Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware.

“Zanubis’s main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,” Kaspersky said in an analysis published last week.

Zanubis, originally documented in August 2022, is the latest addition to a long list of Android banker malware targeting the Latin American (LATAM) region. Targets include more than 40 banks and financial entities in Peru.

It’s mainly known for abusing accessibility permissions on the infected device to display fake overlay screens atop the targeted apps in an attempt to steal credentials. it’s also capable of harvesting contact data, list of installed apps, and system metadata.

Kaspersky said it observed recent samples of Zanubis in the wild in April 2023, operating under the guise of the Peruvian customs and tax agency named Superintendencia Nacional de Aduanas y de Administración Tributaria (SUNAT).

Installing the app and granting it accessibility permissions allows it to run in the background and load the genuine SUNAT website using Android’s WebView to create a veneer of legitimacy. It maintains connections to an actor-controlled server to receive next-stage commands over WebSockets.

The permissions are further leveraged to keep tabs on the apps being opened on the device and compare them to a list of targeted apps. Should an application on the list be launched, Zanubis proceeds to log the keystrokes or record the screen to siphon sensitive data.

What sets Zanubis apart and makes it more potent is its ability to pretend to be an Android operating system update, effectively rendering the device unusable.

“As the ‘update’ runs, the phone remains unusable to the point that it can’t be locked or unlocked, as the malware monitors those attempts and blocks them,” Kaspersky noted.

The development comes as AT&T Cybersecurity detailed another Android-based remote access trojan (RAT) dubbed MMRat that’s capable of capturing user input and screen content, as well as command-and-control.

“RATs are a popular choice for hackers to use due to their many capabilities from reconnaissance and data exfiltration to long-term persistence,” the company said.