AnubisCrypt is an Android Trojan virus. It gets its name from the file extension that it appends to the encrypted files, but AnubisCrypt is more than just crypto ransomware. It is also a screen locker and spyware, hiding in apps on the Play Store.
Usually, Windows is the operating system thought of as vulnerable to ransomware and other malware. This has mostly been true, but the reason was that Windows is the most popular desktop operating system, thus the biggest target. The mobile market is growing, though, and people are increasingly using their phones for important tasks, like banking and online shopping. And Android is around 75% of the mobile market worldwide, which is why cybercriminals are paying more attention to Android devices.
How dangerous is AnubisCrypt?
Another Android ransomware, DoubleLocker, was a virus app that combined both types of ransomware: crypto and screen locker. That ransomware was an app downloaded not from the Play Store, but from some other site. The AnubisCrypt virus, however, hides in apps on the Play Store, and is much more dangerous than just ransomware.
Like DoubleLocker before it, AnubisCrypt both encrypts the files on the device and locks the screen. The screen locker scares people by displaying a fake warning about how the user was doing illegal things on their phone and how they need to pay a fine. Other versions of AnubisCrypt just show a blank screen. Analysts are saying that this part of the virus is still in development.
Crypto-Banking Ransomware found on Google Play
— Lukas Stefanko (@LukasStefanko) April 8, 2019
AnubisCrypt also encrypts the files. In theory, the files should be recoverable, if the decryption key for each encryption was known. It is not, though, and there doesn’t yet exist a way to get it. Normally crypto ransomware asks for money in exchange for recovery of the files, so this is probably what the developers of AnubisCrypt are planning for the future of their virus. For now, though, the encryption seems practically irreversible.
Keylogging is one thing that AnubisCrypt does. Keylogging means it can monitor the victim’s typing. This includes private messages, as well as passwords. The virus can record that info and then send it to a server.
It also works as a Banking Trojan. The developers of AnubisCrypt can use the virus to monitor which banking apps the victim has on their phone, and then create a fake login screen for those apps. These fake login screens are used to steal login names and passwords. This is called phishing, and it affects mobile apps as well as websites.
This virus might send SMSs (because AnubisCrypt can also send, read, and intercept SMSs) to trick the users into logging into their bank through their apps so that AnubisCrypt can present its phishing overlays to the victim. Even more, the virus can give hackers access to the infected phone’s files and sound recording through its remote access trojan (RAT) ability, which is a huge privacy breach.
AnubisCrypt is a Jack of all trades of the virus world. There is a very detailed article here.
How does this virus spread?
It comes in some apps from the Google Play Store. The apps can be fake, just there for downloading the virus and then prompting you to download the real app, pretending that it’s an update. If you went ahead with that and then checked your settings for the list of your apps, you would see two versions of the same app. The virus app would ask you for permissions and install more fake apps that pretend to be legitimate, like “System Update” or something similar. All of this can make it really difficult to know which app is a virus. On top of that, AnubisCrypt can prevent you from uninstalling the virus.
There are many different Play Store apps that include this trojan, and new ones are being added. It’s possible that the virus is being spread by multiple different distributors who are separate from the developers, like a virus affiliate marketing campaign. All that can be said is that people should be careful and skeptical when choosing an app to download. Research it outside of the Play Store and check that the app is not masquerading as another one. Check if the reviews are genuine and if their number is realistic in relation to the number of installs.
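The signs described above (two installed apps sharing one name, an app holding both SMS and sound-recording access, files carrying the AnubisCrypt extension) can be checked against an exported app and file list. This is an added example, not code from the original article: the inventory format, package names and file paths are constructed, and mapping the described behaviours to these Android permission names is an assumption.

```python
from collections import defaultdict

# Real Android permission names; tying them to the behaviours the article
# lists (SMS send/read/intercept, sound recording) is this example's assumption.
SMS_PERMS = {
    "android.permission.SEND_SMS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
}
AUDIO_PERM = "android.permission.RECORD_AUDIO"
# Extension named in the article; the leading dot is assumed, match is case-insensitive.
ENCRYPTED_SUFFIX = ".anubiscrypt"


def duplicate_labels(apps):
    """Return {label: [packages]} for display names shared by several packages."""
    by_label = defaultdict(list)
    for app in apps:
        by_label[app["label"].strip().lower()].append(app["package"])
    return {label: sorted(pkgs) for label, pkgs in by_label.items() if len(pkgs) > 1}


def risky_permission_sets(apps):
    """Return packages holding all three SMS permissions plus microphone access."""
    return sorted(
        app["package"] for app in apps
        if SMS_PERMS <= set(app["permissions"]) and AUDIO_PERM in app["permissions"]
    )


def encrypted_files(paths):
    """Return paths that carry the ransomware's appended extension."""
    return [p for p in paths if p.lower().endswith(ENCRYPTED_SUFFIX)]


# Constructed sample inventory (hypothetical package names, not real indicators).
SAMPLE_APPS = [
    {"label": "Currency Converter", "package": "com.example.converter",
     "permissions": ["android.permission.INTERNET"]},
    {"label": "Currency Converter", "package": "com.example.converter.update",
     "permissions": sorted(SMS_PERMS) + [AUDIO_PERM, "android.permission.INTERNET"]},
    {"label": "Notes", "package": "com.example.notes",
     "permissions": ["android.permission.RECORD_AUDIO"]},
]
SAMPLE_FILES = ["DCIM/IMG_0001.jpg.AnubisCrypt", "Download/report.pdf", "DCIM/IMG_0002.jpg"]

if __name__ == "__main__":
    print("Duplicate labels:", duplicate_labels(SAMPLE_APPS))
    print("SMS + microphone:", risky_permission_sets(SAMPLE_APPS))
    print("Encrypted files:", encrypted_files(SAMPLE_FILES))
```

A package that shows up in both the duplicate-label and the permission result is the first one to inspect in safe mode.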
How to remove the AnubisCrypt virus
You can get around the AnubisCrypt screen locker by booting your phone into safe mode (we have instructions in this post). For now, you can access your phone’s settings again. To remove the virus you can go to the settings, find the app that is actually the virus, and uninstall it. Unfortunately, this will not fix the encrypted files.
If uninstalling doesn’t work, you can do a factory reset. This will remove all of your data, but since the files are encrypted anyway, maybe doing a factory reset is worth it for the guarantee that the virus is completely gone.
There’s a backup feature in Google Drive, which can make the loss of files less devastating, but it is still important to make backups of your most important files. And even though the AnubisCrypt virus is distributed on the Google Play Store, the store is still the safest way to get your apps. The apps there are scanned for malware; it’s just that AnubisCrypt is rather sophisticated and uses some social engineering to trick Android users. Be careful about giving apps permissions, and about downloading suspicious apps. You might also want to use an antivirus for Android, if you don’t already.