Researchers have discovered an obfuscation platform named Zombinder, advertised on the darknet, that binds malware to legitimate Android applications so that users are lured into installing the malicious payload together with the app they wanted, while making that payload harder for security tools to detect.
It came to light while researchers were analyzing a campaign involving the Ermac Android banking trojan. They also found evidence of another campaign that used multiple trojans aimed at both Android and Windows systems: alongside Ermac, it distributed the desktop malware Erbium, the Aurora stealer, and the Laplas clipper.
The campaign's fake site offered download buttons for either Windows or Android. Clicking the Android button downloaded Ermac, which can steal Gmail messages, two-factor authentication codes, and seed phrases from cryptocurrency wallets, and also includes a keylogger.
The Android apps were modified versions of legitimate apps, ranging from a football streaming service to a Wi-Fi authenticator tool. The malware packages bound to them carried the same package names as the legitimate apps.
The threat actors used a third-party service, Zombinder, that provides the glue to bind dropper capabilities to a legitimate app. Once installed, the trojanized app works as expected until an update message appears, at which point the dropper installs and launches the bound malware.
A more recent campaign using Zombinder distributed the Xenomorph banking trojan bound to an app from a media-downloading company, with victims lured through malicious ads. Zombinder drops and launches Xenomorph while the legitimate app keeps operating normally for the unsuspecting victim.
What made the campaign unusual was the addition of a "Download for Windows" button on the fake Wi-Fi authorization site that distributed Ermac. Erbium, the malware served to Windows users, steals data including saved passwords, credit card details, browser cookies, and cryptocurrency wallets.
The combination of malware development, third-party distribution services, and multiple delivery tactics is a sign of the growing sophistication of cyber-threats.
Malware-as-a-service is booming, and Zombinder is the latest reminder of the dangers of third-party app and APK download sites. To thwart such attacks, users should install apps only from the Google Play Store, avoid sideloading APKs from third-party sites, and be suspicious of an app that asks them to install an update from outside the store, since that prompt is how the bound dropper delivers its payload.