New Android Banking Trojan Zanubis Spotted In The Wild.
Cyble Research and Intelligence Labs (CRIL) has been tracking the activities of various Android Banking Trojans such as Hydra, Ermac, and Amextroll, amongst several others. During a routine threat-hunting exercise, we came across a Twitter post where a researcher mentioned a malware sample. After an in-depth analysis, the malware was identified as a new Android Banking Trojan variant targeting over 40 applications from Peru.
The Threat Actor (TA) uses the string “Zanubis” as a key to decrypt responses received from the Command and Control (C&C) server. Hence, we will refer to this unidentified malware variant as “Zanubis.”
Zanubis malware pretends to be a PDF application to appear legitimate and target banks in Peru, as well as two social media apps, WhatsApp and Gmail, at the time of our analysis.
However, the overlay screen for these social media applications is not implemented by TAs at the moment. Still, we can expect them to do so soon as the app is under development.
Technical Analysis
APK Metadata Information
- App Name: Personal.pdf
- Package Name: com.personal.pdf
- SHA256 Hash: 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57
Figure 2 shows the metadata information of the application.
Manifest Description
The malicious application mentions 30 permissions in the manifest file, out of which the TA exploits 10. The harmful permissions requested by the malware are:
| Permission | Description |
| READ_CONTACTS | Access phone contacts |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_SMS | Access phone messages |
| CAMERA | Required to access the camera device. |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call |
| SEND_SMS | Allows an application to send SMS messages |
| SYSTEM_ALERT_WINDOW | Allows an app to create windows on top of all other apps |
Source Code Review
After installation, the malicious application prompts the user to grant the Battery Optimization permission, followed by the Accessibility (a11y) Service. Once the user turns on the Accessibility Service, the malware abuses a11y to prevent uninstallation and the auto-granting of permissions.
When the Accessibility Service is turned on, the malware connects to the C&C server hxxp://92.38.132[.]217:8000 and receives the list of targeted applications with the overlay URLs.
After receiving the targeted application list and overlay URL, the malware decrypts the response and saves the decrypted data into the shared preference file “cc638784cf213986ec75983a4aa08cda.xml,” as shown in the below image.
The malware further sends the list of installed applications, contact list, SMS permission status, and basic device information to the C&C server to identify the targeted application to carry out an overlay attack.
The code shown in the below figure is executed after receiving the command config_packages from the C&C server. The malware decrypts the list of targeted applications, verifies the package name with the installed application package name, and sends it to the C&C server with the tag “tagets_find.”
Whenever the user tries to interact with the targeted application, the onAccessibilityEvent() method checks the package name of the currently running app with the list of targeted applications present in the shared preference file. It then fetches the overlay URL and creates an overlay window over the targeted application, as shown in the below image.
The SocketCon class is responsible for connecting to the C&C server, receiving commands, and executing operations. The commands used by the malware are:
| Command | Description |
| config_packages | Receives the list of the targeted application |
| eliminar_app | Receives the Boolean number to perform an action on setting or package installer app |
| desinstalar_app | Receives the target application package name to uninstall |
| bloquear_telefono | Receives Boolean value to lock device |
| pedir_toke | Not Implemented |
| notificacion | Receives the notification and displays on the victim’s device |
| enviar_sms | Sends the SMS from an infected device |
| permiso_contactos | Receives the Boolean value to prompt the user to grant contact permission |
| rev_permiso_sms | Allowing the user to change the default SMS application |
| permiso_sms | Setting malicious applications as the default SMS application |
| desbloquear_package | Receives the application package name to remove the target application from the shared preference list |
The malware receives the command “enviar_sms” from the C&C server with a mobile number and a message body to send an SMS from an infected device. The TA can leverage this technique to spread the malware to infect more devices.
Below is the list of applications targeted by the malware:
| Package name | Application name |
| pe.com.interbank.mobilebanking | Interbank APP |
| pe.com.scotiabank.blpm.android.client | Scotiabank Perú |
| pe.com.bn.app.bancodelanacion | Banco de la Nación |
| com.mibanco.bancamovil | Mibanco |
| pe.com.banBifBanking.icBanking.androidUI | BanBif App |
| com.bbva.nxt_peru | BBVA Perú |
| com.bcp.innovacxion.yapeapp | Yape |
| per.bf.desa | Banco Falabella Perú |
| com.pe.cajasullana.cajamovil | Móvil Caja Sullana |
| com.bcp.bank.bcp | Banca Móvil BCP |
| pe.pichincha.bm | APP Banco Pichincha Perú |
| com.cajahuancayo.cajahuancayo.appcajahuancayo | CAJA HUANCAYO |
| pe.cajapiura.bancamovil | Caja Piura App |
| com.cmacica.prd | Caja Ica App |
| pe.interbank.bie | Interbank Empresas |
| pe.com.scotiabank.businessbanking | Scotiabank Empresas, Perú |
| com.bcp.bank.tlc | Telecrédito Móvil BCP |
| com.alfinbanco.appclientes | Alfin Banco |
| pe.com.bancomercio.mobilebanking | Banco de Comercio |
| com.bm_gnb_pe | Banca Móvil Banco GNB Perú |
| com.whatsapp | WhatsApp Messenger |
| com.ripley.banco.peru | Banco Ripley Perú |
| com.zoluxiones.officebanking | Banco Santander Perú S.A. |
| com.cmac.cajamovilaqp | Caja Arequipa Móvil |
| pe.com.cajametropolitana.homebankingcml.cmlhomebanking | Banca móvil CML |
| com.pe.cajacusco.movil | Wayki App |
| com.caja.myapplication | Caja del Santa |
| com.cajamaynas.cajamaynas | Caja Maynas |
| com.cajatacna.droid | Caja Tacna App |
| com.appcajatrujillo | Caja Trujillo Móvil |
| pe.com.tarjetacencosud.canales.mitarjetacencosud | Mi Tarjeta Cencosud |
| pe.com.cajacentro | Caja Centro Movil |
| pe.com.prymera.digital.app | Prymera Digital |
| pe.com.compartamos.bancamovil | Compartamos Móvil Perú |
| pe.confianza.bancamovil | App de Financiera Confianza |
| com.credinkamovil.pe | Credinka en Línea |
| pe.com.scotiabank.blpm.android.client.csf | CrediScotia Financiera |
| com.efectivadigital.appclientes | Efectiva Tu Financiera |
| pe.solera.tarjetaoh | Tarjeta oh! |
| com.qapaq.banking | Qapaq |
| com.google.android.gm | Gmail |
Conclusion
According to our research, Zanubis uses a similar overlay-based attack as we have observed in other banking trojan families to steal the credentials of the targeted application.
The malware is still under development as some mentioned commands are not yet implemented, and the overlay URLs for a few targeted applications are missing. In the coming days, we may see a new variant of this malware with new TTPs and targets.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contacts List |
| Collection | T1517 | Access Notifications |
| Collection | T1533 | Data from Local System |
| Exfiltration | T1437 | Standard Application Layer Protocol |
| Collection | T1436 | Commonly used port |
| Input capture | T1417 | Input capture |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 0198b8fa11bf9e8442defa00befa2ab224ada5ebb4a60256f2bf5fc491cca0a1 | SHA256 | Hash of the analyzed APK file |
| 93be818f6087423909594f5630b67cf0ddcf71b6 | SHA1 | Hash of the analyzed APK file |
| 0b3248698651c68aa79c128c26df6f5c | MD5 | Hash of the analyzed APK file |
| 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57 | SHA256 | Hash of the analyzed APK file |
| 2128c991887a80152ca36689be503eaa6afc1b1f | SHA1 | Hash of the analyzed APK file |
| 8f78df9b128eb2b0fb576269bba6a9fb | MD5 | Hash of the analyzed APK file |
| 95242e1d105de9c33b2c9d8a9514f58327ca32d7d24af9af19ff3f0d075ea451 | SHA256 | Hash of the analyzed APK file |
| 74c03b47d0449e08ef9e645e79aaada5e0aedc9d | SHA1 | Hash of the analyzed APK file |
| e7495ddd6f4e5c686c2ee68b3db91f9b | MD5 | Hash of the analyzed APK file |
| hxxp://92.38.132[.]217:8000 | URL | C&C server |
Overlay-Based Banking Trojan Targets Peruvian Banks And Social Media Applications
Cyble Research and Intelligence Labs (CRIL) has been tracking the activities of various Android Banking Trojans such as Hydra, Ermac, and Amextroll, amongst several others. During a routine threat-hunting exercise, we came across a Twitter post where a researcher mentioned a malware sample. After an in-depth analysis, the malware was identified as a new Android Banking Trojan variant targeting over 40 applications from Peru.
The Threat Actor (TA) uses the string “Zanubis” as a key to decrypt responses received from the Command and Control (C&C) server. Hence, we will refer to this unidentified malware variant as “Zanubis.”
Zanubis malware pretends to be a PDF application to appear legitimate and target banks in Peru, as well as two social media apps, WhatsApp and Gmail, at the time of our analysis.
However, the overlay screen for these social media applications is not implemented by TAs at the moment. Still, we can expect them to do so soon as the app is under development.
Technical Analysis
APK Metadata Information
- App Name: Personal.pdf
- Package Name: com.personal.pdf
- SHA256 Hash: 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57
Figure 2 shows the metadata information of the application.
Manifest Description
The malicious application mentions 30 permissions in the manifest file, out of which the TA exploits 10. The harmful permissions requested by the malware are:
| Permission | Description |
| READ_CONTACTS | Access phone contacts |
| RECEIVE_SMS | Allows an application to receive SMS messages |
| READ_SMS | Access phone messages |
| CAMERA | Required to access the camera device. |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| CALL_PHONE | Allows an application to initiate a phone call without going through the Dialer user interface for the user to confirm the call |
| SEND_SMS | Allows an application to send SMS messages |
| SYSTEM_ALERT_WINDOW | Allows an app to create windows on top of all other apps |
Source Code Review
After installation, the malicious application prompts the user to grant the Battery Optimization permission, followed by the Accessibility (a11y) Service. Once the user turns on the Accessibility Service, the malware abuses a11y to prevent uninstallation and the auto-granting of permissions.
When the Accessibility Service is turned on, the malware connects to the C&C server hxxp://92.38.132[.]217:8000 and receives the list of targeted applications with the overlay URLs.
After receiving the targeted application list and overlay URL, the malware decrypts the response and saves the decrypted data into the shared preference file “cc638784cf213986ec75983a4aa08cda.xml,” as shown in the below image.
The malware further sends the list of installed applications, contact list, SMS permission status, and basic device information to the C&C server to identify the targeted application to carry out an overlay attack.
The code shown in the below figure is executed after receiving the command config_packages from the C&C server. The malware decrypts the list of targeted applications, verifies the package name with the installed application package name, and sends it to the C&C server with the tag “tagets_find.”
Whenever the user tries to interact with the targeted application, the onAccessibilityEvent() method checks the package name of the currently running app with the list of targeted applications present in the shared preference file. It then fetches the overlay URL and creates an overlay window over the targeted application, as shown in the below image.
The SocketCon class is responsible for connecting to the C&C server, receiving commands, and executing operations. The commands used by the malware are:
| Command | Description |
| config_packages | Receives the list of the targeted application |
| eliminar_app | Receives the Boolean number to perform an action on setting or package installer app |
| desinstalar_app | Receives the target application package name to uninstall |
| bloquear_telefono | Receives Boolean value to lock device |
| pedir_toke | Not Implemented |
| notificacion | Receives the notification and displays on the victim’s device |
| enviar_sms | Sends the SMS from an infected device |
| permiso_contactos | Receives the Boolean value to prompt the user to grant contact permission |
| rev_permiso_sms | Allowing the user to change the default SMS application |
| permiso_sms | Setting malicious applications as the default SMS application |
| desbloquear_package | Receives the application package name to remove the target application from the shared preference list |
The malware receives the command “enviar_sms” from the C&C server with a mobile number and a message body to send an SMS from an infected device. The TA can leverage this technique to spread the malware to infect more devices.
Below is the list of applications targeted by the malware:
| Package name | Application name |
| pe.com.interbank.mobilebanking | Interbank APP |
| pe.com.scotiabank.blpm.android.client | Scotiabank Perú |
| pe.com.bn.app.bancodelanacion | Banco de la Nación |
| com.mibanco.bancamovil | Mibanco |
| pe.com.banBifBanking.icBanking.androidUI | BanBif App |
| com.bbva.nxt_peru | BBVA Perú |
| com.bcp.innovacxion.yapeapp | Yape |
| per.bf.desa | Banco Falabella Perú |
| com.pe.cajasullana.cajamovil | Móvil Caja Sullana |
| com.bcp.bank.bcp | Banca Móvil BCP |
| pe.pichincha.bm | APP Banco Pichincha Perú |
| com.cajahuancayo.cajahuancayo.appcajahuancayo | CAJA HUANCAYO |
| pe.cajapiura.bancamovil | Caja Piura App |
| com.cmacica.prd | Caja Ica App |
| pe.interbank.bie | Interbank Empresas |
| pe.com.scotiabank.businessbanking | Scotiabank Empresas, Perú |
| com.bcp.bank.tlc | Telecrédito Móvil BCP |
| com.alfinbanco.appclientes | Alfin Banco |
| pe.com.bancomercio.mobilebanking | Banco de Comercio |
| com.bm_gnb_pe | Banca Móvil Banco GNB Perú |
| com.whatsapp | WhatsApp Messenger |
| com.ripley.banco.peru | Banco Ripley Perú |
| com.zoluxiones.officebanking | Banco Santander Perú S.A. |
| com.cmac.cajamovilaqp | Caja Arequipa Móvil |
| pe.com.cajametropolitana.homebankingcml.cmlhomebanking | Banca móvil CML |
| com.pe.cajacusco.movil | Wayki App |
| com.caja.myapplication | Caja del Santa |
| com.cajamaynas.cajamaynas | Caja Maynas |
| com.cajatacna.droid | Caja Tacna App |
| com.appcajatrujillo | Caja Trujillo Móvil |
| pe.com.tarjetacencosud.canales.mitarjetacencosud | Mi Tarjeta Cencosud |
| pe.com.cajacentro | Caja Centro Movil |
| pe.com.prymera.digital.app | Prymera Digital |
| pe.com.compartamos.bancamovil | Compartamos Móvil Perú |
| pe.confianza.bancamovil | App de Financiera Confianza |
| com.credinkamovil.pe | Credinka en Línea |
| pe.com.scotiabank.blpm.android.client.csf | CrediScotia Financiera |
| com.efectivadigital.appclientes | Efectiva Tu Financiera |
| pe.solera.tarjetaoh | Tarjeta oh! |
| com.qapaq.banking | Qapaq |
| com.google.android.gm | Gmail |
Conclusion
According to our research, Zanubis uses a similar overlay-based attack as we have observed in other banking trojan families to steal the credentials of the targeted application.
The malware is still under development as some mentioned commands are not yet implemented, and the overlay URLs for a few targeted applications are missing. In the coming days, we may see a new variant of this malware with new TTPs and targets.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
How to prevent malware infection?
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | Deliver Malicious App via Other Mean. |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contacts List |
| Collection | T1517 | Access Notifications |
| Collection | T1533 | Data from Local System |
| Exfiltration | T1437 | Standard Application Layer Protocol |
| Collection | T1436 | Commonly used port |
| Input capture | T1417 | Input capture |
Indicators Of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 0198b8fa11bf9e8442defa00befa2ab224ada5ebb4a60256f2bf5fc491cca0a1 | SHA256 | Hash of the analyzed APK file |
| 93be818f6087423909594f5630b67cf0ddcf71b6 | SHA1 | Hash of the analyzed APK file |
| 0b3248698651c68aa79c128c26df6f5c | MD5 | Hash of the analyzed APK file |
| 33adbff1a79da4a3fde49cececac5a6b99bf217be0c6db6cdf85a46bf2087e57 | SHA256 | Hash of the analyzed APK file |
| 2128c991887a80152ca36689be503eaa6afc1b1f | SHA1 | Hash of the analyzed APK file |
| 8f78df9b128eb2b0fb576269bba6a9fb | MD5 | Hash of the analyzed APK file |
| 95242e1d105de9c33b2c9d8a9514f58327ca32d7d24af9af19ff3f0d075ea451 | SHA256 | Hash of the analyzed APK file |
| 74c03b47d0449e08ef9e645e79aaada5e0aedc9d | SHA1 | Hash of the analyzed APK file |
| e7495ddd6f4e5c686c2ee68b3db91f9b | MD5 | Hash of the analyzed APK file |
| hxxp://92.38.132[.]217:8000 | URL | C&C server |
Source: https://blog.cyble.com/2022/09/02/zanubis-new-android-banking-trojan/
Recommended Posts
Cyber Threat Alert: Surge in Attacks via Compromised Third-Party Service Providers
08 Feb 2024 - Articles, English articles, Security Advisories & Alerts
Subscribe here
MEMBER OF:
