An Android banking trojan known as Zanubis has recently emerged, disguising itself as a Peruvian government app to deceive unsuspecting users into installing the malicious software.

According to an analysis published by Kaspersky last week, Zanubis primarily infects devices by impersonating legitimate Android applications from Peru. It tricks users into granting Accessibility permissions, which allows the trojan to take complete control of the device.

Zanubis, first documented in August 2022, is the newest addition to a long list of Android banking malware targeting the Latin American (LATAM) region. Its primary targets are over 40 banks and financial institutions in Peru.

The trojan is notorious for exploiting the accessibility permissions it gains on infected devices. It displays fake overlay screens on top of targeted apps, attempting to steal user credentials. Zanubis is also capable of harvesting contact data, the list of installed apps, and system metadata.

In April 2023, Kaspersky detected recent samples of Zanubis in the wild, masquerading as the Peruvian customs and tax agency, known as Superintendencia Nacional de Aduanas y de Administración Tributaria (SUNAT).

Once the app is installed and granted accessibility permissions, it runs in the background and loads the genuine SUNAT website using Android’s WebView to create an appearance of legitimacy. The trojan maintains connections to a server controlled by the threat actor to receive further commands over WebSockets.

The granted permissions are also utilized to monitor which apps are opened on the device and compare them to a list of targeted apps. If an application from the list is launched, Zanubis proceeds to log keystrokes or record the screen to extract sensitive information.
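As an added example (not from the article or from Kaspersky's analysis), the following hypothetical Android helper audits the accessibility-abuse pattern described above from the defender's side: it lists enabled accessibility services and flags any whose owning package is neither a system app nor installed by Google Play. It assumes a standard Android `Context`, uses only public Android framework APIs, and treats `com.android.vending` as the Play installer package.

```java
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.provider.Settings;
import android.text.TextUtils;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical defensive audit helper; not part of the article or of Kaspersky's analysis. */
public final class AccessibilityAudit {

    private AccessibilityAudit() {}

    /**
     * Returns enabled accessibility services (flattened "package/serviceClass" names)
     * whose owning package is neither a system app nor installed by Google Play.
     * A sideloaded app holding this permission matches the pattern the article
     * describes for Zanubis and deserves a closer look.
     */
    public static List<String> suspiciousAccessibilityServices(Context ctx) {
        List<String> flagged = new ArrayList<>();
        String enabled = Settings.Secure.getString(
                ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (TextUtils.isEmpty(enabled)) {
            return flagged; // no accessibility services enabled at all
        }
        PackageManager pm = ctx.getPackageManager();
        // The setting is a colon-separated list of flattened ComponentNames.
        for (String service : enabled.split(":")) {
            int slash = service.indexOf('/');
            if (slash <= 0) continue; // malformed entry, skip
            String pkg = service.substring(0, slash);
            try {
                ApplicationInfo ai = pm.getApplicationInfo(pkg, 0);
                boolean isSystem = (ai.flags & ApplicationInfo.FLAG_SYSTEM) != 0;
                // getInstallerPackageName is deprecated since API 30 but still
                // returns the installer; null usually means the APK was sideloaded.
                String installer = pm.getInstallerPackageName(pkg);
                boolean fromPlay = "com.android.vending".equals(installer);
                if (!isSystem && !fromPlay) {
                    flagged.add(service);
                }
            } catch (PackageManager.NameNotFoundException e) {
                // The service points at a package that no longer exists; flag it too.
                flagged.add(service);
            }
        }
        return flagged;
    }
}
```

A non-empty result is a signal for investigation, not proof of infection: legitimate sideloaded accessibility tools will also appear, so review each flagged entry against what the user actually installed.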

What distinguishes Zanubis and makes it particularly dangerous is its ability to mimic an Android operating system update. This renders the device unusable as the “update” progresses. The malware actively blocks attempts to lock or unlock the phone, monitoring and thwarting these actions.

In addition to Zanubis, AT&T Alien Labs has recently disclosed another Android-based remote access trojan (RAT) known as MMRat. This RAT is capable of capturing user input and screen content and of executing command-and-control operations.

“RATs are a popular choice for hackers due to their extensive capabilities, ranging from reconnaissance and data exfiltration to long-term persistence,” explained the company.
