Jump to content
  • New 'Zombinder' platform binds Android malware with legitimate apps

    alf9872000

    • 452 views
    • 3 minutes
     Share


    • 452 views
    • 3 minutes

    A darknet platform dubbed 'Zombinder' allows threat actors to bind malware to legitimate Android apps, causing victims to infect themselves while still having the full functionality of the original app to evade suspicion.

     

    This new platform was discovered by cybersecurity firm ThreatFabric, which spotted malicious Windows and Android campaigns distributing multiple malware families.

     

    The campaign impersonates Wi-Fi authorization portals, supposedly helping users to access internet points as a lure to push various malware families. The site then prompts a user to download either a Windows or Adware version of the application, which in reality, is malware.

     

    ThreatFabric reports that the operation has claimed thousands of victims, with Erbium stealer infections alone having stolen data from 1,300 different computers.

     

    wifi-site.png
    Landing page distributing malware (ThreatFabric)

    Zombinder for Android

    An interesting aspect of the campaign is the darknet service, which the researchers dubbed “Zombinder,” which offers malicious APK binding of malware to legitimate Android applications.

     

    Zombinder launched in March 2022 as a malware packer on APK files, and according to ThreatFabric, it is now growing popular in the cybercrime community.

     

    The APKs used in this campaign vary, with the analysts reporting seeing a fake live football streaming app and a modified version of the Instagram app.

     

    These apps work as expected because the functionality of the legitimate software is not removed. Instead, Zombinder appends a malware loader to its code.

     

    The loader is obfuscated to evade detection, so when the user launches the app, the loader will display a prompt to install a plugin. If the prompt is accepted, the loader will install a malicious payload and launch it in the background.

     

    streaming-app.png

    Streaming app used in the campaign (ThreatFabric)

     

    The Zombinder service provider claims that the malicious app bundles created with it are undetectable in runtime and can bypass Google Protect alerts or AVs running on the target devices.

     

    zombinder.png

    Zombinder service promotional post (ThreatFabric)

     

    The campaign drops an Ermac payload for Android, capable of performing keylogging, overlay attacks, stealing emails from Gmail, intercepting 2FA codes, and stealing crypto wallet seed phrases.

    Windows malware

    If the Wi-Fi authorization website visitor clicks on the “Download for Windows” button, they download Windows malware instead.

     

    Examples seen by ThreatFabric include the Erbium stealer, the Laplas clipper, and the Aurora info-stealer.

     

    These are all dangerous and highly capable malware strains currently under active development, rented to cybercriminals for a couple hundred USD/month.

     

    Considering there’s overlap in the capabilities of these malware strains, the threat actors likely experiment with various tools to see what works best for them.

     

    Commodity malware has become so easily accessible that threat actors can quickly interchange their tools and extend their portfolios just by investing more.

     

    ThreatFabric says the wide variety of trojans delivered by the same landing pages might indicate that a single third-party malware distribution service serves multiple threat actors.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...