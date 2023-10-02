An Android banking trojan called Zanubis emerged recently; it disguises itself as a Peruvian government application to trick unsuspecting users into installing malware.

What experts know about Zanubis

“The main route of infection of Zanubis is through imitation [i.e. passing itself off as those same apps with a similar look] of legitimate Peruvian Android applications and then tricking the user into enabling accessibility permissions in order to take full control of the device,” Kaspersky stated in an analysis published last week.

Zanubis, first documented in August 2022, is the latest addition to a long list of Android banking malware targeting South America; its targets include more than 40 banks and other financial entities in Peru.

It is mainly known to abuse accessibility permissions on the infected device to display fake overlay screens over targeted apps in an attempt to steal credentials. It can also collect contact data, lists of installed apps, and system metadata.

Kaspersky reported seeing recent samples of Zanubis in circulation as of April 2023, operating under the guise of the Peruvian customs and tax agency, the Superintendencia Nacional de Aduanas y de Administración Tributaria (SUNAT).

Installing the app and granting it accessibility permissions allows it to run in the background and load SUNAT’s genuine website in an Android WebView to create a veneer of legitimacy. It maintains a connection to an actor-controlled server and receives next-step commands over WebSockets.

The accessibility permissions are further used to monitor which apps are open on the device and compare them against a list of targeted apps. If an application on the list is launched, Zanubis proceeds to log keystrokes or record the screen to steal sensitive data.
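The behaviour described above (an app that obtains an accessibility service and was installed from outside an official store) is something a defender can check for during device triage. The following script is an added example, not code from the article or from Kaspersky: it parses the output of two real adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags packages that both have an accessibility service enabled and were not installed by the Play Store. The sample command outputs and the package name `pe.example.sunat.lookalike` are constructed placeholders, not real indicators.

```python
"""Triage heuristic for accessibility-abusing Android banking trojans.

Added example; not from the article or from Kaspersky. Flags packages that
have an enabled accessibility service AND were not installed by a trusted
installer. The sample outputs below are constructed, not captured from a device.
"""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of "<package>/<service class>" entries
# (or the literal string "null" when no service is enabled).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "pe.example.sunat.lookalike/.AccessService"  # hypothetical lookalike app
)

# Constructed sample of: adb shell pm list packages -i
# Each line reads "package:<name>  installer=<installer package or null>".
SAMPLE_PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:pe.example.sunat.lookalike  installer=null
package:com.example.bank  installer=com.android.vending
package:org.fdroid.fdroid  installer=null
"""

# Installers considered trustworthy; extend according to local policy.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_enabled_accessibility_services(raw):
    """Return the set of package names that have an enabled accessibility service."""
    pkgs = set()
    for entry in raw.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkgs.add(entry.split("/", 1)[0])  # keep the package, drop the service class
    return pkgs


def parse_installers(raw):
    """Map package name -> installer package; None means sideloaded/unknown."""
    result = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.groups()
        result[pkg] = None if installer == "null" else installer
    return result


def flag_suspicious(services_raw, packages_raw, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer) pairs needing review.

    Accessibility services are legitimate for many apps (screen readers,
    password managers), so this is a triage signal, not a verdict. A package
    that is absent from the package list is treated as unknown and flagged.
    """
    enabled = parse_enabled_accessibility_services(services_raw)
    installers = parse_installers(packages_raw)
    findings = []
    for pkg in sorted(enabled):
        installer = installers.get(pkg)
        if installer not in trusted:
            findings.append((pkg, installer))
    return findings


if __name__ == "__main__":
    for pkg, installer in flag_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_LIST):
        print(f"REVIEW: {pkg} has accessibility enabled, installer={installer or 'sideloaded'}")
```

On the constructed sample, only `pe.example.sunat.lookalike` is reported: TalkBack also holds an accessibility service but came from the Play Store. On a real device, feed the script the live output of the two adb commands and review each finding by hand.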

A RAT different from the others

What sets Zanubis apart and makes it more powerful is its ability to pretend to be an Android OS update, effectively rendering the device unusable.

“While the update is [virtually] ‘executed’, the phone remains unusable, to the point where it cannot be locked or unlocked, as the malware monitors those attempts [to lock or unlock the phone] and blocks them,” Kaspersky announced.

The development comes as AT&T Cybersecurity detailed another Android-based remote access trojan (RAT) called MMRat, which can capture user input and screen content, as well as command and control.

“RATs are a popular choice for hackers due to their many capabilities, from reconnaissance and data extraction to long-term persistence,” the cybersecurity company Kaspersky stated.

Conclusion

In summary, Zanubis is a dangerous Android banking trojan that spreads through deception, using legitimate Peruvian apps as bait.

This malware mainly targets financial institutions in Peru, trying to steal sensitive data and banking information from victims; its ability to pretend to be an Android OS update makes it particularly insidious, as it can render devices virtually unusable.

Although it is very unlikely that this threat will reach Italy, always choose download sources carefully and avoid installing apps from untrusted sources or suspicious websites; download applications from official stores such as the Google Play Store, and use third-party stores or sources as little as possible unless they are trusted (F-Droid, for example).