{
	"id": "fe104cfd-4fe0-4421-afa5-a63af2e8aea1",
	"created_at": "2026-04-06T00:06:37.648746Z",
	"updated_at": "2026-04-10T03:24:39.701591Z",
	"deleted_at": null,
	"sha1_hash": "c4922c3c858be6228065ee5998cecd2b74b413e1",
	"title": "Zanubis in motion: Tracing the active evolution of the Android banking malware",
	"llm_title": "",
	"authors": "Leandro Cuozzo",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 528132,
	"plain_text": "Zanubis in motion: Tracing the active evolution of the Android\r\nbanking malware\r\nBy Leandro Cuozzo\r\nPublished: 2025-05-28 · Archived: 2026-04-05 17:05:20 UTC\r\nIntroduction\r\nZanubis is a banking Trojan for Android that emerged in mid-2022. Since its inception, it has targeted banks and\r\nfinancial entities in Peru, before expanding its objectives to virtual cards and crypto wallets.\r\nThe main infection vector of Zanubis is impersonating legitimate Peruvian Android applications and then\r\nmisleading the user into enabling the accessibility permissions. Once these permissions are granted, the malware\r\ngains extensive capabilities that allow its operators to steal the user’s banking data and credentials, as well as\r\nperform remote actions and control the device without the user’s knowledge.\r\nThis Android malware is undergoing continuous development, and we have seen new samples extending their data\r\nexfiltration and remote-control functionality as well as new obfuscation methods and deceptive tactics. The threat\r\nactors behind Zanubis continue to refine its code – adding features, switching between encryption algorithms,\r\nshifting targets, and tweaking social engineering techniques to accelerate infection rates. These updates are often\r\naligned with recurring campaigns, suggesting a deliberate effort to keep the malware relevant and effective.\r\nTo understand how the Trojan reached its current stage, we need to look back at its origins and the early signs of\r\nwhat was to come. Join us in this blogpost as we take a closer look at the malware’s evolution over time.\r\n2022: From zero to threat\r\nZanubis was first observed in the wild around August 2022, initially targeting financial institutions and\r\ncryptocurrency exchange users in Peru. 
At the time of its discovery, the malware was distributed through apps\r\ndisguised as a PDF reader, using the logo of a well-known application to appear legitimate and lure victims into\r\ninstalling it.\r\nIn its early stages, Zanubis employed a much simpler and more limited approach than the functionality explored\r\nlater in this post. The malware retrieved its configuration and the package names of all the targeted applications by\r\nfetching a hardcoded Pastebin page and parsing its content as XML/HTML.\r\nUpon startup, the malware collected key information from the infected device: the contact list, the list of installed\r\napplications, and device identifiers such as the manufacturer, model, and build fingerprint. The Trojan also checked\r\nwhether the device was a Motorola, Samsung, or Huawei, suggesting brand-specific behavior or targeting.\r\nhttps://securelist.com/evolution-of-zanubis-banking-trojan-for-android/116588/\r\nPage 1 of 13\n\nAdditionally, the malware read the battery optimization settings and attempted to exclude itself from them, most\r\nlikely to keep running in the background without interruption. All of the gathered information was then formatted\r\nand transmitted to a remote server over WebSocket. Zanubis used a hardcoded initial URL to establish the\r\nconnection and exfiltrate the collected data, and received a small set of commands from the C2 server over the\r\nsame channel.\r\nThe malware operated as an overlay-based banking Trojan that abused Android’s accessibility service. With\r\naccessibility access, it ran silently in the background and monitored which application was in the foreground. When\r\nit detected that a targeted application had been opened, it immediately displayed a pre-generated overlay that\r\nmimicked the legitimate interface. 
This overlay captured\r\nthe user’s credentials as they were entered, effectively stealing sensitive information without raising suspicion.\r\nZanubis targeted 40 banking and financial applications in Peru. The malware maintained a predefined list of\r\npackage names corresponding to these institutions and used it to trigger the overlay attacks. This targeting\r\nreflected a focused campaign aimed at compromising users of financial services through credential theft.\r\nAt that point, the malware appeared to be under active development – code obfuscation had not yet been\r\nimplemented, so the samples were fully readable upon decompilation, and several debugging functions were still\r\npresent in the versions captured in the wild.\r\n2023: Multi-feature upgrade\r\nIn April 2023, we identified a new campaign featuring a revamped version of Zanubis. This time, the malicious\r\npackage masqueraded as the official Android application of SUNAT (Superintendencia Nacional de Aduanas y de\r\nAdministración Tributaria), Peru’s national tax and customs authority. It copied both the name and icon of the\r\nlegitimate app, making it appear authentic to unsuspecting users.\r\nShift to obfuscation\r\nUnlike earlier versions, this variant introduced significant changes in terms of stealth. The code was fully\r\nobfuscated, making manual analysis and detection more difficult. After decompilation, it became clear that, to\r\ncomplicate analysis, the threat actors had used Obfuscapk, a widely used open-source obfuscation framework for\r\nAndroid APKs. Obfuscapk combines multiple techniques, including a range of obfuscators and so-called\r\n“confusers”. These vary in complexity, from basic measures like renaming classes, adding junk code, and\r\nreplacing method signatures, to more advanced strategies such as RC4 encryption of code and control-flow\r\nobfuscation. 
The goal was to hinder reverse engineering and slow down both static and dynamic analysis, giving\r\nthe operators more time to run their campaigns undetected.\r\nJunk code (on the left) and renaming (on the right) obfuscation methods applied to the malicious implant\r\nOnce installed and executed, the malware set up its internal components, including various classes,\r\nfunctions, and the SharedPreferences object, all essential to the Trojan’s operation. SharedPreferences typically\r\nstores sensitive configuration data such as C2 server URLs, encryption keys, API endpoints, and communication\r\nports, which makes it one of the first places to look during analysis.\r\nDeceptive tricks\r\nThroughout all versions of Zanubis, a key step in its execution flow has been to ensure it has accessibility service\r\npermissions, which are crucial for its overlay attacks and background monitoring. To obtain these, the malware\r\nchecks whether it is running for the first time and whether the necessary permissions have been granted. If not, it\r\nemploys a deceptive ploy to manipulate the user into enabling them, one that varies between versions.\r\nIn the 2023 version, the malware displayed a fake instructional webpage in a WebView, claiming that additional\r\npermissions were needed to view a document – a plausible excuse, given the app’s disguise as an official\r\napplication. 
On this page, a prominent button labeled “Ir a Accesibilidad” (“Go to Accessibility”) was presented.\r\nOnce tapped, the button redirected the user to the system’s Accessibility Settings screen or, depending on the\r\ndevice model, directly to the panel for enabling the accessibility service of the malicious app.\r\nInstructions to trick the user into enabling Accessibility Permissions\r\nThis trick relies heavily on social engineering, leveraging trust in the app’s appearance and the user’s lack of\r\nawareness about Android’s permission system. Once accessibility permissions are granted, the malware silently\r\nenables additional settings to bypass battery optimization, ensuring it can remain active in the background\r\nindefinitely, ready to execute its malicious functions without user intervention.\r\nWith background access secured, the malware loads a legitimate SUNAT website used by real users to check debts\r\nand tax information. By embedding this trusted page in a WebView, the app reinforces its disguise and avoids\r\nraising suspicion, appearing as a normal, functional part of SUNAT’s official services while continuing its\r\nmalicious activity in the background.\r\nData harvesting\r\nJust like earlier versions, the malware began by collecting device information and connecting to its C2 server to\r\nawait further instructions. Communication with the C2 API was encrypted with RC4 using a hardcoded key and then\r\nBase64-encoded; because the key is hardcoded, anyone holding a sample can decrypt captured traffic in both\r\ndirections. Once initialization was complete, the malware entered a Socket.IO polling loop, sleeping for 10\r\nseconds between checks for incoming events emitted by the C2 server. 
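The 2023 wire format described above, RC4 under a hardcoded key followed by Base64, as an added analyst-side example in Go. This is not code from the post or from the malware: the key, the message layout and the sample messages are constructed for the demonstration, and the real key is not published in the post. The second half shows why a fixed RC4 key is weak: one known plaintext recovers the keystream prefix, which then decrypts every other captured message of that length or shorter without the key.

```go
// Added example, not Zanubis code: a decoder for the 2023 C2 format described
// above (RC4 with a hardcoded key, then Base64), plus a check showing why a
// fixed RC4 key is weak. The key and messages are constructed for the demo;
// the post does not publish the real key.
package main

import (
	"crypto/rc4" // broken as a cipher; used here only to decode captured traffic
	"encoding/base64"
	"fmt"
)

// rc4Xor applies the RC4 keystream; the same call encrypts and decrypts.
func rc4Xor(key, data []byte) ([]byte, error) {
	c, err := rc4.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	c.XORKeyStream(out, data)
	return out, nil
}

// encodeC2 models the outbound format: Base64(RC4(key, plaintext)).
func encodeC2(key, plaintext []byte) (string, error) {
	ct, err := rc4Xor(key, plaintext)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// decodeC2 reverses it: Base64-decode, then strip the keystream.
func decodeC2(key []byte, blob string) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return nil, err
	}
	return rc4Xor(key, ct)
}

// recoverKeystream shows the keystream-reuse problem: with one fixed key every
// message is XORed with the same RC4 keystream, so a single known plaintext
// (for instance a registration message whose layout the analyst already knows)
// yields the keystream prefix, and that prefix decrypts the same prefix of
// every other captured message without the key.
func recoverKeystream(knownPlain, knownCipher []byte) []byte {
	n := len(knownPlain)
	if len(knownCipher) < n {
		n = len(knownCipher)
	}
	ks := make([]byte, n)
	for i := range ks {
		ks[i] = knownPlain[i] ^ knownCipher[i]
	}
	return ks
}

// applyKeystream strips a recovered keystream prefix from another ciphertext;
// bytes beyond the recovered prefix are left untouched.
func applyKeystream(ks, ct []byte) []byte {
	out := append([]byte(nil), ct...)
	for i := 0; i < len(out) && i < len(ks); i++ {
		out[i] ^= ks[i]
	}
	return out
}

func main() {
	key := []byte("hardcoded-2023-key") // constructed demo key, not the real one
	known := []byte(`{"type":"register","model":"demo"}`)
	blob, _ := encodeC2(key, known)
	pt, _ := decodeC2(key, blob)
	fmt.Printf("wire: %s\ndecoded: %s\n", blob, pt)

	// Keystream reuse: decrypt a second message using only the known first one.
	c1, _ := rc4Xor(key, known)
	c2, _ := rc4Xor(key, []byte(`{"type":"cmd","name":"getSms"}`))
	ks := recoverKeystream(known, c1)
	fmt.Printf("second message without the key: %s\n", applyKeystream(ks, c2))
}
```

In practice the key comes from the sample itself (the post notes that SharedPreferences and the decompiled code hold such material), and the Base64 blobs come from the captured Socket.IO payloads; the keystream-reuse step is what an analyst falls back on when only traffic, and not the sample, is available.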
This time, however, the list of available\r\ncommands had grown significantly, expanding the malware’s capabilities far beyond previous versions.\r\nWhen a targeted app was detected running on the device, this version of Zanubis took one of two actions to steal\r\nuser data, depending on its current settings. The first method involved keylogging by tracking user interface\r\nevents such as taps, focus changes, and text input, effectively capturing sensitive information like credentials or\r\npersonal data. These logs were stored locally and later sent to the C2 server upon request. Alternatively, Zanubis\r\ncould activate screen recording to capture everything the user did within the app, sending both visuals and\r\ninteraction data directly to the server.\r\nSMS hijacking\r\nAnother new feature introduced in this campaign is SMS hijacking, a critical technique for compromising bank\r\naccounts and services that rely on SMS for two-factor authentication. Once instructed by the C2 server, Zanubis\r\nset itself as the default SMS app on the device, allowing it to intercept all incoming messages via a custom\r\nreceiver. This gave the malware access to verification codes sent by banks and other sensitive services, and even\r\nthe ability to delete them before the user could see them, effectively hiding its activity.\r\nThese actions remained completely hidden from the user. Even if the user attempted to regain control and set their\r\ndefault SMS app back to normal, Zanubis would block that possibility.\r\nFake updates\r\nOne of the most invasive and deceptive behaviors exhibited by Zanubis was triggered through the\r\nbloqueoUpdate (“update lockout” in English) event, which simulated a legitimate Android system update. When\r\nactivated, the malware locked the device and prevented any normal interaction, rendering it almost completely\r\nunusable. 
Attempts to lock or unlock the screen were detected and blocked, making it nearly impossible for the user\r\nto interrupt the process.\r\nBefore displaying the fake update overlay, the malware could send a warning notification claiming that an urgent\r\nupdate was about to be installed, advising the user not to interact with the device. This increased the credibility of\r\nthe ruse and reduced the chances of user interference.\r\nBehind this fake update, Zanubis continued operating silently in the background, performing malicious tasks such\r\nas uninstalling apps, intercepting SMS messages, changing system settings, and modifying permissions, all\r\nwithout the victim’s awareness.\r\nFake update blocking the user from making use of the phone\r\n2024: Continuous development\r\nDuring 2024, we continued monitoring Zanubis on various resources, including third-party platforms. In early\r\nMay, we detected new variants in the wild, most of them on VirusTotal. Over 30 versions of the malware were\r\nuploaded from Peru, revealing the developer’s efforts to test and implement new functionality.\r\nSamples uploaded to VirusTotal\r\nReinforced encryption\r\nIn these newer iterations of Zanubis, the developers implemented mechanisms to protect hardcoded strings,\r\naiming to complicate analysis and reduce detection rates. The threat actors used a key derived via PBKDF2 to\r\nencrypt and decrypt strings on the fly with AES in ECB mode. 
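The 2024 string protection just described, AES in ECB mode under a PBKDF2-derived key, as an added Go example of the decryptor an analyst would write. It is not code from the post or from the malware, and everything the post does not publish is assumed here: PBKDF2-HMAC-SHA256 as the PRF, the passphrase, salt and iteration count, a 32-byte key, and PKCS#7 padding; the encryption routine exists only so the example can build its own ciphertext offline. The last function shows the weakness of ECB, which also applies to the per-message keys used for C2 traffic in the same version: equal plaintext blocks encrypt to equal ciphertext blocks, so repeated fields in a message remain visible without the key.

```go
// Added example, not Zanubis code: the decryptor an analyst would write for the
// 2024 string protection described above (AES in ECB mode under a PBKDF2-derived
// key). Assumed, because the post does not publish them: PBKDF2-HMAC-SHA256 as
// the PRF, the passphrase, salt and iteration count, a 32-byte key, PKCS#7 padding.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// pbkdf2SHA256 is PBKDF2-HMAC-SHA256 (RFC 8018, section 5.2) on the standard
// library alone: T_i = U_1 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_j-1).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		mac := hmac.New(sha256.New, password)
		mac.Write(salt)
		mac.Write(binary.BigEndian.AppendUint32(nil, block))
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ {
			mac = hmac.New(sha256.New, password)
			mac.Write(u)
			u = mac.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// aesECBEncrypt pads with PKCS#7 and encrypts each block on its own; it is
// here only so the example can build its own ciphertext offline.
func aesECBEncrypt(key, plaintext []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	pad := bs - len(plaintext)%bs
	in := append(append([]byte(nil), plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += bs {
		blk.Encrypt(out[i:i+bs], in[i:i+bs])
	}
	return out, nil
}

// aesECBDecrypt is the routine to drop into a string-decryption script: decrypt
// block by block, then validate and strip the padding. A padding error on a real
// sample usually means the key material or derivation parameters are wrong.
func aesECBDecrypt(key, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := blk.BlockSize()
	if len(ct) == 0 || len(ct)%bs != 0 {
		return nil, fmt.Errorf("ciphertext length %d is not a multiple of %d", len(ct), bs)
	}
	out := make([]byte, len(ct))
	for i := 0; i < len(ct); i += bs {
		blk.Decrypt(out[i:i+bs], ct[i:i+bs])
	}
	pad := int(out[len(out)-1])
	if pad == 0 || pad > bs || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key, salt, iterations or mode")
	}
	return out[:len(out)-pad], nil
}

// duplicateBlocks counts repeated ciphertext blocks. ECB has no chaining, so
// equal plaintext blocks encrypt to equal ciphertext blocks and repeated
// fields in C2 messages stay visible to anyone without the key.
func duplicateBlocks(ct []byte) int {
	seen := map[[aes.BlockSize]byte]bool{}
	dups := 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		var b [aes.BlockSize]byte
		copy(b[:], ct[i:i+aes.BlockSize])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

func main() {
	// Constructed demo values; nothing here is recovered from a real sample.
	key := pbkdf2SHA256([]byte("hardcoded-passphrase"), []byte("salt"), 1000, 32)
	ct, _ := aesECBEncrypt(key, []byte("https://c2.example.invalid/api/"))
	pt, _ := aesECBDecrypt(key, ct)
	fmt.Printf("decrypted string: %s\n", pt)
	field := `{"cmd":"ping"}  ` // exactly one 16-byte block, sent twice
	c2, _ := aesECBEncrypt(key, []byte(field+field))
	fmt.Printf("ECB leak: %d duplicated block(s)\n", duplicateBlocks(c2))
}
```

When adapting this to a sample, the passphrase, salt, iteration count and key length all come from the decompiled code; if the padding check fails, those parameters are the first thing to revisit, before suspecting the mode.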
This method allowed the implant to keep\r\ncritical strings hidden during static analysis, only revealing them when needed during execution.\r\nSource strings were not the only data encrypted in these new implants. The communication between the C2 and\r\nthe malware was also protected using AES in ECB mode, which indicates a shift from the use of RC4 in previous\r\nsamples. Unlike the hardcoded key used for string encryption, in this case, a new 32-byte key was randomly\r\ngenerated each time data was about to be sent.\r\nDevice credential stealing\r\nAmong the most critical actions performed by this version of Zanubis was the theft of device credentials. Once\r\nactive in the background, the malware constantly monitored system events triggered by other applications. When\r\nit detected activity related to authentication that needed the input of a PIN, password, or pattern, it attempted to\r\nidentify the type of authentication being used and captured the corresponding input.\r\nThe malware monitored specific signals that indicated the user was interacting with the lock screen or a secure\r\ninput method. When these were identified, the malware actively collected the characters entered or gestures used.\r\nIf it detected that the input was invalid, it reset the authentication tracking to avoid storing invalid data. Once the\r\ninput process was completed and the user moved on, the malware sent the collected credentials to the C2 server.\r\nDevice credentials collected by Zanubis\r\nExpanding scope\r\nThis version of the malware continued to target banking applications and financial institutions in Peru, expanding\r\nits reach to include virtual card providers, as well as digital and cryptocurrency wallets. 
This update added 14 new\r\ntargeted applications, increasing the scope of its attacks and broadening the range of financial services it could\r\nexploit.\r\n2025: Latest campaign\r\nIn mid-January 2025, we identified new samples indicating an updated version of Zanubis. The updates range\r\nfrom changes in the distribution and deception strategy to code modifications, new C2 commands, and\r\nimproved filtering of target applications for credential theft.\r\nNew distribution tactics\r\nZanubis previously impersonated Peru’s tax authority, SUNAT. In this new campaign, we have identified two new\r\nPeruvian entities being spoofed: a company in the energy sector and a bank that had not previously been abused.\r\nThe Trojan initially disguises itself as two legitimate apps from the targeted companies, each crafted to exploit a\r\nspecific user need. For the energy company, the malicious APK is distributed under names like\r\n“Boleta_XXXXXX” (“bill”) or “Factura_XXXXXX” (“invoice”), deceiving users into believing they are\r\nverifying a supposed bill or invoice.\r\nFake screen designed to verify invoices\r\nMeanwhile, for the bank, victims are enticed to download the malware under the guise of instructions from a fake\r\nbank advisor. This lure app acts as the initial dropper for the malware, using familiar, trusted contexts to ensure\r\nsuccessful installation.\r\nFollow your advisor’s instructions message from the fake bank app\r\nSilent installation\r\nOnce the user downloads and launches the lure app, a screen appears with the company’s logo, stating that\r\nnecessary checks are in progress. 
Meanwhile, in the background, the dropper attempts to silently install the final\r\npayload, Zanubis, which is embedded in the dropper’s own resources ( res/raw/ ). To install the APK, the dropper\r\nuses the standard PackageInstaller API: it opens an install session, writes the embedded APK into it, and commits\r\nthe session, so the installation completes in the background with no prompt or warning visible to the victim. This\r\ntechnique is employed to evade detection. After installation, an intent is sent to signal that the package has been\r\ninstalled. One caveat for analysts: on stock Android builds, a PackageInstaller session committed by an ordinary\r\nthird-party app still shows the system’s install confirmation, and the post does not describe how the dropper gets\r\npast it; the lure screen claiming that checks are in progress is what the victim sees in the meantime.\r\nSharpening targets\r\nIn the latest iteration of the malware, the scope of targeted entities has been significantly narrowed, with a clear\r\nfocus on banks and financial institutions. The once-broad range of targets, including cryptocurrency wallets, has\r\nbeen abandoned.\r\nThis strategic shift suggests an intention to streamline the attack efforts and concentrate on sectors that manage the\r\nmost sensitive and valuable data, such as banking credentials and financial transactions. By homing in on these\r\nhigh-stakes targets, the malware becomes even more dangerous, as it now focuses on the most lucrative avenues\r\nfor cybercriminals.\r\nWho’s behind?\r\nBased on our ongoing analysis of Zanubis, several indicators suggest that the threat actors behind the malware\r\nmay be operating from Peru. These indicators include, for instance, the consistent use of Latin American Spanish\r\nin the code, knowledge of Peruvian banking and government agencies, and telemetry data from our systems and\r\nVirusTotal.\r\nThe focus on Peruvian entities as targets also strongly indicates that the threat actors behind Zanubis are likely\r\nbased in Peru. 
These regional indicators, combined with the malware’s ongoing financial fraud campaigns, point\r\nto a well-organized operation focused on exploiting local institutions.\r\nConclusions\r\nZanubis has demonstrated a clear evolution, transitioning from a simple banking Trojan to a sophisticated,\r\nmulti-faceted threat. The malware has been continuously refined and enhanced, incorporating new features\r\nand capabilities. Its focus remains on high-value targets, particularly banks and financial institutions in Peru,\r\nmaking it a formidable adversary in the region.\r\nFurthermore, the attackers behind Zanubis show no signs of slowing down. They continue to innovate and adjust\r\ntheir tactics, shifting distribution methods to ensure the malware reaches new victims and executes silently. This\r\nconstant refinement demonstrates that Zanubis is not a transient threat but an ongoing, persistent menace, capable\r\nof further mutations to fulfill the financial goals of its developers.\r\nAs Zanubis continues to evolve and adapt, it is crucial for users and organizations alike to stay vigilant. 
The threat\r\nlandscape is constantly changing, and this malware’s ability to evolve and target new victims makes it an ever-present risk that cannot be ignored.\r\nIndicators of compromise\r\nZanubis 2025 version (MD5)\r\n81f91f201d861e4da765bae8e708c0d0\r\nfd43666006938b7c77b990b2b4531b9a\r\n8949f492001bb0ca9212f85953a6dcda\r\n45d07497ac7fe550b8b394978652caa9\r\n03c1e2d713c480ec7dc39f9c4fad39ec\r\n660d4eeb022ee1de93b157e2aa8fe1dc\r\n8820ab362b7bae6610363d6657c9f788\r\n323d97c876f173628442ff4d1aaa8c98\r\nb3f0223e99b7b66a71c2e9b3a0574b12\r\n7ae448b067d652f800b0e36b1edea69f\r\n0a922d6347087f3317900628f191d069\r\n0ac15547240ca763a884e15ad3759cf1\r\n1b9c49e531f2ad7b54d40395252cbc20\r\n216edf4fc0e7a40279e79ff4a5faf4f6\r\n5c11e88d1b68a84675af001fd4360068\r\n628b27234e68d44e01ea7a93a39f2ad3\r\n687fdfa9417cfac88b314deb421cd436\r\n6b0d14fb1ddd04ac26fb201651eb5070\r\n79e96f11974f0cd6f5de0e7c7392b679\r\n84bc219286283ca41b7d229f83fd6fdc\r\n90221365f08640ddcab86a9cd38173ce\r\n90279863b305ef951ab344af5246b766\r\n93553897e9e898c0c1e30838325ecfbd\r\n940f3a03661682097a4e7a7990490f61\r\n97003f4dcf81273ae882b6cd1f2839ef\r\na28d13c6661ca852893b5f2e6a068b55\r\nb33f1a3c8e245f4ffc269e22919d5f76\r\nbcbfec6f1da388ca05ec3be2349f47c7\r\ne9b0bae8a8724a78d57bec24796320c0\r\nfa2b090426691e08b18917d3bbaf87ce\r\nSource: https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/116588/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://securelist.com/evolution-of-zanubis-banking-trojan-for-android/116588/"
	],
	"report_names": [
		"116588"
	],
	"threat_actors": [],
	"ts_created_at": 1775433997,
	"ts_updated_at": 1775791479,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c4922c3c858be6228065ee5998cecd2b74b413e1.pdf",
		"text": "https://archive.orkl.eu/c4922c3c858be6228065ee5998cecd2b74b413e1.txt",
		"img": "https://archive.orkl.eu/c4922c3c858be6228065ee5998cecd2b74b413e1.jpg"
	}
}