2015, while the latest variant was created in May this year.

"These apps were all written in Arabic and, in one way or another, related to something in Egypt (i.e., spoofing an Egypt-based TV program and using news/stories in the Middle East) regardless of the labels and objects in the apps," Trend Micro researchers said in a blog. "The apps mainly used Middle East-based news and sociopolitical themes as social engineering hooks and abused social media to further proliferate. Versions of AnubisSpy posed as social news, promotional, healthcare, and entertainment apps."

What can the AnubisSpy malware do?

The AnubisSpy malware can steal photos, videos, contacts, email accounts, SMS, browser histories and calendar events. The malware is also capable of taking screenshots, and record audio data, including calls. The malware can also spy on victims' social media activities, including spying on apps such as WhatsApp, Facebook, Skype and Twitter, among others.

The malware has also been designed to delete files on infected devices and can self-destruct to hide its tracks.

Trend Micro researchers said that they informed Google about AnubisSpy on 12 October and worked with the tech giant to further analyse the malware and take action against malicious apps.

Researchers also suggested that going forward, the mobile platform could become cyberespionage actors' primary frontier. Such a shift may be highly likely given how over the past year, other forms of cybercrime, such as ransomware, also migrated from PC-oriented attacks to targeting mobile users.

"While cyberespionage campaigns on mobile devices may be few and far between compared to ones for desktops or PCs, AnubisSpy proves that they do indeed occur, and may have been more active than initially thought," Trend Micro researchers said.