Kaspersky Global Research and Analysis Team (GReAT) discovered a new version of the Zanubis mobile banking trojan targeting users in Peru. When Zanubis originally emerged in 2022, it mimicked PDF readers or Peru government organizations’ apps, and now in 2025 it disguises itself as two new apps – one of a local company in the energy sector and the other – of a local bank. With advanced social engineering techniques, users are persuaded to download and install these fake apps, which steal banking credentials and keys from digital or crypto wallets. Zanubis also performs keylogging and screen recording, among other functionality. Kaspersky detected over 130 victims in the latest campaign, and about 1,250 since the monitoring of this malware started.
On smartphones running
Android, apps can be installed from different stores, but they can also be
installed directly from APK files bypassing the stores. Zanubis made its way
onto victims’ smartphones through APK files. When mimicking the energy company,
the malicious APK is distributed under names such as “Boleta_XXXXXX.apk”
("Bill") or “Factura_XXXXXX.apk” ("Invoice"), deceiving
users into believing they are opening and verifying an alleged bill or invoice.
These apps pose as fake invoice verification tools, requiring users to install
them and enter their customer information in order to check for various
outstanding invoices. Meanwhile, when mimicking the bank, victims are tricked
into downloading the malware under the guise of instructions from a fake bank
advisor.
A fake form inside the app to verify invoices
Once the user downloads and launches any of the described APK files, a screen appears with the organization’s deceptively used logo, stating that necessary checks are in progress. The app requires the user to give accessibility permissions claiming that they are necessary for the app’s normal operation.
Screenshots of the malicious app requesting
accessibility permissions
Android accessibility
permissions grant apps the ability to interact with and control various aspects
of the device’s interface and functionality, primarily to assist users with
disabilities. When a malware app gains accessibility permissions, attackers can
covertly monitor and capture sensitive user data, such as passwords, messages,
and banking details, by reading screen content and notifications. This is
exactly what attackers behind Zanubis did to steal funds and get access to
other private information.
The threat actors
behind Zanubis are likely to be operating from Peru. There is consistent use of
Latin American Spanish in the code, and the attackers demonstrate knowledge of
Peruvian banking and government agencies.
“Zanubis has
demonstrated a clear evolution, transitioning from a simple banking Trojan to a
highly sophisticated and multi-faceted threat. Its focus remains on high-value
targets, particularly banks and financial institutions in Peru. The attackers
behind Zanubis show no signs of slowing down. They continue to adjust their
tactics, shifting distribution methods to ensure the malware reaches new
victims and executes silently. It is crucial for individual and corporate users
and to stay vigilant and boost their digital literacy levels, as well as use
trusted and proven security solutions, to avoid such threats,” commented
Leandro Cuozzo, Security Researcher with Kaspersky’s Global Research and
Analysis Team.
More information is
available in a report on Securelist.com.
To protect yourself
from mobile threats, Kaspersky recommends:
- Download apps only
from official app stores for smartphones, such as Apple App Store and Google
Play, but remember that even downloading apps from official stores is not
always risk-free. Kaspersky recently discovered SparkCat, the first
screenshot-stealing malware to bypass the App Store's security. The malware was
also found on Google Play, with a total of 20 infected apps across both
platforms, proving that these stores are not 100% foolproof.
- To stay safe, always
check app reviews, use only links from official websites, and install reliable
security software, like Kaspersky Premium, that can
detect and block malicious activity if an app turns out to be fraudulent.
- Check the permissions
of apps that you use and think carefully before permitting an app, especially
when it comes to high-risk permissions such as Accessibility Services.
- Update your operating
system and important apps as updates become available. Many safety issues can
be solved by installing updated versions of software.
About the Global Research &
Analysis Team
Established in 2008,
Global Research & Analysis Team (GReAT) operates at the very heart of
Kaspersky, uncovering APTs, cyber-espionage campaigns, major malware,
ransomware and underground cyber-criminal trends across the world. Today GReAT
consists of 30+ experts working globally – in Europe, Russia, Latin America,
Asia and the Middle East. Talented security professionals provide company
leadership in anti-malware research and innovation, bringing unrivaled
expertise, passion and curiosity to the discovery and analysis of cyberthreats.
