The Zombinder platform could bind malware to Android apps

December 27, 2022

An underground platform called Zombinder enables malicious actors to attach malware to legitimate Android applications. Because the original app keeps all of its functionality, victims can infect themselves without noticing anything wrong with the app they installed.

This campaign impersonated Wi-Fi authorisation portals, the kind that supposedly let users access public internet points, as a lure to deploy numerous malware strains. The fake Wi-Fi authorisation website instructs a targeted user to download an Android or Windows version of the compromised application.

A researcher reported that the cybercriminal operation had claimed thousands of victims, with Erbium stealer infections having stolen information from nearly 1,300 different devices.


Zombinder is a service that lets actors take a malicious APK and bind it to legitimate Android apps.


According to an analysis, Zombinder is an underground service that offers to bind malware into trustworthy Android APKs. The APKs in this campaign come in many forms. In one instance, analysts have seen a fake live soccer streaming app and a modified version of the social media platform Instagram.

The application’s functions work exactly like the legitimate app, since the service does not remove any of the original software. However, Zombinder attaches a malware loader to the targeted applications.

Zombinder also obfuscates the loader to bypass security solutions. When a user launches the app, the loader displays a prompt instructing the user to install a plugin. If the user accepts, the loader installs the malicious payload and runs it in the background.

The service provider claims that app bundles created with it are undetectable at runtime and can avoid Google Protect alerts or antivirus software running on the infected device.

Furthermore, the campaign launches an Ermac payload for Android, which could perform keylogging, Gmail harvesting, 2FA code interception, overlay attacks, and cryptomining.

For Windows, if a visitor to the Wi-Fi authorisation website clicks the ‘Download for Windows’ option, they instead download malware built for Windows.

Cybersecurity experts explained that the strains distributed through this service are all dangerous, highly sophisticated, and still under active development. Therefore, users should avoid downloading unnecessary applications and avoid installing apps from third-party sources.
