
Evolution of Zanubis, a banking Trojan for Android

Medium
Published: Wed May 28 2025 (05/28/2025, 17:57:43 UTC)
Source: AlienVault OTX General

Description

Zanubis is an evolving Android banking Trojan that emerged in 2022, targeting financial institutions in Peru before expanding to virtual cards and crypto wallets. It impersonates legitimate apps to trick users into granting accessibility permissions, enabling extensive data theft and device control. The malware has undergone significant development, incorporating features like SMS hijacking, screen recording, and device credential stealing. Recent versions show improved obfuscation, encryption, and silent installation techniques. The threat actors, likely based in Peru, continue to refine the malware's capabilities and targeting strategy, focusing on high-value financial targets in the region.

AI-Powered Analysis

Last updated: 06/27/2025, 21:26:10 UTC

Technical Analysis

Zanubis is a sophisticated Android banking Trojan first identified in 2022, initially targeting financial institutions in Peru. Over time it has broadened its targeting to include virtual cards and cryptocurrency wallets, reflecting a strategic shift toward high-value digital assets. The malware operates by impersonating legitimate applications to deceive users into granting accessibility permissions. These permissions are critical because they allow Zanubis to perform extensive data theft and device control operations.

Key technical capabilities include SMS hijacking, which enables interception and manipulation of text messages commonly used for two-factor authentication; screen recording to capture sensitive user interactions; and theft of device credentials to facilitate unauthorized access to financial accounts. Recent iterations demonstrate improved obfuscation and encryption, making detection and analysis harder for security tools. The Trojan also uses silent installation methods to avoid user suspicion and maintain persistence on infected devices.

The threat actors behind Zanubis are believed to be based in Peru and continue to refine the malware's capabilities and targeting strategies, focusing on high-value financial targets within their region. Although Zanubis has not been reported to exploit known vulnerabilities and no public exploits are associated with it, its evolving feature set and stealth techniques make it a persistent threat to Android users involved in financial transactions, particularly in Latin America.

Potential Impact

For European organizations, the direct impact of Zanubis may currently be limited due to its primary targeting of Peruvian financial institutions and users. However, the Trojan’s capabilities pose a significant risk if it expands geographically or if European users engage with compromised applications or financial services linked to affected regions. The theft of credentials and interception of SMS messages can lead to unauthorized access to corporate and personal financial accounts, potentially resulting in financial loss, fraud, and reputational damage. Organizations with employees or customers using Android devices for banking or cryptocurrency management are at risk of data breaches and account takeovers. Additionally, the Trojan’s ability to silently install and evade detection could facilitate persistent access to sensitive information and lateral movement within corporate networks if infected devices connect to enterprise resources. The evolving nature of Zanubis underscores the need for vigilance in monitoring Android application ecosystems and user behavior, especially in sectors handling financial transactions or digital assets.

Mitigation Recommendations

European organizations should implement targeted measures beyond standard mobile security practices. First, enforce strict mobile device management (MDM) policies that restrict installation of applications from untrusted sources and require verification of app legitimacy before installation. Employ advanced endpoint detection and response (EDR) solutions capable of monitoring Android devices for suspicious behaviors such as unauthorized accessibility permission grants, SMS interception attempts, and screen recording activities. Educate employees and users about the risks of granting accessibility permissions to unknown apps and encourage the use of official app stores only. Implement multi-factor authentication methods that do not rely solely on SMS-based verification to mitigate the risk of SMS hijacking. Regularly audit and update mobile security policies to include detection of obfuscated or encrypted malware components. Network-level protections such as anomaly detection for unusual outbound traffic from mobile devices can help identify compromised devices. Finally, collaborate with financial institutions to monitor for fraudulent transactions and share threat intelligence related to Zanubis and similar Android banking Trojans.
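The recommendation above to watch for unauthorized accessibility-permission grants and untrusted app installs can be turned into a simple device posture check. The script below is an added example written for this page, not code from AlienVault, Kaspersky or the Zanubis report. It parses two inputs in the formats produced by `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` entries) and `adb shell pm list packages -3` (one `package:<name>` line per third-party app) and compares them against MDM allowlists. The two input strings and every package name in them are constructed samples, and the allowlists are hypothetical; none of them are Zanubis indicators from this page.

```python
"""Audit an Android device's enabled accessibility services and third-party
packages against MDM allowlists (added example; inputs are constructed)."""

from dataclasses import dataclass

# Constructed sample: the raw value of Settings.Secure.enabled_accessibility_services.
# Package names are hypothetical placeholders, not indicators from the page.
SAMPLE_ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakebank/com.example.fakebank.AccessService"
)

# Constructed sample output of `pm list packages -3` (third-party packages only).
SAMPLE_PACKAGE_LIST = """package:com.example.corpmail
package:com.example.fakebank
package:com.example.authenticator
"""

# Hypothetical allowlists an MDM administrator would maintain.
ALLOWED_ACCESSIBILITY_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
ALLOWED_THIRD_PARTY_PACKAGES = {"com.example.corpmail", "com.example.authenticator"}


@dataclass
class Finding:
    kind: str      # "accessibility" or "sideload"
    subject: str   # service entry or package name
    detail: str


def parse_accessibility_services(setting: str) -> list[str]:
    """Split the colon-separated setting into package/service entries.
    An empty value or the literal 'null' (no services enabled) yields []."""
    if not setting or setting.strip() == "null":
        return []
    return [entry.strip() for entry in setting.split(":") if entry.strip()]


def parse_package_list(output: str) -> list[str]:
    """Extract package names from `pm list packages` lines ('package:<name>')."""
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def audit_device(accessibility_setting: str, package_output: str,
                 allowed_services=ALLOWED_ACCESSIBILITY_SERVICES,
                 allowed_packages=ALLOWED_THIRD_PARTY_PACKAGES) -> list[Finding]:
    """Return one Finding per accessibility service or third-party package
    that is not on the corresponding allowlist. A service whose owning
    package is also unapproved is the pattern the analysis describes
    (sideloaded app that has been granted accessibility access)."""
    findings: list[Finding] = []
    for service in parse_accessibility_services(accessibility_setting):
        if service not in allowed_services:
            owning_pkg = service.split("/", 1)[0]
            detail = "accessibility service enabled outside allowlist"
            if owning_pkg not in allowed_packages:
                detail += "; owning package is also not an approved third-party app"
            findings.append(Finding("accessibility", service, detail))
    for pkg in parse_package_list(package_output):
        if pkg not in allowed_packages:
            findings.append(Finding("sideload", pkg, "third-party package not in MDM allowlist"))
    return findings


if __name__ == "__main__":
    for f in audit_device(SAMPLE_ACCESSIBILITY_SETTING, SAMPLE_PACKAGE_LIST):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

In practice the two strings would come from the device via `adb` or an MDM agent's inventory API rather than being embedded; the parsing and allowlist comparison stay the same, and the `accessibility` findings are the ones worth alerting on first, since an accessibility grant to an unapproved package is the precondition for the data-theft and device-control behaviour the analysis describes.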


Technical Details

Author
AlienVault
Tlp
white
References
https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/116588
Adversary
Zanubis
Pulse Id
68374e978eb7b411096dc0b4
Threat Score
null

Indicators of Compromise

Hash

Type  Value
hash  03c1e2d713c480ec7dc39f9c4fad39ec
hash  0a922d6347087f3317900628f191d069
hash  0ac15547240ca763a884e15ad3759cf1
hash  1b9c49e531f2ad7b54d40395252cbc20
hash  216edf4fc0e7a40279e79ff4a5faf4f6
hash  323d97c876f173628442ff4d1aaa8c98
hash  45d07497ac7fe550b8b394978652caa9
hash  5c11e88d1b68a84675af001fd4360068
hash  628b27234e68d44e01ea7a93a39f2ad3
hash  660d4eeb022ee1de93b157e2aa8fe1dc
hash  687fdfa9417cfac88b314deb421cd436
hash  6b0d14fb1ddd04ac26fb201651eb5070
hash  79e96f11974f0cd6f5de0e7c7392b679
hash  7ae448b067d652f800b0e36b1edea69f
hash  81f91f201d861e4da765bae8e708c0d0
hash  84bc219286283ca41b7d229f83fd6fdc
hash  8820ab362b7bae6610363d6657c9f788
hash  8949f492001bb0ca9212f85953a6dcda
hash  90221365f08640ddcab86a9cd38173ce
hash  90279863b305ef951ab344af5246b766
hash  93553897e9e898c0c1e30838325ecfbd
hash  940f3a03661682097a4e7a7990490f61
hash  97003f4dcf81273ae882b6cd1f2839ef
hash  a28d13c6661ca852893b5f2e6a068b55
hash  b33f1a3c8e245f4ffc269e22919d5f76
hash  b3f0223e99b7b66a71c2e9b3a0574b12
hash  bcbfec6f1da388ca05ec3be2349f47c7
hash  e9b0bae8a8724a78d57bec24796320c0
hash  fa2b090426691e08b18917d3bbaf87ce
hash  fd43666006938b7c77b990b2b4531b9a
hash  07c1df0c619404433ef520fa93cb05cb8ef0777e
hash  0c60cb00fb1839b6cf83d1be841f7726cb242ff7
hash  1c925256ab4f88e2e12bc59124e1583d9518ee00
hash  41ab4ae6d6548190da8b6b9583ea11d5f571bf7a
hash  6c55b1fd01088f1d71ecb7a05cbfa78a195e3482
hash  ad23844e0894f0f19a19b319a748b05fa9adaf98
hash  be46e50a4e10271cd654e1acff1f8638c47f3ab4
hash  d70aa120fed8801e0e635a3173f59960403c0303
hash  4d2ef8f7dcc4b39436062e5666cbf5e3d41f990a272b16660418ee60bde6cdd1
hash  52537ae43cc20c6c408dffddb83cc785cd942f43282047c4e48448f6576a75bd
hash  712b2d385b578fe9fa2bc404ef27b9204a0c67e4ded6129975e6f0464983ff10
hash  7b9f3d2d8a39d3cdc268c8fa5a5a51986a183266e5194ffcb53257d4219d287b
hash  8e83e6544c5b8d92360e6f8f8777be655d4ecf16e38b58c8d5bf2e76b224f6fb
hash  a1af1cc7d4e90083f7d90bc6eaa884146bcd21b2c76641e03c326f0cc1dc1e68
hash  a9916294cdc4de511fa09f441093456bb488928519a79ac950ad116adef981ee
hash  c9c454913ce6062a4387a92283b80e62391751b31a9b22ac9aa27dcc3edd3b4f

Threat ID: 683771fd182aa0cae25be6be

Added to database: 5/28/2025, 8:28:45 PM

Last enriched: 6/27/2025, 9:26:10 PM

Last updated: 7/31/2025, 9:20:23 AM

Views: 14
