My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets



Added to the Dr.Web virus database: 2018-03-21

Virus description added:

SHA1 packed:

  • e6714a332e58e7e92b4eb72c7db8756253538cc0

SHA1 unpacked:

  • 49dd6e33d64835152152b09b763e3603395b99de

A banking Trojan for Android OS, also known as Anubis. Distributed and disguised as an innocuous program. Based on the source code of the malicious application Android.BankBot.149.origin.

The Trojan can receive the following commands from the managing server:

  • Send SMS – sending SMS messages containing a defined text to the number specified in the command;
  • Start USSD – executing USSD-request;
  • Get all SMS – sending copies of SMS messages stored on the device to the managing server;
  • Get all installed applications – receiving information about applications installed;
  • Show message box – showing a dialog box with the text specified in the command;
  • Show push notification – showing push notifications whose contents are specified in the command;
  • Automatically show push notification – showing push notifications whose contents are set in the Trojan's code;
  • Start fake-locker – blocking the screen of the device window WebView, which showed the content received from the server web page;
  • Get number from phone book – sending all the numbers from the contact list to the server;
  • Sending SMS to your contacts – sending SMS messages to all numbers from the contact list;
  • Request permission for injection – requesting permission to access data;
  • Request permission for geolocation – requesting permission tor access device location;
  • Start Accessibility Service – requesting access to accessibility features (Accessibility Service);
  • Get all permissions – checking the availability of the additional permissions for functioning;
  • Start permission – requesting access to additional permissions;
  • Get IP Bot – determining an IP address of the infected smartphone or tablet;
  • Kill Bot – cleaning up its configuration file and stopping own work.

News about the Trojan

Curing recommendations


  1. If the mobile device is operating normally, download and install Dr.Web for Android Light. Run a full system scan and follow recommendations to neutralize the detected threats.
  2. If the mobile device has been locked by Android.Locker ransomware (the message on the screen tells you that you have broken some law or demands a set ransom amount; or you will see some other announcement that prevents you from using the handheld normally), do the following:
    • Load your smartphone or tablet in the safe mode (depending on the operating system version and specifications of the particular mobile device involved, this procedure can be performed in various ways; seek clarification from the user guide that was shipped with the device, or contact its manufacturer);
    • Once you have activated safe mode, install the Dr.Web для Android Light onto the infected handheld and run a full scan of the system; follow the steps recommended for neutralizing the threats that have been detected;
    • Switch off your device and turn it on as normal.

Find out more about Dr.Web for Android