Zanubis
Zanubis is an Android banking trojan aimed at Peru that evolved from a simple overlay banker targeting local financial institutions into a multi-faceted threat that impersonates government services. Kaspersky first covered the family in a September 2023 crimeware report, which already documented its impersonation of SUNAT (Peru's national tax authority) and a target list of roughly 40 Peruvian banking and financial apps, and published a detailed evolution analysis in March 2025 tracing its subsequent growth.
Overview
| Attribute | Details |
|---|---|
| First Seen | 2022 |
| Last Seen | Active (ongoing campaigns) |
| Status | Active, expanding target scope |
| Type | Banking trojan with overlay attacks and ATS (automated transfer system) |
| Attribution | Unknown; operations focused on Peru |
| Aliases | None known |
Vendor Names
| Vendor | Name |
|---|---|
| Kaspersky | HEUR:Trojan-Banker.AndroidOS.Zanubis |
| ESET | Android/Spy.Banker.Zanubis |
| McAfee | Android/Zanubis |
Origin and Lineage
Zanubis is independently developed with no direct code connection to other documented families. It is one of the few banking trojans specifically targeting the Peruvian financial sector, operating in the same Latin American space as PixPirate (Brazil) and ToxicPanda (originally Southeast Asia, expanded to LATAM).
Evolution
| Phase | Period | Capabilities |
|---|---|---|
| Initial | 2022 | Basic overlay banker targeting Peruvian banking apps |
| Expansion | 2023 | Added government app impersonation (SUNAT), broader targeting |
| Mature | 2024-2025 | Full ATS, continued SUNAT spoofing, lures impersonating a Peruvian energy company |
Distribution
| Vector | Details |
|---|---|
| Smishing | SMS messages impersonating SUNAT (tax authority) with fake tax notices |
| Fake government apps | APKs disguised as official SUNAT applications |
| Fake banking apps | APKs impersonating Peruvian banking apps |
| Social engineering | Urgency-based lures about tax penalties and legal obligations |
The government impersonation distribution is particularly effective in Peru, where SUNAT communications carry legal weight. Users receiving what appears to be an official tax notice are motivated to install the "SUNAT app" to resolve the supposed issue.
Capabilities
| Capability | Description |
|---|---|
| Overlay attacks | Credential-phishing overlays over 40+ banking apps |
| ATS (automated transfer system) | Automated fund transfers driven through the accessibility service |
| Keylogging | Accessibility-based keystroke capture |
| SMS interception | Reads and intercepts OTP codes |
| Screen recording | Records the device screen during banking sessions |
| Contact exfiltration | Uploads the contact list for further targeting |
| App impersonation | Disguises itself as the SUNAT tax authority app |
| Persistence | Uses the accessibility service to block uninstallation attempts |
Permissions
Technical Details
Overlay Injection
Zanubis uses standard overlay attack techniques, all of which depend on the victim first granting the app's accessibility service:
- Monitors foreground app changes through accessibility-service window events
- Matches the foreground package against a target list of 40+ Peruvian banking and financial apps
- Displays a WebView-based phishing overlay matching the target app's login screen
- Sends the captured credentials to the C2
SUNAT Impersonation
The government impersonation component displays a convincing SUNAT interface while the malware operates in the background. The fake SUNAT app:
- Shows official SUNAT branding and color scheme
- Displays fake tax documents and payment forms
- Requests personal information (DNI national identity number, RUC taxpayer number)
- Runs banking overlay monitoring in the background
C2 Communication
- HTTP-based C2 with JSON payloads
- WebSocket connections for real-time operator control during ATS operations
- Configuration and target list updates from C2
- Encrypted exfiltration of captured credentials
Target Regions
| Region | Details |
|---|---|
| Peru | Primary and near-exclusive target |
Target institutions include major Peruvian banks (BCP, BBVA Peru, Interbank, Scotiabank Peru) and government services (SUNAT). The narrow geographic focus parallels PixPirate's Brazil-exclusive targeting and Copybara's Italy-focused operations.
Notable Campaigns
2022: Zanubis first appears targeting Peruvian banking customers with basic overlay attacks.
2023, September: Kaspersky includes Zanubis in a crimeware report alongside ASMCrypt and Lumma, documenting its initial technical capabilities.
2024-2025: Zanubis evolves significantly. Kaspersky publishes a full evolution analysis documenting the transition from a simple banking overlay trojan to a sophisticated threat combining SUNAT government impersonation, lures impersonating a Peruvian energy company, and ATS capabilities, with a target list of 40+ financial apps.
C2 Infrastructure
| Component | Details |
|---|---|
| Primary protocol | HTTP with JSON payloads |
| Real-time channel | WebSocket for operator-controlled ATS sessions |
| Configuration | Target app list and overlay templates delivered from C2 |
| Credential exfiltration | Encrypted POST requests to C2 |
| Command polling | Regular-interval polling for new instructions |
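The two traffic traits described in the C2 Communication section and the table above (timer-driven command polling over HTTP, plus a WebSocket channel to the same host) can be surfaced from ordinary proxy logs. The script below is an added example, not code from Kaspersky or from the Zanubis operators; the log format (timestamp, client, server, method, path, upgrade header), every address, hostname and path, and the thresholds are constructed for the example, since the page gives no real endpoints.

```python
"""Flag Zanubis-style C2 traffic in proxy logs: fixed-interval polling and a
WebSocket upgrade from the same client to the same host.
Added example; log lines, hosts and paths are constructed, not real IOCs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one client polling a host every 60 s and then opening a
# WebSocket, and one client browsing a news site at irregular intervals.
SAMPLE_LOG = """\
2025-03-01T10:00:00Z 10.0.0.12 api.example-c2.test POST /api/v1/poll -
2025-03-01T10:01:00Z 10.0.0.12 api.example-c2.test POST /api/v1/poll -
2025-03-01T10:02:00Z 10.0.0.12 api.example-c2.test POST /api/v1/poll -
2025-03-01T10:03:00Z 10.0.0.12 api.example-c2.test POST /api/v1/poll -
2025-03-01T10:04:00Z 10.0.0.12 api.example-c2.test POST /api/v1/poll -
2025-03-01T10:04:30Z 10.0.0.12 api.example-c2.test GET /ws websocket
2025-03-01T10:00:05Z 10.0.0.7 news.example.test GET / -
2025-03-01T10:07:41Z 10.0.0.7 news.example.test GET /story/1 -
2025-03-01T10:09:02Z 10.0.0.7 news.example.test GET /story/2 -
2025-03-01T10:31:15Z 10.0.0.7 news.example.test GET /story/9 -
2025-03-01T11:02:58Z 10.0.0.7 news.example.test GET /story/4 -
"""


def parse(log_text):
    """Parse the constructed whitespace-separated format into event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host, method, path, upgrade = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "client": client, "host": host, "method": method, "path": path,
            "websocket": upgrade.lower() == "websocket",
        })
    return events


def analyze(log_text, min_events=5, max_cv=0.2):
    """Return {(client, host): [reasons]} for pairs that look like C2.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between consecutive non-WebSocket requests: human browsing is
    bursty (high cv), a timer-driven poll loop is regular (low cv).
    """
    by_pair = defaultdict(list)
    for ev in parse(log_text):
        by_pair[(ev["client"], ev["host"])].append(ev)

    findings = {}
    for pair, evs in by_pair.items():
        evs.sort(key=lambda e: e["ts"])
        polls = [e for e in evs if not e["websocket"]]
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(polls, polls[1:])]
        reasons = []
        if len(polls) >= min_events and gaps and mean(gaps) > 0:
            cv = pstdev(gaps) / mean(gaps)
            if cv <= max_cv:
                reasons.append(f"regular polling every ~{mean(gaps):.0f}s (cv={cv:.2f})")
        if any(e["websocket"] for e in evs):
            reasons.append("WebSocket upgrade to the same host")
        if reasons:
            findings[pair] = reasons
    return findings


if __name__ == "__main__":
    for (client, host), reasons in analyze(SAMPLE_LOG).items():
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

The sample client beacons with zero jitter, which is idealised; real implants add jitter and real networks add latency, so `max_cv` needs tuning against a baseline, and a single low-cv pair is a lead rather than a verdict. The pairing of regular JSON POSTs with a WebSocket upgrade to the same otherwise-unknown host is the stronger signal.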
Detection
| Indicator Type | Details |
|---|---|
| SUNAT impersonation | App using official SUNAT branding and requesting tax identifiers (DNI, RUC) |
| Accessibility abuse | App requesting the accessibility service with no legitimate UI-assistance purpose |
| Overlay activity | WebView-based windows rendered over Peruvian banking applications |
| Target app monitoring | Continuous foreground app monitoring via accessibility events |
| ATS behavior | Automated navigation through banking app transfer flows |
| Peruvian focus | Hardcoded references to BCP, BBVA Peru, Interbank, Scotiabank Peru, and SUNAT |
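The static indicators in the table above (accessibility-service declaration, overlay and SMS permissions, hardcoded names of Peruvian banks and SUNAT, DNI/RUC prompts) can be checked mechanically against a decoded APK, which is also where the target-list matching described under Overlay Injection shows up. The triage script below is an added example, not code from Kaspersky or any vendor; it assumes the APK has already been decoded (for instance with apktool) into a manifest XML and a dump of string constants, and the manifest, package name and string values it runs on are constructed for the example. The bank and agency keywords are the ones named on this page.

```python
"""Static triage of a decoded Android APK for the Zanubis-style indicators
listed on this page. Added example; the sample manifest and strings are
constructed, and the package name is invented."""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that map onto the capabilities table (overlay, OTP theft, contacts).
SUSPECT_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows",
    "android.permission.RECEIVE_SMS": "SMS/OTP interception",
    "android.permission.READ_SMS": "SMS/OTP interception",
    "android.permission.READ_CONTACTS": "contact exfiltration",
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Local targets named on the page; matched on word boundaries, case-insensitively.
TARGET_RE = re.compile(r"\b(bcp|bbva|interbank|scotiabank|sunat)\b", re.IGNORECASE)
# Peruvian identifiers the fake SUNAT form asks for.
ID_RE = re.compile(r"\b(DNI|RUC)\b")


def suspect_permissions(root):
    """Return declared <uses-permission> names that appear in SUSPECT_PERMISSIONS."""
    found = []
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name", "")
        if name in SUSPECT_PERMISSIONS:
            found.append(name)
    return sorted(found)


def declares_accessibility_service(root):
    """True if any <service> is guarded by BIND_ACCESSIBILITY_SERVICE, which is
    how a real accessibility service has to be declared to be bound by the OS."""
    return any(svc.get(ANDROID_NS + "permission") == BIND_ACCESSIBILITY
               for svc in root.iter("service"))


def keyword_hits(strings, pattern):
    """Distinct lower-cased matches of pattern across all string constants."""
    return sorted({m.group(1).lower() for s in strings for m in pattern.finditer(s)})


def triage(manifest_xml, strings):
    root = ET.fromstring(manifest_xml)
    perms = suspect_permissions(root)
    accessibility = declares_accessibility_service(root)
    targets = keyword_hits(strings, TARGET_RE)
    identifiers = keyword_hits(strings, ID_RE)
    # An accessibility service can draw over other apps without
    # SYSTEM_ALERT_WINDOW, so the verdict keys on accessibility plus several
    # local bank names rather than on any single permission.
    if accessibility and len(targets) >= 2:
        verdict = "likely Peru-focused overlay banker"
    elif accessibility or targets:
        verdict = "needs analyst review"
    else:
        verdict = "no Zanubis-style indicators"
    return {"package": root.get("package"), "permissions": perms,
            "accessibility_service": accessibility, "target_hits": targets,
            "identifier_prompts": identifiers, "verdict": verdict}


# Constructed sample input: invented package name, label and strings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.taxnotice">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="SUNAT">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

SAMPLE_STRINGS = [
    "Ingrese su DNI para continuar",
    "Numero de RUC",
    "bcp",
    "interbank",
    "Scotiabank Peru",
    "wss://updates.example/ws",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_STRINGS).items():
        print(f"{key}: {value}")
```

Two caveats when using this on real samples: a legitimate bank app naturally contains its own brand name, so a single target hit means little and the verdict deliberately requires the accessibility service plus at least two distinct local targets; and string matching only sees what is in the decoded resources, so run it after any packing or string encryption has been undone.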
Related Families
| Family | Relationship |
|---|---|
| PixPirate | Both target a single Latin American country exclusively (Zanubis targets Peru, PixPirate targets Brazil). Both implement ATS for automated fraud. |
| ToxicPanda | Both use ATS capabilities for automated fund transfers, though ToxicPanda originated in Southeast Asia before expanding to LATAM and Europe. |
| Copybara | Both demonstrate the pattern of country-specific banking trojans with narrow geographic focus and deep local targeting. |
| GodFather | Zanubis's overlay injection approach follows the standard model established by earlier families like GodFather and Anubis. |