Evolution of Zanubis, a banking Trojan for Android
Zanubis is an evolving Android banking Trojan that emerged in 2022, targeting financial institutions in Peru before expanding to virtual cards and crypto wallets. It impersonates legitimate apps to trick users into granting accessibility permissions, enabling extensive data theft and device control. The malware has undergone significant development, incorporating features like SMS hijacking, screen recording, and device credential stealing. Recent versions show improved obfuscation, encryption, and silent installation techniques. The threat actors, likely based in Peru, continue to refine the malware's capabilities and targeting strategy, focusing on high-value financial targets in the region.
AI Analysis
Technical Summary
Zanubis is a sophisticated Android banking Trojan first identified in 2022, initially targeting financial institutions in Peru. Over time, it has evolved to expand its attack surface to include virtual cards and cryptocurrency wallets, reflecting a strategic shift to high-value digital assets. The malware operates by impersonating legitimate applications to deceive users into granting accessibility permissions. These permissions are critical as they allow Zanubis to perform extensive data theft and device control operations. Key technical capabilities of Zanubis include SMS hijacking, which enables interception and manipulation of text messages often used in two-factor authentication; screen recording to capture sensitive user interactions; and stealing device credentials to facilitate unauthorized access to financial accounts. Recent iterations of Zanubis demonstrate enhanced obfuscation and encryption techniques, making detection and analysis more challenging for security tools. Additionally, the Trojan employs silent installation methods to avoid user suspicion and maintain persistence on infected devices. The threat actors behind Zanubis are believed to be based in Peru and continue to refine the malware’s capabilities and targeting strategies, focusing on high-value financial targets within their region. Although Zanubis has not been reported to exploit known vulnerabilities or have publicly available exploits, its evolving feature set and stealth techniques make it a persistent threat to Android users involved in financial transactions, particularly in Latin America.
Potential Impact
For European organizations, the direct impact of Zanubis may currently be limited due to its primary targeting of Peruvian financial institutions and users. However, the Trojan’s capabilities pose a significant risk if it expands geographically or if European users engage with compromised applications or financial services linked to affected regions. The theft of credentials and interception of SMS messages can lead to unauthorized access to corporate and personal financial accounts, potentially resulting in financial loss, fraud, and reputational damage. Organizations with employees or customers using Android devices for banking or cryptocurrency management are at risk of data breaches and account takeovers. Additionally, the Trojan’s ability to silently install and evade detection could facilitate persistent access to sensitive information and lateral movement within corporate networks if infected devices connect to enterprise resources. The evolving nature of Zanubis underscores the need for vigilance in monitoring Android application ecosystems and user behavior, especially in sectors handling financial transactions or digital assets.
Mitigation Recommendations
European organizations should implement targeted measures beyond standard mobile security practices. First, enforce strict mobile device management (MDM) policies that restrict installation of applications from untrusted sources and require verification of app legitimacy before installation. Employ advanced endpoint detection and response (EDR) solutions capable of monitoring Android devices for suspicious behaviors such as unauthorized accessibility permission grants, SMS interception attempts, and screen recording activities. Educate employees and users about the risks of granting accessibility permissions to unknown apps and encourage the use of official app stores only. Implement multi-factor authentication methods that do not rely solely on SMS-based verification to mitigate the risk of SMS hijacking. Regularly audit and update mobile security policies to include detection of obfuscated or encrypted malware components. Network-level protections such as anomaly detection for unusual outbound traffic from mobile devices can help identify compromised devices. Finally, collaborate with financial institutions to monitor for fraudulent transactions and share threat intelligence related to Zanubis and similar Android banking Trojans.
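The recommendation above to watch for unauthorized accessibility permission grants can be checked directly on a managed device. The following Python script is an added example and is not part of the original advisory or the AlienVault pulse: it parses the value of the Android secure setting enabled_accessibility_services (as printed by `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of service component names) and reports every service whose package is not on an organisation-defined allowlist. The allowlist contents, the sample setting value and the package name com.pdfviewer.free are constructed for illustration.

```python
"""Audit Android accessibility-service grants against an allowlist.

Added example, not from the original advisory. Parses the colon-separated
'enabled_accessibility_services' secure setting and flags services whose
package is not approved. Allowlist and sample output are constructed.
"""
import subprocess
from typing import Iterable, Optional

# Constructed allowlist: packages the organisation has approved for accessibility access.
APPROVED_ACCESSIBILITY_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",  # TalkBack screen reader (assumed approved)
    "com.example.corp.mdm",                # hypothetical corporate MDM agent
})


def parse_enabled_services(raw: str) -> list[str]:
    """Split the setting value into component names; 'null' means the key is unset."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [c for c in raw.split(":") if c]


def package_of(component: str) -> str:
    """Component names look like 'pkg/cls' or 'pkg/.Cls'; the package precedes the '/'."""
    return component.split("/", 1)[0]


def find_unapproved(components: Iterable[str],
                    approved: frozenset = APPROVED_ACCESSIBILITY_PACKAGES) -> list[str]:
    """Return the components whose package is not on the allowlist."""
    return [c for c in components if package_of(c) not in approved]


def audit_device(serial: Optional[str] = None) -> list[str]:
    """Query a connected device through adb (needs adb on PATH and an authorised device)."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "settings", "get", "secure", "enabled_accessibility_services"]
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return find_unapproved(parse_enabled_services(out))


# Constructed sample: TalkBack plus an unrecognised "PDF viewer" that holds accessibility access.
SAMPLE_OUTPUT = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.pdfviewer.free/.AccService\n"
)

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; call audit_device() for a real device.
    for comp in find_unapproved(parse_enabled_services(SAMPLE_OUTPUT)):
        print("UNAPPROVED accessibility service:", comp)
```

In an MDM fleet this check would run as a scheduled compliance script per device; any hit is a candidate for the EDR/SOC triage the paragraph above describes, since a banking Trojan of this family depends on exactly this permission.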
Affected Countries
Spain, Italy, Germany, France, United Kingdom, Netherlands
Indicators of Compromise
- hash: 03c1e2d713c480ec7dc39f9c4fad39ec
- hash: 0a922d6347087f3317900628f191d069
- hash: 0ac15547240ca763a884e15ad3759cf1
- hash: 1b9c49e531f2ad7b54d40395252cbc20
- hash: 216edf4fc0e7a40279e79ff4a5faf4f6
- hash: 323d97c876f173628442ff4d1aaa8c98
- hash: 45d07497ac7fe550b8b394978652caa9
- hash: 5c11e88d1b68a84675af001fd4360068
- hash: 628b27234e68d44e01ea7a93a39f2ad3
- hash: 660d4eeb022ee1de93b157e2aa8fe1dc
- hash: 687fdfa9417cfac88b314deb421cd436
- hash: 6b0d14fb1ddd04ac26fb201651eb5070
- hash: 79e96f11974f0cd6f5de0e7c7392b679
- hash: 7ae448b067d652f800b0e36b1edea69f
- hash: 81f91f201d861e4da765bae8e708c0d0
- hash: 84bc219286283ca41b7d229f83fd6fdc
- hash: 8820ab362b7bae6610363d6657c9f788
- hash: 8949f492001bb0ca9212f85953a6dcda
- hash: 90221365f08640ddcab86a9cd38173ce
- hash: 90279863b305ef951ab344af5246b766
- hash: 93553897e9e898c0c1e30838325ecfbd
- hash: 940f3a03661682097a4e7a7990490f61
- hash: 97003f4dcf81273ae882b6cd1f2839ef
- hash: a28d13c6661ca852893b5f2e6a068b55
- hash: b33f1a3c8e245f4ffc269e22919d5f76
- hash: b3f0223e99b7b66a71c2e9b3a0574b12
- hash: bcbfec6f1da388ca05ec3be2349f47c7
- hash: e9b0bae8a8724a78d57bec24796320c0
- hash: fa2b090426691e08b18917d3bbaf87ce
- hash: fd43666006938b7c77b990b2b4531b9a
- hash: 07c1df0c619404433ef520fa93cb05cb8ef0777e
- hash: 0c60cb00fb1839b6cf83d1be841f7726cb242ff7
- hash: 1c925256ab4f88e2e12bc59124e1583d9518ee00
- hash: 41ab4ae6d6548190da8b6b9583ea11d5f571bf7a
- hash: 6c55b1fd01088f1d71ecb7a05cbfa78a195e3482
- hash: ad23844e0894f0f19a19b319a748b05fa9adaf98
- hash: be46e50a4e10271cd654e1acff1f8638c47f3ab4
- hash: d70aa120fed8801e0e635a3173f59960403c0303
- hash: 4d2ef8f7dcc4b39436062e5666cbf5e3d41f990a272b16660418ee60bde6cdd1
- hash: 52537ae43cc20c6c408dffddb83cc785cd942f43282047c4e48448f6576a75bd
- hash: 712b2d385b578fe9fa2bc404ef27b9204a0c67e4ded6129975e6f0464983ff10
- hash: 7b9f3d2d8a39d3cdc268c8fa5a5a51986a183266e5194ffcb53257d4219d287b
- hash: 8e83e6544c5b8d92360e6f8f8777be655d4ecf16e38b58c8d5bf2e76b224f6fb
- hash: a1af1cc7d4e90083f7d90bc6eaa884146bcd21b2c76641e03c326f0cc1dc1e68
- hash: a9916294cdc4de511fa09f441093456bb488928519a79ac950ad116adef981ee
- hash: c9c454913ce6062a4387a92283b80e62391751b31a9b22ac9aa27dcc3edd3b4f
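The hashes above are most useful when matched automatically against an app inventory exported from MDM or EDR tooling. The following Python script is an added example, not part of the original advisory: it loads a hash list, labels each entry by algorithm from its length (MD5, SHA-1, SHA-256), and flags inventory rows whose APK hash matches. Only a subset of the advisory's indicators is embedded; the CSV export format, device names and the package name com.example.fakebank are constructed, and the non-matching hashes in the sample are made up.

```python
"""Match APK hashes from a device inventory export against the Zanubis IoC list.

Added example, not from the original advisory. The hash subset below is copied
from the advisory; the CSV layout and sample rows are constructed.
"""
import csv
import io
import re

# Subset of the advisory's indicators (MD5, SHA-1, SHA-256); paste the full list in use.
ZANUBIS_HASHES = """
03c1e2d713c480ec7dc39f9c4fad39ec
0a922d6347087f3317900628f191d069
fd43666006938b7c77b990b2b4531b9a
07c1df0c619404433ef520fa93cb05cb8ef0777e
d70aa120fed8801e0e635a3173f59960403c0303
4d2ef8f7dcc4b39436062e5666cbf5e3d41f990a272b16660418ee60bde6cdd1
c9c454913ce6062a4387a92283b80e62391751b31a9b22ac9aa27dcc3edd3b4f
"""

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
HEX_RE = re.compile(r"^[0-9a-f]+$")


def load_iocs(text: str) -> dict[str, str]:
    """Normalise hashes to lowercase, label by algorithm, and drop malformed entries."""
    iocs = {}
    for token in text.split():
        h = token.strip().lower()
        algo = HASH_LENGTHS.get(len(h))
        if algo and HEX_RE.match(h):
            iocs[h] = algo
    return iocs


def scan_inventory(csv_text: str, iocs: dict[str, str]) -> list[dict]:
    """Return one hit per inventory row whose apk_hash is a known indicator."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        h = row["apk_hash"].strip().lower()   # exports often mix upper/lower case
        if h in iocs:
            hits.append({"device": row["device"], "package": row["package"],
                         "hash": h, "algo": iocs[h]})
    return hits


# Constructed sample export: row 2 carries an MD5 from the advisory (uppercased),
# row 3 carries a near-miss SHA-256 (last hex digit changed) that must not match.
SAMPLE_INVENTORY = """\
timestamp,device,package,apk_hash
2025-06-01T09:12:00Z,android-0017,com.android.chrome,9e107d9d372bb6826bd81d3542a419d6
2025-06-01T09:12:00Z,android-0017,com.example.fakebank,03C1E2D713C480EC7DC39F9C4FAD39EC
2025-06-01T09:13:00Z,android-0042,org.mozilla.firefox,4d2ef8f7dcc4b39436062e5666cbf5e3d41f990a272b16660418ee60bde6cdd0
"""

if __name__ == "__main__":
    for hit in scan_inventory(SAMPLE_INVENTORY, load_iocs(ZANUBIS_HASHES)):
        print(f"IOC match on {hit['device']}: {hit['package']} ({hit['algo']} {hit['hash']})")
```

Because the list mixes three digest algorithms, an export that records only one of them will only ever match that subset; check which digest your MDM computes before relying on the list for coverage.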
Technical Details
- Author: AlienVault
- TLP: white
- References: https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/116588
- Adversary: Zanubis
- Pulse Id: 68374e978eb7b411096dc0b4
- Threat Score: null
Threat ID: 683771fd182aa0cae25be6be
Added to database: 5/28/2025, 8:28:45 PM
Last enriched: 6/27/2025, 9:26:10 PM
Last updated: 7/31/2025, 9:20:23 AM