Zanubis is a sophisticated Android banking Trojan first identified in 2022, initially targeting financial institutions in Peru. Over time, it has evolved to expand its attack surface to include virtual cards and cryptocurrency wallets, reflecting a strategic shift to high-value digital assets. The malware operates by impersonating legitimate applications to deceive users into granting accessibility permissions. These permissions are critical as they allow Zanubis to perform extensive data theft and device control operations. Key technical capabilities of Zanubis include SMS hijacking, which enables interception and manipulation of text messages often used in two-factor authentication; screen recording to capture sensitive user interactions; and stealing device credentials to facilitate unauthorized access to financial accounts. Recent iterations of Zanubis demonstrate enhanced obfuscation and encryption techniques, making detection and analysis more challenging for security tools. Additionally, the Trojan employs silent installation methods to avoid user suspicion and maintain persistence on infected devices. The threat actors behind Zanubis are believed to be based in Peru and continue to refine the malware’s capabilities and targeting strategies, focusing on high-value financial targets within their region. Although Zanubis has not been reported to exploit known vulnerabilities or have publicly available exploits, its evolving feature set and stealth techniques make it a persistent threat to Android users involved in financial transactions, particularly in Latin America.

For European organizations, the direct impact of Zanubis may currently be limited due to its primary targeting of Peruvian financial institutions and users. However, the Trojan’s capabilities pose a significant risk if it expands geographically or if European users engage with compromised applications or financial services linked to affected regions. The theft of credentials and interception of SMS messages can lead to unauthorized access to corporate and personal financial accounts, potentially resulting in financial loss, fraud, and reputational damage. Organizations with employees or customers using Android devices for banking or cryptocurrency management are at risk of data breaches and account takeovers. Additionally, the Trojan’s ability to silently install and evade detection could facilitate persistent access to sensitive information and lateral movement within corporate networks if infected devices connect to enterprise resources. The evolving nature of Zanubis underscores the need for vigilance in monitoring Android application ecosystems and user behavior, especially in sectors handling financial transactions or digital assets.

European organizations should implement targeted measures beyond standard mobile security practices. First, enforce strict mobile device management (MDM) policies that restrict installation of applications from untrusted sources and require verification of app legitimacy before installation. Employ advanced endpoint detection and response (EDR) solutions capable of monitoring Android devices for suspicious behaviors such as unauthorized accessibility permission grants, SMS interception attempts, and screen recording activities. Educate employees and users about the risks of granting accessibility permissions to unknown apps and encourage the use of official app stores only. Implement multi-factor authentication methods that do not rely solely on SMS-based verification to mitigate the risk of SMS hijacking. Regularly audit and update mobile security policies to include detection of obfuscated or encrypted malware components. Network-level protections such as anomaly detection for unusual outbound traffic from mobile devices can help identify compromised devices. Finally, collaborate with financial institutions to monitor for fraudulent transactions and share threat intelligence related to Zanubis and similar Android banking Trojans.