Zanubis Banking Trojan
The Zanubis Trojan is a malware threat targeting Android devices. Analysis has revealed that it is a banking Trojan, a class of threat designed to stealthily collect victims' banking credentials. The operators can then access the compromised accounts and siphon the victims' funds into their own accounts. Zanubis appears to mainly target Android users of Latin American banks, with most infections taking place in Peru.
Like most banking Trojans, Zanubis abuses the Android Accessibility Services to carry out its operations. This legitimate Android feature is designed to help users with disabilities operate their smart devices more easily. Android Accessibility Services can simulate pressing buttons on the touchscreen, read the information on the screen, and assist with other similar actions. Zanubis uses fake overlay screens to mimic the login pages of the targeted banks. Users enter their banking credentials, such as IDs, emails, passwords, usernames and one-time passwords (OTPs), without realizing that the threat will collect all of the provided information and transmit it to its operators.
In addition, Zanubis collects various device details, including the manufacturer, the device model, the list of installed applications, the victim's contact list, fingerprints and more. The banking Trojan can also obtain battery permissions so that it is not forcibly put into 'sleep' mode if users activate any battery optimization processes. The operators of Zanubis can also use the threat to send SMS messages or show chosen notifications to the victims. They may even delete specific applications or lock the screen of the compromised device.
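A device triage check for the combination of capabilities described above, added here as an example and not taken from the original analysis: it parses the output of `settings get secure enabled_accessibility_services` and `dumpsys deviceidle whitelist` and ranks apps that hold an accessibility service together with a battery optimization exemption, SMS sending or contact access. The package names, the allowlist and the map of granted permissions (assumed to be collected separately, for example from `dumpsys package`) are constructed for illustration.

```python
# Added example. Sample inputs are constructed; package names are hypothetical.
SENSITIVE = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}

def parse_accessibility(setting):
    """Packages in `settings get secure enabled_accessibility_services` output:
    colon-separated package/service components, or 'null' when none are set."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp}

def parse_idle_whitelist(dump):
    """User-granted battery optimization exemptions in
    `dumpsys deviceidle whitelist` output (lines of kind,package,uid)."""
    pkgs = set()
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs

def triage(a11y_setting, whitelist_dump, granted, allowlist):
    """Rank non-allowlisted accessibility services by how many of the
    capabilities described in the write-up they combine."""
    exempt = parse_idle_whitelist(whitelist_dump)
    findings = []
    for pkg in sorted(parse_accessibility(a11y_setting) - set(allowlist)):
        reasons = ["accessibility service enabled"]
        if pkg in exempt:
            reasons.append("exempt from battery optimization")
        reasons += sorted(SENSITIVE & granted.get(pkg, set()))
        findings.append((pkg, reasons))
    return sorted(findings, key=lambda f: -len(f[1]))

SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.pdfviewer/com.example.pdfviewer.HelperService")
SAMPLE_WHITELIST = """system-excidle,com.android.providers.downloads,10050
system,com.google.android.gms,10120
user,com.example.pdfviewer,10234
"""
SAMPLE_GRANTED = {"com.example.pdfviewer": {"android.permission.SEND_SMS",
                                             "android.permission.READ_CONTACTS",
                                             "android.permission.INTERNET"}}
ALLOWLIST = {"com.google.android.marvin.talkback"}

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_A11Y, SAMPLE_WHITELIST, SAMPLE_GRANTED, ALLOWLIST):
        print(pkg, "->", "; ".join(reasons))
```

A package that appears with several reasons is a candidate for closer inspection, not a confirmed infection; legitimate assistive apps can hold the same grants.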