Zanubis Android Banking Trojan Poses as Peruvian Government App to Target Users

Cyber Security Threat Summary:
An emerging Android banking trojan called Zanubis is now masquerading as a Peruvian government app to trick unsuspecting users into installing the malware. ‘Zanubis's main infection path is through impersonating legitimate Peruvian Android applications and then tricking the user into enabling the Accessibility permissions in order to take full control of the device,’ Kaspersky said in an analysis published last week. Zanubis, originally documented in August 2022, is the latest addition to a long list of Android banker malware targeting the Latin American (LATAM) region. Targets include more than 40 banks and financial entities in Peru. It's mainly known for abusing accessibility permissions on the infected device to display fake overlay screens atop the targeted apps in an attempt to steal credentials. it's also capable of harvesting contact data, list of installed apps, and system metadata. Kaspersky said it observed recent samples of Zanubis in the wild in April 2023, operating under the guise of the Peruvian customs and tax agency named Superintendencia Nacional de Aduanas y de Administración Tributaria (SUNAT). Installing the app and granting it accessibility permissions allows it to run in the background and load the genuine SUNAT website using Android's WebView to create a veneer of legitimacy. It maintains connections to an actor-controlled server to receive next-stage commands over WebSockets” (The Hacker News, 2023).

Security Officer Comments:
If the victim enables the accessibility permissions, Zanubis will use permissions to monitor for applications being opened on the device and compare them to a list of targeted applications. If a match is found, the banking trojan will log keystrokes and record the screen to siphon credentials which can be used to log in and steal funds from victims’ bank accounts. According to Kaspersky, a notable feature of Zanubis is its ability to masquerade as an Android operating system update. “As the 'update' runs, the phone remains unusable to the point that it can't be locked or unlocked, as the malware monitors those attempts and blocks them,” noted researchers at Kaspersky.

Suggested Correction(s):
When installing applications from the Play Store, looking at the user reviews and ratings can help determine the authenticity of the application. Furthermore, certain apps will request more permissions than required to function as intended. In general, it’s important to avoid installing such applications as threat actors can use these permissions to take control of devices and access confidential data.