Android Banking Trojan Zanubis Evolves to Target Peruvian Users

The Android banking Trojan Zanubis has taken on a new guise, posing as the official app for the Peruvian governmental organization SUNAT (Superintendencia Nacional de Aduanas y de Administración Tributaria). 

Originally detected in August 2022, this malware targets financial and cryptocurrency users in Peru by impersonating legitimate Android apps. Zanubis tricks users into granting Accessibility permissions, effectively surrendering control of their devices.

What sets Zanubis apart is its increasing sophistication, explained a new advisory published by Kaspersky today. The Trojan utilizes the Obfuscapk obfuscator for Android APK files, making it challenging to detect.

Once it gains access to a victim’s device, it deceives them by loading a genuine SUNAT website using WebView, creating the illusion of legitimacy. The Trojan maintains communication with its controlling server through WebSockets and a library called Socket.IO, ensuring connectivity even in adverse conditions.

What’s particularly worrisome is Zanubis’s adaptability. Unlike typical malware with fixed target apps, Zanubis can be remotely programmed to steal data when specific apps are in use. Additionally, it establishes a second connection, potentially granting malicious actors complete control over a compromised device. To compound the threat, it can disable a device by masquerading as an Android update.

In the same advisory, Kaspersky researchers mentioned the discovery of a cryptor/loader called AsymCrypt, designed to target crypto wallets and distributed through underground forums. This evolved DoubleFinger loader variant serves as a gateway to the TOR network. Buyers customize its functionality, injecting malicious DLLs concealed within encrypted image blobs.

The Lumma stealer is another evolving malware lineage recently discovered by the security researchers. Previously known as Arkei, Lumma retains 46% of its original attributes. To infect a system, this malicious software camouflages itself as a file converter from .docx to .pdf, triggering its payload when files come back with a double extension of .pdf.exe.

Lumma primarily targets crypto wallets, stealing cached files, configuration files and logs. Its evolution includes system process list acquisition, altered communication URLs and advanced encryption techniques.

Read more on crypto-stealers: Satacom Malware Campaign Steals Crypto Via Stealthy Browser Extension

Tatyana Shishkova, a lead security researcher at Kaspersky’s GReAT (Global Research and Analysis Team), emphasized the dynamic nature of these threats and the importance of staying informed. 

“The ever-evolving landscape of malware, exemplified by the multifaceted Lumma stealer and the ambitions of Zanubis as a full-fledged banking Trojan, underscores the dynamic nature of these threats,” she said.

“Intelligence reports play a pivotal role in keeping abreast of the latest malicious tools and attacker techniques, empowering us to stay one step ahead in the ongoing battle for digital security.”

Kaspersky recommended various preventive measures, including offline backups, anti-ransomware tools and dedicated security solutions, to mitigate financially motivated threats.