One Virus, Forty Apps, Thousands of Accounts: How an Android Banking Trojan Became a Mass Blackmail Tool
Zanubis pretends to "help with taxes" while secretly draining accounts to remote wallets.

The Zanubis malware, built specifically for Android devices, has evolved into one of the most sophisticated cyberthreats in Latin America. It initially targeted only banks but has since expanded to virtual cards and crypto wallets, adapting its attack methods to the region's digital infrastructure.
How Zanubis Works
According to Kaspersky Lab, the malware spreads disguised as legitimate Peruvian apps and tricks users into granting it accessibility permissions. Once the accessibility service is enabled, Zanubis can:
- Steal data (logins, card details, crypto keys)
- Log keystrokes
- Remotely control the device
- Silently execute attacker commands
Evolution of the Threat
- August 2022: First detected as a fake PDF viewer, attacking 40+ financial apps in Peru via overlay screens (fake login pages drawn over the real app).
- 2023: Disguised as the app of Peru's tax authority (SUNAT), using:
  - Obfuscapk (code obfuscation)
  - RC4 encryption for C2 communication
  - Fake tutorial pages to justify the suspicious permission requests
- 2024: Upgraded stealth with:
  - AES-ECB encryption (a weak mode, but enough to hide strings from simple scanners)
  - Real-time string decryption with PBKDF2-derived keys
  - Lock screen data interception
  - Fake system updates that lock the device while the attack runs
- 2025: Now uses PackageInstaller to install apps silently, without user consent, targeting:
  - Banks
  - Energy companies
  - Other critical economic entities
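The accessibility abuse described under "How Zanubis Works" and the PackageInstaller capability in the 2025 entry above both show up in an app's manifest before the app ever runs. The script below is an added illustration of a static triage check an analyst could run over a decoded AndroidManifest.xml; it is not Kaspersky's detection logic and not Zanubis code. The permission and action names are standard Android identifiers; the scoring rules, the package names and both sample manifests are constructed for this example.

```python
"""Static triage of decoded AndroidManifest.xml files for the combination of
an accessibility service (screen reading and acting on the victim's behalf),
overlay drawing (fake login pages) and package installation.

Added example, not Kaspersky's or Zanubis's code. Permission and action
strings are documented Android constants; the verdict rules and the sample
manifests are assumptions made for this illustration."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Standard Android identifiers.
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"


def accessibility_services(root):
    """Names of <service> elements that are accessibility services: either
    protected by BIND_ACCESSIBILITY_SERVICE or filtering on the
    AccessibilityService intent action."""
    found = []
    for svc in root.iter("service"):
        actions = {a.get(A_NAME) for a in svc.iter("action")}
        if svc.get(A_PERMISSION) == BIND_A11Y or A11Y_ACTION in actions:
            found.append(svc.get(A_NAME))
    return found


def triage_manifest(manifest_xml):
    """Score one decoded manifest. Verdict rules (assumed heuristic):
    high   - accessibility service plus overlay or install capability
    medium - accessibility service alone
    low    - neither"""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(A_NAME) for p in root.iter("uses-permission")}
    a11y = accessibility_services(root)
    findings = []
    if a11y:
        findings.append("accessibility_service")
    if OVERLAY in requested:
        findings.append("overlay")
    if INSTALL in requested:
        findings.append("package_install")
    if a11y and (OVERLAY in requested or INSTALL in requested):
        verdict = "high"
    elif a11y:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "accessibility_services": a11y,
        "findings": findings,
        "verdict": verdict,
    }


# Constructed sample: a fake "tax helper" that asks for everything at once.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxhelper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Tax Helper">
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
        android:exported="true">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a document viewer that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pdfviewer">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="PDF Viewer">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(f"{result['package']}: {result['verdict']} {result['findings']}")
```

Point `triage_manifest` at the AndroidManifest.xml that apktool writes when it decodes an APK. A "high" verdict is a reason to look closer, not proof of malice: screen readers and some automation tools legitimately bind an accessibility service, so the result should be read together with where the APK came from and what the app claims to do.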
Social Engineering Tactics
Attackers use fake invoices and "financial advisor" instructions written in flawless Latin American Spanish, suggesting the operators are local.
Why Zanubis Is Dangerous
✔ Highly adaptive – Constantly updates its evasion techniques.
✔ Wide reach – Hits banks, crypto services, and utilities.
✔ Hard to detect – Abuses legitimate Android functions rather than exploiting bugs.
How to Stay Safe
- Avoid sideloading APKs – Install only from official app stores.
- Never grant permissions an app has no obvious need for, above all Accessibility: a tax or invoice app has no reason to read your screen.
- Update devices regularly – Recent Android versions restrict accessibility access for sideloaded apps, and patches close bugs that malware can abuse.
