Zanubis Android Malware Harvests Banking Credentials and Executes Remote Commands

The Zanubis Android banking Trojan has evolved into a highly sophisticated threat, initially targeting financial institutions in Peru before expanding its scope to virtual cards and cryptocurrency wallets.

This malware, known for impersonating legitimate Peruvian Android apps, tricks users into granting accessibility permissions, thereby enabling extensive data theft and remote control capabilities.

Evolution of a Sophisticated Threat

Over the years, Zanubis has undergone continuous development, with threat actors refining its code, enhancing obfuscation techniques, and introducing new features to accelerate infection rates.

From its early days of using hardcoded Pastebin sites for configuration retrieval to employing advanced encryption and deceptive tactics, Zanubis represents a persistent and evolving menace in the cybersecurity landscape.

Its ability to steal banking credentials through overlay attacks, perform keylogging, and execute remote commands without user awareness underscores its dangerous potential, particularly for users in Peru.

According to a Securelist report, Zanubis has demonstrated remarkable technical advancements since its inception.

Initially detected in August 2022 posing as a PDF reader, it targeted 40 financial apps in Peru using overlay attacks facilitated by abused accessibility services.

By 2023, it masqueraded as the official SUNAT app, integrating obfuscation techniques via tools like Obfuscapk to hinder reverse engineering.

This version introduced junk code, RC4 encryption for C2 communications, and social engineering ploys such as fake instructional webpages to secure permissions.

Technical Advancements

Its capabilities expanded to include SMS hijacking for intercepting two-factor authentication codes, screen recording for capturing user interactions, and deceptive fake system updates to lock devices while executing malicious tasks in the background.

Figure: Fake update blocking the user from making use of the phone

In 2024, Zanubis reinforced its stealth with AES encryption in ECB mode for C2 communications and on-the-fly string decryption using PBKDF2-derived keys, alongside credential theft from device lock screens.

Figure: Device credentials collected by Zanubis

By 2025, the malware adopted silent installation techniques via the PackageInstaller class and sharpened its focus exclusively on high-value banking targets, impersonating entities in Peru’s energy and financial sectors with tailored lures like fake invoices and advisor instructions.

These updates reflect a deliberate strategy to maximize data theft efficiency while evading detection, with indicators suggesting the threat actors operate locally due to their use of Latin American Spanish and deep knowledge of regional institutions.

As Zanubis continues to refine its distribution methods and malicious functionalities, it poses an ongoing risk, necessitating heightened vigilance among users and organizations to mitigate its impact through robust security practices and awareness of social engineering tactics.

Indicators of Compromise (IoC)

MD5 Hash
81f91f201d861e4da765bae8c0d0
fd43666006938b7c77b990b2b4531b9a
8949f492001bb0ca9212f85953a6dcda
45d07497ac7fe550b8b394978652caa9
03c1e2d713c480ec7dc39f9c4fad39ec
660d4eeb022ee1de93b157e2aa8fe1dc
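The list above is only useful if it is applied consistently, so here is a small triage script, added as an example and not part of the original article or the Securelist research, that validates the published MD5 entries and checks collected APK files or in-memory samples against them. Note that the first hash as printed above is 28 hex characters rather than 32; the script does not guess the missing characters but reports the entry as malformed so the analyst knows to obtain the full value. The sample bytes in the demo are constructed for illustration and do not correspond to any real Zanubis build.

```python
import hashlib
import re
from pathlib import Path

# MD5 hashes exactly as published in the article above. The first entry is
# only 28 hex characters in the source and is therefore not a valid MD5; it
# is kept verbatim so that validate_iocs() flags it instead of silently
# dropping or "completing" it.
PUBLISHED_MD5 = [
    "81f91f201d861e4da765bae8c0d0",
    "fd43666006938b7c77b990b2b4531b9a",
    "8949f492001bb0ca9212f85953a6dcda",
    "45d07497ac7fe550b8b394978652caa9",
    "03c1e2d713c480ec7dc39f9c4fad39ec",
    "660d4eeb022ee1de93b157e2aa8fe1dc",
]

MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def validate_iocs(hashes):
    """Split a published hash list into usable MD5s and malformed entries.

    Returns (good, bad): `good` is a lowercase set ready for lookups,
    `bad` preserves the malformed strings for manual follow-up.
    """
    good, bad = set(), []
    for h in hashes:
        h = h.strip().lower()
        if MD5_RE.match(h):
            good.add(h)
        else:
            bad.append(h)
    return good, bad


def md5_of_bytes(data: bytes) -> str:
    """MD5 of an in-memory sample (e.g. an APK pulled from a device)."""
    return hashlib.md5(data).hexdigest()


def md5_of_file(path, chunk_size=1 << 20) -> str:
    """Stream a file through MD5 so large APKs do not need to fit in RAM."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_samples(samples: dict, iocs: set):
    """Return the names of in-memory samples whose MD5 is in the IoC set."""
    return sorted(name for name, data in samples.items()
                  if md5_of_bytes(data) in iocs)


def scan_directory(root, iocs: set, suffix=".apk"):
    """Walk `root` and return (path, md5) for every file matching an IoC."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() == suffix:
            digest = md5_of_file(p)
            if digest in iocs:
                hits.append((str(p), digest))
    return hits


if __name__ == "__main__":
    good, bad = validate_iocs(PUBLISHED_MD5)
    print(f"{len(good)} usable MD5 IoCs, {len(bad)} malformed: {bad}")
    # Constructed, benign sample bytes standing in for collected APKs.
    constructed = {"reader.apk": b"not a real apk", "sunat.apk": b"abc"}
    print("hits against published IoCs:", scan_samples(constructed, good))
```

`scan_directory` is what you would point at a folder of APKs exported from an MDM or pulled with `adb pull`; `scan_samples` covers the case where the file is already in memory. Because the lookup is a set membership test, the same code scales to a much larger feed of hashes without change.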
