These malicious Android apps will only strike when you move your smartphone

Apps containing the Anubis banking Trojan and an interesting motion sensor have been found in the Google Play store.
Written by Charlie Osborne, Contributing Writer

Malicious Android apps have been uncovered in the Google Play store which will only trigger when a smartphone moves, researchers say.

On Thursday, the cybersecurity team from Trend Micro said that the two apps in question were disguised as services that many of us would find useful, a currency converter and power saver.

The applications were named Currency Converter and BatterySaverMobi. In the latter case, the app received 4.5 stars from 73 reviewers and has been downloaded over 5,000 times, but the researchers believe these ratings may have been fraudulent.


The malicious apps deploy a banking Trojan called Anubis, but it is how the payload deploys which is of real interest.

Currency Converter and BatterySaverMobi attempt to use the victim's device and sensors to avoid detection. When users move their device, this generates motion sensor information.

The applications monitor the device they have been installed on for this sensor data, and if detected, will then deploy Anubis.

However, if no motion is detected, this could indicate the device is actually an emulator or sandbox environment and one in which the malicious code could be picked apart by researchers. As a result, the app will not attempt to deploy its payload if there is no movement.

If sensors do generate motion data then the malicious apps will spring and attempt to trick the user into downloading and installing the Anubis Trojan by way of an APK and fake system update message.


The code is "strikingly similar" to known Anubis samples and connects to a command-and-control (C2) server hosted on domains also linked to the banking Trojan. The server is hidden by being encoded into Telegram and Twitter webpage requests.

"These domains change IP addresses quite frequently and may have switched six times since October 2018, showing just how active this particular campaign is," the researchers note.

See also: Android security: Password-stealing malware sneaks in Google Play store in bogus apps

If the intended victim allows the app to download its APK and execute, the banking Trojan will set to work.

A built-in keylogger records keystrokes and the malware is also able to take screenshots covertly, of which both are ways to potentially steal banking credentials.

However, the malware also gains access to contact lists, location data, and is able to record audio, send SMS messages, make calls, and tamper with external storage. These powers offer threat actors the opportunity to spread to other victims via spam messages and fraudulent calls.

Researchers from Quick Heal Technologies have also suggested that Anubis has the capability to act as ransomware.

This information is then sent to the Anubis operators through the C2 server.

TechRepublic: How to connect to VNC using SSH

It was back in June when a previous Anubis campaign was unearthed by IBM X-Force researchers. A malicious app called "Google Protect," alongside fake shopping and stock market apps masked the Anubis malware deployed for the same goal -- to steal banking credentials.

Trend Micro says the latest version of Anubis in the wild has been distributed to 93 countries and attempts to extract account credentials relating to 377 financial apps, potentially belonging to everything from banks to other financial services.

CNET: Apple's Tim Cook calls for new regulations to protect your personal data

"Gaps in mobile security can lead to severe consequences for many users because devices are used to hold so much information and connect to many different accounts," Trend Micro says. "Users should be wary of any app that asks for banking credentials in particular and be sure that they are legitimately linked to their bank."

These are the worst hacks, cyberattacks, and data breaches of 2018

Previous and related coverage

Editorial standards