{
	"id": "a70cc638-8c07-44e3-b5e0-8f396eb0afdf",
	"created_at": "2026-04-06T00:17:07.749237Z",
	"updated_at": "2026-04-10T03:21:46.830307Z",
	"deleted_at": null,
	"sha1_hash": "1aa5c22f2810d88dd5acabd1965cddec13f0cfb2",
	"title": "An upsurge of new Android Banking Trojan “Zanubis”",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2133467,
	"plain_text": "An upsurge of new Android Banking Trojan “Zanubis”\r\nPublished: 2022-12-07 · Archived: 2026-04-05 23:03:47 UTC\r\nWe came across a tweet about an Android malware sample, a banking trojan that mainly targets Peruvian banks by abusing the Accessibility Service and using an overlay screen to steal the user’s banking credentials.\r\nWhen the package “p4d236d9a.p34240997.p9a09b4df” under analysis is installed, the banking trojan appears under the name “Sunat” in the app drawer, as shown in Fig.1, and the malicious application prompts the user to grant the accessibility service and battery optimization permissions, as shown in Fig.2. After execution, the app removes itself from the app drawer to hide its presence from the user.\r\nhttps://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/\r\nPage 1 of 10\r\nFig.1: App drawer\r\nFig.2: Permissions requested by the malware\r\nTechnical Analysis:\r\nZanubis gathers the following data from the victim’s device: the contact list, the list of installed apps, and device information such as manufacturer, model and release, as shown in Fig.3.\r\nFig.3: Collecting device data\r\nOnce the app is launched on the victim’s device, it loads the hardcoded initial C2 URL to post the victim’s device data to a remote server (http[:]//5.252.178[.]86:8000) and receives encrypted data from the server, as shown in Fig.4.\r\nFig.4: Encrypted data from C2\r\nThe malware author uses “$%FLO032DFKSF234dsdf4RLOCMV@#” as the key, as shown in Fig.5, to decrypt the responses received from the C2 server, as shown in Fig.6.\r\nFig.5: Decryption Key\r\nFig.6: Decrypted id using CyberChef\r\nAfter decryption, the malware connects to the same C2, appending the decrypted id mentioned above to the initial URL (https[:]//mibegnon.com/wp-content/css/index.php?q=001\u0026id=b385548c64582f12), as shown in Fig.7 and Fig.8.\r\nFig.7: C2 Panel\r\nFig.8: C2 Panel\r\nOnce the accessibility service permission is granted, the malware connects to the C\u0026C server and receives the list of targeted applications as the C2 response. The malware decrypts the response using the same hardcoded key and saves the decrypted data into the shared preference file “_arg_cc638784cf21398gga6ec75983a4aa08caddada.xml”, as shown in Fig.9.\r\nFig.9: Decryption key, initial url and shared preference filename\r\nThe targeted applications listed in the shared preferences focus on Peruvian banks, as shown in Fig.10.\r\nFig.10: Shared preference file that contains the list of targeted applications\r\nWhenever the user interacts with one of the targeted applications listed in the shared preference file, the malware displays an overlay screen on top of that application to capture the login credentials of the targeted banking app. The malware also displays the website of the Peruvian National Superintendence of Customs and Tax Administration to steal the victim’s credentials, as shown in Fig.11.\r\nFig.11: Government site displayed\r\nBanking trojans for mobile devices are still emerging at regular intervals, and at K7 we protect users from such threats. Do ensure that you protect your mobile devices with a reputable security product like K7 Mobile Security, and regularly update it and scan your devices with it. Also keep your devices updated and patched against the latest security vulnerabilities.\r\nC2 mentioned in the shared preference: 5.252.178.70\r\nThe list of applications targeted by the malware is:\r\npe.com.banBifBanking.icBanking.androidUI\r\ncom.bbva.nxt_peru\r\npe.com.interbank.mobilebanking\r\ncom.mibanco.bancamovil\r\npe.com.scotiabank.blpm.android.client\r\ncom.bcp.bank.bcp\r\npe.com.bn.app.bancodelanacion\r\nper.bf.desa\r\ncom.bcp.innovacxion.yapeapp\r\ncom.pe.cajasullana.cajamovil\r\npe.pichincha.bm\r\ncom.ripley.banco.peru\r\ncom.cmac.cajamovilaqp\r\ncom.cajahuancayo.cajahuancayo.appcajahuancayo\r\ncom.cmacica.prd\r\npe.cajapiura.bancamovil\r\npe.solera.tarjetaoh\r\ncom.alfinbanco.appclientes\r\npe.com.bancomercio.mobilebanking\r\ncom.bm_gnb_pe\r\ncom.zoluxiones.officebanking\r\npe.com.cajametropolitana.homebankingcml.cmlhomebanking\r\ncom.pe.cajacusco.movil\r\ncom.caja.myapplication\r\ncom.cajamaynas.cajamaynas\r\ncom.cajatacna.droid\r\ncom.appcajatrujillo\r\npe.com.tarjetacencosud.canales.mitarjetacencosud\r\npe.com.cajacentro\r\npe.com.prymera.digital.app\r\npe.com.compartamos.bancamovil\r\npe.confianza.bancamovil\r\nid=com.credinkamovil.pe\r\npe.com.scotiabank.blpm.android.client.csf\r\ncom.efectivadigital.appclientes\r\ncom.qapaq.banking\r\npe.com.tarjetasperuanasprepago.tppapp\r\nmaximo.peru.pe\r\nair.PrexPeru\r\npe.com.tarjetaw.neobank\r\ncom.fif.fpay.android.pe\r\ncom.cencosud.pe.metro\r\ncom.cencosud.pe.wong\r\ncom.tottus\r\ncom.pichincha.cashmanagement\r\ncom.binance.dev\r\ncom.gateio.gateio\r\ncom.google.android.apps.authenticator2\r\ncom.bbva.GEMA.global\r\npe.com.scotiabank.businessbanking\r\ncom.bcp.bank.tlc\r\ncom.scotiabank.telebankingapp\r\ncom.bitkeep.wallet\r\ncom.bitmart.bitmarket\r\ncom.bitcoin.mwallet\r\ncom.bbva.bbvawalletpe\r\ncom.bbva.lukita\r\ncash.klever.blockchain.wallet\r\norg.theta.wallet\r\ncom.wallet.crypto.trustapp\r\ncom.myetherwallet.mewwallet\r\npe.interbank.bie\r\nC2 Links:\r\nhttp://001.kidz4lifeplus.org/005/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/006/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/001/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/004/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/002/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/010/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/003/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/008/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/007/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/009/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/011/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/015/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/017/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/012/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/014/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/013/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nhttp://001.kidz4lifeplus.org/016/389d3bf103aeec5039e30f1410d18fcd/inicio?tg81w=cv34\r\nIOC\r\nPackage Name: p4d236d9a.p34240997.p9a09b4df\r\nHash: 17fa297998833bad8fb12ee779288807\r\nK7 Detection name: Trojan ( 0001140e1 )\r\nMITRE ATT\u0026CK\r\nTactics: Techniques\r\nCredential Access: Capture SMS Messages\r\nCollection: Access Contact List, Location Tracking, Screen Capture\r\nDiscovery: Application Discovery, System Information\r\nCommand and Control: Non-Standard Port\r\nSource: https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://labs.k7computing.com/index.php/an-upsurge-of-new-android-banking-trojan-zanubis/"
	],
	"report_names": [
		"an-upsurge-of-new-android-banking-trojan-zanubis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434627,
	"ts_updated_at": 1775791306,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aa5c22f2810d88dd5acabd1965cddec13f0cfb2.pdf",
		"text": "https://archive.orkl.eu/1aa5c22f2810d88dd5acabd1965cddec13f0cfb2.txt",
		"img": "https://archive.orkl.eu/1aa5c22f2810d88dd5acabd1965cddec13f0cfb2.jpg"
	}
}