An Android application that steals PayPal credentials, encrypts files on the device's external storage, and locks the device behind a black screen was spotted in the Google Play Store by ESET malware researcher Lukas Stefanko.
The app's malicious behavior comes from its payload, Anubis, a well-known Android banking Trojan designed to steal banking credentials, provide its operators with a RAT backdoor, and send SMS spam, among other things.
Once a malware downloader drops the Anubis banking Trojan on a victim's compromised device, it starts collecting banking information either with its built-in keylogger module or by taking screenshots when the user enters credentials into apps, unlike other banking Trojans known to use overlay screens for the same task.
Anubis samples with ransomware features are not new: Sophos previously discovered Anubis-infected apps in the Play Store during August 2018 with the capability to encrypt files using an .Anubiscrypt file extension, the same extension the malware found by Stefanko used to encrypt his documents.