Anubis

Although no longer officially supported since the conviction of its author, Anubis is still a common choice for criminals when it comes to Android banking malware. Since both client and server source code are publicly accessible for free, this does not come as a surprise. Some of the new users have even made changes to it, fixing bugs and gradually improving some aspects of the Trojan in order to sell or rent it on underground forums.

Even though some changes have been observed in certain Anubis campaigns, no major changes have been introduced by those secondary sellers. Most changes are either fixes of known issues or improvements of existing features (such as automatic disabling of Google Play Protect). In January 2020, a new sales post appeared on an underground forum offering a modified version of Anubis 2.5 that actually promises a RAT feature:

Anubis RAT post

Translation:

Additionally, at the moment we develop VNC (commonly used as a synonym for RAT in the malware community). It will be implemented in the coming month. Persons, who supported the service by purchasing the bot, will be granted a chance to work as our partners, build will cost around 15k. Maybe a little less.

With VNC implemented, bot will install an app from the Google Play store on the victim's device and after that you will get an access code. The victim will be able to see when you are accessing the device, it is not possible to hide that process in Android. However, we will add the feature that will allow disabling the screenlock. If the screen of the device is locked, bot will receive the command to unblock the device. After that you can connect to the phone and perform necessary transactions. It should be OK for nighttime; you shouldn't have any problems.

I accept your requests to add any feature to the bot. We will discuss prices individually. Injects will happen once in 3-4 months.

Judging by this humble and not very technical description, it seems that the actors behind this post chose an implementation similar to how Cerberus offers its RAT feature: using a third-party application to control the infected device. Although this statement should be taken with caution (there is no honor among thieves), there is a high chance we will see new variants of the Anubis Trojan offering a fully-fledged RAT, keeping the malware relevant in the current threat landscape.