
Since mid-2022, a dangerous Android banking Trojan known as Zanubis has been on a relentless journey of evolution and expansion. What began as a relatively unsophisticated malware disguised as a PDF reader has now become a multi-layered threat, capable of device hijacking, keylogging, SMS interception, and fake update lockouts—all under the nose of unsuspecting users.
“Zanubis has demonstrated a clear evolution, transitioning from a simple banking Trojan to a highly sophisticated and multi-faceted threat,” warns Kaspersky Labs.
Zanubis initially targeted customers of Peruvian banks and cryptocurrency users, impersonating legitimate apps and institutions, including Peru’s national tax authority (SUNAT), to get onto Android devices. Later versions spoofed entities in the energy and banking sectors; the latest narrows the target list again.
“In the latest iteration of the malware, the scope of targeted entities has been significantly narrowed… focusing on banks and financial institutions.”
Zanubis hides behind official-looking apps, often invoice viewers or banking utilities, that manipulate victims into granting the Accessibility Service permission, the prerequisite for its overlay attacks and background monitoring. One lure loaded a fake document viewer with a button labeled “Ir a Accesibilidad” (“Go to Accessibility”) that sent the victim straight to the system settings page where the malicious service is enabled.
“This trick relies heavily on social engineering… leveraging trust in the app’s appearance.”
Once granted access, Zanubis loads a legitimate SUNAT website within a WebView, maintaining the illusion of a real service while running malicious operations in the background.
Zanubis collects contacts, the list of installed apps and device model information, and asks to be exempted from battery optimization so that it stays resident indefinitely. It talks to its C2 infrastructure over WebSocket and Socket.IO polling loops; the transport was originally protected with RC4 and has since moved to AES in ECB mode with keys derived via PBKDF2. ECB is a weak choice for this purpose: it is deterministic, so identical plaintext blocks produce identical ciphertext blocks, which leaks structure and makes the traffic easier to fingerprint.
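The following helpers are an added example (the editor's own code, not Kaspersky's tooling or anything taken from the malware) showing what an analyst handling this traffic would keep at hand: the legacy RC4 layer, PBKDF2 key derivation for the newer AES-ECB layer, PKCS#7 unpadding of a decrypted buffer, and a quick check for the ECB fingerprint. AES itself is left to a library such as pycryptodome so that the file needs only the standard library. The PBKDF2 hash, salt and iteration count are assumptions; the real values must be recovered from the sample.

```python
"""Added example for analysing Zanubis-style C2 traffic (editor's code,
not Kaspersky's or the malware's). PBKDF2 parameters are assumptions."""
import hashlib
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    # Key-scheduling algorithm (KSA)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA), XORed over the data
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_aes_key(passphrase: bytes, salt: bytes,
                   iterations: int = 10_000, length: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 -> AES-256 key bytes (hash/iterations assumed)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, length)


def pkcs7_unpad(block_data: bytes, block_size: int = 16) -> bytes:
    """Strip PKCS#7 padding after AES-ECB decryption, rejecting bad padding."""
    if not block_data or len(block_data) % block_size:
        raise ValueError("not a whole number of blocks")
    n = block_data[-1]
    if not 1 <= n <= block_size or block_data[-n:] != bytes([n]) * n:
        raise ValueError("bad PKCS#7 padding")
    return block_data[:-n]


def ecb_repeated_blocks(ciphertext: bytes, block_size: int = 16) -> int:
    """Number of ciphertext blocks that duplicate an earlier block.

    ECB is deterministic, so repeated plaintext blocks appear as repeated
    ciphertext blocks; a non-zero count on captured traffic is a strong hint
    that the mode is ECB rather than CBC or GCM."""
    blocks = [ciphertext[i:i + block_size]
              for i in range(0, len(ciphertext) - block_size + 1, block_size)]
    return sum(count - 1 for count in Counter(blocks).values() if count > 1)


if __name__ == "__main__":
    # Constructed frame standing in for a captured legacy-era C2 message.
    frame = rc4(b"demo-key", b'{"cmd":"ping","device":"sample"}')
    print(rc4(b"demo-key", frame))
    print(derive_aes_key(b"demo-passphrase", b"demo-salt").hex())
```

`ecb_repeated_blocks` is the cheap way to confirm the mode from a packet capture before spending time on key recovery: CBC or GCM traffic of the same length will essentially never produce a duplicate block.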
Zanubis relies on two primary surveillance tactics:
- Keylogging: captures UI interactions such as taps and typed input.
- Screen recording: monitors what the user does inside financial apps.
“When it detected activity related to authentication that needed the input of a PIN, password, or pattern, it attempted to identify the type of authentication being used and captured the corresponding input.”
By registering itself as the device’s default SMS handler, the malware intercepts 2FA codes delivered by text, deletes the messages, and blocks the user from restoring the legitimate messaging app.
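The three footholds described above (an enabled accessibility service, the default SMS role, and a battery-optimization exemption) are all visible from `adb`. The script below is an added triage example, the editor's own code rather than Kaspersky's or any vendor's tooling; it parses the text printed by `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell dumpsys deviceidle whitelist`, and flags any package outside an allowlist that holds one or more of them. The sample outputs, the package name `com.example.visorpdf` and the allowlists are constructed for illustration.

```python
"""Added triage example (editor's code, not vendor tooling). Sample adb
outputs and the package com.example.visorpdf are constructed."""
from collections import defaultdict
from typing import Dict, List, Optional

# Allowlists (assumed placeholders): adjust to what your fleet legitimately uses.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_SMS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
ALLOWED_BATTERY_EXEMPT: set = set()


def parse_accessibility(value: str) -> List[str]:
    """enabled_accessibility_services prints 'pkg/Service:pkg/Service' or 'null'."""
    value = value.strip()
    if value in ("", "null"):
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def parse_sms_default(value: str) -> Optional[str]:
    """sms_default_application prints the package name or 'null'."""
    value = value.strip()
    return None if value in ("", "null") else value


def parse_deviceidle_whitelist(text: str) -> List[str]:
    """dumpsys deviceidle whitelist prints one 'type,package,uid' per line;
    'user' entries are exemptions granted at runtime, 'system' are platform ones."""
    pkgs = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.append(parts[1])
    return pkgs


def triage(accessibility_out: str, sms_out: str, whitelist_out: str) -> Dict[str, List[str]]:
    """Map each package outside the allowlists to the footholds it holds."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for pkg in parse_accessibility(accessibility_out):
        if pkg not in ALLOWED_ACCESSIBILITY:
            findings[pkg].append("accessibility service enabled")
    sms_pkg = parse_sms_default(sms_out)
    if sms_pkg and sms_pkg not in ALLOWED_SMS:
        findings[sms_pkg].append("holds default SMS role")
    for pkg in parse_deviceidle_whitelist(whitelist_out):
        if pkg not in ALLOWED_BATTERY_EXEMPT:
            findings[pkg].append("battery optimization exemption")
    return dict(findings)


# Constructed sample output (not real telemetry).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.visorpdf/com.example.visorpdf.AccService"
)
SAMPLE_SMS = "com.example.visorpdf"
SAMPLE_WHITELIST = (
    "system,com.android.providers.downloads,10012\n"
    "user,com.example.visorpdf,10234\n"
)

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS, SAMPLE_WHITELIST).items():
        print(f"{pkg}: {', '.join(reasons)}")
```

A package that shows up under all three headings at once is the pattern this article describes; a single battery exemption on its own is common for legitimate VPN or messaging apps, which is why the script reports reasons per package rather than a yes/no verdict.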
One of Zanubis’ most disruptive features is the “bloqueoUpdate” (update lock) routine: it covers the device with a fake system-update screen while the malware runs its routines underneath, and the user can neither interact with the device nor regain control.

“Attempts to lock or unlock the screen were detected and locked, making it nearly impossible for the user to interrupt the process.”
Kaspersky’s telemetry reveals over 30 Zanubis variants uploaded to VirusTotal from Peru in early 2024, each showing increased sophistication. Developers added:
- String and C2 encryption using AES
- Stealth installation using the PackageInstaller class
- Silent dropper payloads hidden inside the app resources
- Device credential tracking, including PIN, password, and pattern capture
Kaspersky believes the attackers are likely based in Peru, citing the consistent use of Latin American Spanish, intimate knowledge of local banking systems, and targeting of Peruvian infrastructure.
Organizations and users alike should tighten mobile app vetting, restrict accessibility permissions to a known-good set of apps, check which app holds the default SMS role, and monitor for unusual device behavior.