Zanubis Malware Evolves: New Android Threat Targets Banks, Crypto & More in Latin America!

The Zanubis malware, purpose-built for Android-based devices, continues its relentless evolution, emerging as one of the most sophisticated cyber threats in Latin America. Originally crafted to target banking institutions exclusively, it has since broadened its scope to include virtual cards and cryptocurrency wallets, adapting its attack vectors to align with the region’s growing digital infrastructure.

According to Kaspersky Lab, the malware is disseminated under the guise of legitimate Peruvian applications, deceiving users into granting elevated permissions through Android’s Accessibility Services. Once these privileges are obtained, Zanubis gains the ability to intercept data, log keystrokes, remotely control the device, and surreptitiously execute commands issued by its operators.

Since its initial detection in August 2022—when it masqueraded as a PDF viewer—Zanubis’s capabilities have expanded dramatically. Even at that early stage, the malware successfully targeted over forty financial applications in Peru using overlay screens that mimicked legitimate banking interfaces to harvest login credentials.

In 2023, the malware was spotted impersonating the official app of Peru’s tax authority, SUNAT. Threat actors employed advanced obfuscation tools such as Obfuscapk to hinder malware analysis and introduced RC4 encryption to secure communications with the command-and-control server. They also crafted counterfeit instructional web pages to convince users to enable suspicious permissions.

By 2024, Zanubis had adopted new stealth techniques. It incorporated AES encryption in ECB mode, real-time string decryption using PBKDF2-based keys, and the ability to intercept input on the lock screen. Simultaneously, it introduced screen recording capabilities and a module that simulated system updates, effectively locking users out of their devices while malicious operations were conducted in the background.

The latest update in 2025 has rendered the malware even more insidious. It now leverages the PackageInstaller class to silently install applications without user awareness. Its primary objective is the theft of sensitive data from banks, energy providers, and other critical sectors of the Peruvian economy. To this end, attackers distribute tailored “documents”—forged invoices and fake advisories purportedly issued by financial consultants.

Kaspersky Lab notes that the threat actors exhibit a profound understanding of regional dynamics and fluency in Latin American Spanish, strongly suggesting a local origin. All indicators point to a meticulously targeted operation, designed to maximize data exfiltration while minimizing the risk of detection.

Zanubis stands as a persistent and formidable cyber threat, underscoring the urgent need for continuous digital hygiene among both individuals and organizations. Combating such threats demands not only technical safeguards but also unwavering vigilance against all forms of social engineering.