Zombinder APK binding service used in multiple malware attacks

Zombinder is a third-party service on darknet used to embed malicious payloads in legitimate Android applications.

While investigating a new malware campaign targeting Android and Windows systems, researchers at Threat Fabric discovered a darknet service, dubbed Zombinder, used to embed malicious payloads in legitimate Android apps.

The campaign involved the Ermac Android banking Trojan along with desktop malware such as Erbium, Aurora stealer, and the Laplas “clipper”.

This campaign infected thousands of systems, experts reported that the Erbium stealer successfully exfiltrates data from more than 1300 victims.

While investigating Ermac’s activity, the experts spotted an interesting campaign masquerading as application for Wi-Fi authorization. The tainted apps were distributed through a bogus website containing a single page with only two buttons. Clicking on the “Download for Android” button leads to downloading the Ermac malware.

The Ermac variant employed in the attack has the following capabilities:

• Overlay attack to steal PII
• Keylogging
• Stealing e-mails from Gmail application
• Stealing 2FA codes
• Stealing seed phrases from several cryptocurrency wallets

Experts also observed threat actors masquerading as malicious apps as browser updates. 

“However, another detail drew our attention: some of the downloaded apps were not directly Ermac, but a “legitimate” app that, during its normal operation, installed Ermac as payload targeting multiple banking applications” reads the analysis published by Threat Fabric. “Such apps disguised as modified version of Instagram, WiFi Auto Authenticator, Football Live Streaming, etc. The package names were also the same as for legitimate applications.”

The experts discovered that the malicious apps were created with the Zombinder APK binding service that is advertised on the dark web since March 2022.

According to the experts, the binding service part of a wider project that is an obfuscation tool that is used by multiple threat actors. 

The latest campaign analyzed by the researchers that involved the Zombinder service was distributing Xenomorph banking trojan masquerading as VidMate application. 

“Modern threat landscape becomes more and more sophisticated where actors combine multiple approaches in malware development, distribution, operation as well as in performing fraud itself involving multiple tactics at the same time.” concludes the report. “New tools appear to make malware less suspicious or more trustworthy for victim which results in more successful fraud cases. Moreover, targeting multiple platforms, actors are able to reach wider “audience” and steal more PII to utilize in further fraud.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Zombinder)

[adrotate banner=”5″]

[adrotate banner=”13″]