Zanubis: New Android Banking Trojan spotted in the wild

Overlay-Based Banking Trojan targets Peruvian banks and Social Media Applications

Cyble Research and Intelligence Labs (CRIL) has been tracking the activities of various Android Banking Trojans such as Hydra, Ermac, and Amextroll, amongst several others. During a routine threat-hunting exercise, we came across a Twitter post where a researcher mentioned a malware sample. After an in-depth analysis, the malware was identified as a new Android Banking Trojan variant targeting over 40 applications from Peru.

The Threat Actor (TA) uses the string “Zanubis” as a key to decrypt responses received from the Command and Control (C&C) server. Hence, we will refer to  this unidentified malware variant as “Zanubis.”

Figure 1 – Decryption key used by TA

Zanubis malware pretends to be a PDF application to appear legitimate and target banks in Peru, as well as two social media apps, WhatsApp and Gmail, at the time of our analysis.

However, the overlay screen for these social media applications is not implemented by TAs at the moment. Still, we can expect them to do so soon as the app is under development.

Technical Analysis

APK Metadata Information   

  • App Name: Personal.pdf
  • Package Name: com.personal.pdf
  • SHA256 Hash: 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57


Figure 2 shows the metadata information of the application.  

Figure 2 – App Metadata Information 

Manifest Description

The malicious application mentions 30 permissions in the manifest file, out of which the TA exploits 10. The harmful permissions requested by the malware are:  

Permission  Description 
READ_CONTACTSAccess phone contacts
RECEIVE_SMSAllows an application to receive SMS messages
READ_SMSAccess phone messages
CAMERARequired to access the camera device.
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
RECORD_AUDIOAllows the app to record audio with the microphone, which the attackers can misuse
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device
CALL_PHONEAllows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call
SEND_SMSAllows an application to send SMS messages
SYSTEM_ALERT_WINDOWAllows an app to create windows on top of all other apps

Source Code Review  

After installation, the malicious application prompts the user to grant the Battery Optimization permission, followed by the Accessibility (a11y) Service. Once the user turns on the Accessibility Service, the malware abuses a11y to prevent uninstallation and the auto-granting of permissions.

When the Accessibility Service is turned on, the malware connects to the C&C server hxxp://92.38.132[.]217:8000 and receives the list of targeted applications with the overlay URLs.

Figure 3 – Malware receiving the list of targeted applications

After receiving the targeted application list and overlay URL, the malware decrypts the response and saves the decrypted data into the shared preference file “cc638784cf213986ec75983a4aa08cda.xml,” as shown in the below image.

Figure 4 – Shared preference file storing decrypted response

The malware further sends the list of installed applications, contact list, SMS permission status, and basic device information to the C&C server to identify the targeted application to carry out an overlay attack.

Figure 5 – Malware sending the encrypted list of installed applications

The code shown in the below figure is executed after receiving the command config_packages from the C&C server. The malware decrypts the list of targeted applications, verifies the package name with the installed application package name, and sends it to the C&C server with the tag “tagets_find.”

Figure 6 – Verifying target application

Whenever the user tries to interact with the targeted application, the onAccessibilityEvent() method checks the package name of the currently running app with the list of targeted applications present in the shared preference file. It then fetches the overlay URL and creates an overlay window over the targeted application, as shown in the below image.

Figure 7 – Malware creating overlay window on the target application

The SocketCon class is responsible for connecting to the C&C server, receiving commands, and executing operations. The commands used by the malware are:

Command Description 
config_packagesReceives the list of the targeted application
eliminar_appReceives the Boolean number to perform an action on setting or package installer app
desinstalar_appReceives the target application package name to uninstall
bloquear_telefonoReceives Boolean value to lock device
pedir_tokeNot Implemented
notificacionReceives the notification and displays on the victim’s device
enviar_smsSends the SMS from an infected device
permiso_contactosReceives the Boolean value to prompt the user to grant contact permission
rev_permiso_smsAllowing the user to change the default SMS application
permiso_smsSetting malicious applications as the default SMS application
desbloquear_packageReceives the application package name to remove the target application from the shared preference list

The malware receives the command “enviar_sms” from the C&C server with a mobile number and a message body to send an SMS from an infected device. The TA can leverage this technique to spread the malware to infect more devices.  

Figure 8 – Malware sending SMS from an infected device

Below is the list of applications targeted by the malware:

Package name Application name APP Perú de la Nación
com.mibanco.bancamovilMibanco App Perú
com.bcp.innovacxion.yapeappYape Falabella Perúóvil Caja Sullana Móvil BCP
pe.pichincha.bmAPP Banco Pichincha Perú
com.cajahuancayo.cajahuancayo.appcajahuancayoCAJA HUANCAYO
pe.cajapiura.bancamovilCaja Piura App
com.cmacica.prdCaja Ica App
pe.interbank.bieInterbank Empresas Empresas, Perúédito Móvil BCP
com.alfinbanco.appclientesAlfin Banco de Comercio
com.bm_gnb_peBanca Móvil Banco GNB Perú
com.whatsappWhatsApp Messenger
com.ripley.banco.peruBanco Ripley Perú
com.zoluxiones.officebankingBanco Santander Perú S.A.
com.cmac.cajamovilaqpCaja Arequipa Móvil móvil CML App
com.caja.myapplicationCaja del Santa
com.cajamaynas.cajamaynasCaja Maynas
com.cajatacna.droidCaja Tacna App
com.appcajatrujilloCaja Trujillo Móvil Tarjeta Cencosud Centro Movil Digital Móvil Perú
pe.confianza.bancamovilApp de Financiera Confianza
com.credinkamovil.peCredinka en Línea Financiera
com.efectivadigital.appclientesEfectiva Tu Financiera
pe.solera.tarjetaohTarjeta oh!


According to our research, Zanubis uses a similar overlay-based attack as we have observed in other banking trojan families to steal the credentials of the targeted application.

The malware is still under development as some mentioned commands are not yet implemented, and the overlay URLs for a few targeted applications are missing. In the coming days, we may see a new variant of this malware with new TTPs and targets.

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

How to prevent malware infection? 

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers? 

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques 

TacticTechnique IDTechnique Name
Initial AccessT1476Deliver Malicious App via Other Mean.
Initial AccessT1444Masquerade as Legitimate Application
CollectionT1412Capture SMS Messages
CollectionT1432Access Contacts List
CollectionT1517Access Notifications
CollectionT1533Data from Local System
ExfiltrationT1437Standard Application Layer Protocol
CollectionT1436Commonly used port
Input captureT1417Input capture

Indicators of Compromise (IOCs) 

IndicatorsIndicator TypeDescription
0198b8fa11bf9e8442defa00befa2ab224ada5ebb4a60256f2bf5fc491cca0a1SHA256Hash of the analyzed APK file
93be818f6087423909594f5630b67cf0ddcf71b6SHA1Hash of the analyzed APK file 
0b3248698651c68aa79c128c26df6f5cMD5Hash of the analyzed APK file
33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57SHA256Hash of the analyzed APK file
2128c991887a80152ca36689be503eaa6afc1b1fSHA1Hash of the analyzed APK file 
8f78df9b128eb2b0fb576269bba6a9fbMD5Hash of the analyzed APK file
95242e1d105de9c33b2c9d8a9514f58327ca32d7d24af9af19ff3f0d075ea451SHA256Hash of the analyzed APK file
74c03b47d0449e08ef9e645e79aaada5e0aedc9dSHA1Hash of the analyzed APK file 
e7495ddd6f4e5c686c2ee68b3db91f9bMD5Hash of the analyzed APK file
hxxp://92.38.132[.]217:8000URLC&C server

Comments are closed.

Scroll to Top