An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing malware.
“Zanubis’s main infection route is to impersonate legitimate Peruvian Android applications and then trick the user into enabling accessibility permissions to take full control over the device,” Kaspersky said in an analysis published last week.
Zanubis, which was originally documented in August 2022, is the latest addition to the long list of Android banker malware targeting the Latin American (LATAM) region. The targets include more than 40 Peruvian banks and financial institutions.
It is primarily known for abusing accessibility permissions on infected devices to display fake overlay screens on targeted apps in an attempt to steal credentials. It is also capable of collecting contact data, list of installed apps, and system metadata.
Kaspersky said it discovered the most recent samples of Zanubis in the wild in April 2023, working under the cover of Peru’s customs and tax agency Superintendencia Nacional de Aduañas y de Administración Tributaria (SUNAT).
Installing the app and granting it accessibility permissions allows it to run in the background and load the actual SUNAT website using Android’s webview to create a facade of legitimacy. It maintains a connection to the actor-controlled server to receive commands for the next step over WebSockets.
The permissions are leveraged to monitor apps being opened on the device and compare them to a list of targeted apps. Should an application on the list be launched, Zanubis proceeds to log keystrokes or record the screen to extract sensitive data.
What sets Zanubis apart and makes it more powerful is its ability to pretend to have an Android operating system update, effectively rendering the device unusable.
“As soon as the ‘update’ runs, the phone becomes unusable to the point that it cannot be locked or unlocked, because the malware monitors and blocks those attempts,” Kaspersky said.
This development comes after AT&T Alien Labs described another Android-based remote access trojan (RAT) called MMRAT that is capable of capturing user input and screen content, as well as command-and-control.
“RATs are a popular choice for hackers due to their many capabilities ranging from reconnaissance and data infiltration to long-term persistence,” the company said.
