Zanubis is an Android banking trojan that specifically targets financial and cryptocurrency users in Peru [2] [4] [8]. It aims to obtain online banking credentials and gain unauthorized access to funds [3].


Zanubis disguises itself as legitimate Android apps and tricks users into granting Accessibility permissions [5], giving the malware full control over the device [1]. It has been observed posing as the official app of SUNAT, the Peruvian customs and tax agency [1] [2] [5] [6], indicating an increase in sophistication [4] [7] [8].
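A defender-side check for the Accessibility abuse described above, as an added example that is not taken from the cited reports: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i` and flags packages that hold Accessibility access but were not installed from a trusted store. The sample output, the package name `com.example.taxhelper`, and treating Google Play as the only trusted installer are assumptions.

```python
import re

# Assumption: only Google Play counts as a trusted installer for this audit.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility_services(setting_value):
    """Return package names from the colon-separated 'package/service' list."""
    value = (setting_value or "").strip()
    if not value or value == "null":      # 'null' means no service is enabled
        return []
    packages = []
    for component in value.split(":"):
        package = component.split("/", 1)[0].strip()
        if package and package not in packages:
            packages.append(package)
    return packages

def parse_installers(pm_output):
    """Map package name -> installer from 'pm list packages -i' lines."""
    installers = {}
    for line in pm_output.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers

def flag_risky_services(setting_value, pm_output, allowlist=()):
    """List (package, installer) pairs with Accessibility access that are
    neither allowlisted nor installed by a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for package in parse_accessibility_services(setting_value):
        installer = installers.get(package, "unknown")
        if package in allowlist or installer in TRUSTED_INSTALLERS:
            continue
        findings.append((package, installer))
    return findings

# Constructed sample data; com.example.taxhelper is a hypothetical sideloaded app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.taxhelper/.HelperService"
)
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.taxhelper  installer=null"""

if __name__ == "__main__":
    for package, installer in flag_risky_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"review: {package} has Accessibility access (installer={installer})")
```

Preinstalled system apps can also report no installer, so pass known-good accessibility tools through `allowlist` rather than treating every hit as malicious.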

Zanubis is obfuscated with Obfuscapk, an obfuscator for Android APK files [2] [5], making it difficult to detect. Once installed, it creates the illusion of legitimacy by loading the genuine SUNAT website in a WebView [5]. The trojan maintains communication with its controlling server through WebSockets and Socket.IO [5], ensuring connectivity even in adverse conditions [5].

Zanubis can disable a device by masquerading as an Android update, and it can be remotely programmed to steal data when specific apps are in use. It can also establish a second connection [5], potentially giving its operators complete control over a compromised device [5].

Additionally, Zanubis logs keystrokes and records the screen when targeted apps are launched [6]. It also monitors attempts to lock or unlock the phone and blocks them [1] [6], rendering the device unusable [1] [6] [9].


Zanubis poses a significant threat to financial and cryptocurrency users in Peru. Its ability to disguise itself as legitimate apps and gain full control over devices makes it challenging to detect and mitigate. The trojan’s increasing sophistication and use of obfuscation techniques highlight the need for improved security measures. Financial institutions and users should remain vigilant and implement strong security practices to protect against this evolving threat.