Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware.

Zanubis, originally documented in August 2022, is the latest addition to a long list of Android banker malware targeting the Latin American (LATAM) region. Targets include more than 40 banks and financial entities in Peru.

Kaspersky said it observed recent samples of Zanubis in the wild in April 2023, operating under the guise of the Peruvian customs and tax agency named Superintendencia Nacional de Aduanas y de Administración Tributaria (SUNAT).

Installing the app and granting it accessibility permissions allows it to run in the background and load the genuine SUNAT website using Android’s WebView to create a veneer of legitimacy. It maintains connections to an actor-controlled server to receive next-stage commands over WebSockets.

The permissions are further leveraged to keep tabs on the apps being opened on the device and compare them to a list of targeted apps. Should an application on the list be launched, Zanubis proceeds to log the keystrokes or record the screen to siphon sensitive data.

What sets Zanubis apart and makes it more potent is its ability to pretend to be an Android operating system update, effectively rendering the device unusable.

“As the ‘update’ runs, the phone remains unusable to the point that it can’t be locked or unlocked, as the malware monitors those attempts and blocks them,” Kaspersky noted.

The development comes as AT&T Cybersecurity detailed another Android-based remote access trojan (RAT) dubbed MMRat that’s capable of capturing user input and screen content, as well as command-and-control.