Researchers have discovered a program that’s binding malware to legitimate Android applications.
As reported by The Register, analysts for cybersecurity firm ThreatFabric learned of the “Zombinder” service while investigating another malware spread campaign using the ERMAC banking trojan, malware that TechRadar Pro has previously reported on.
In their report, the researchers said “while investigating ERMAC’s activity, our researchers spotted an interesting campaign masquerading as applications for Wi-Fi authorization. It was distributed through a fake one-page website containing only two buttons.”
ERMAC and Droppers
These buttons acted as download links for Android versions of ERMAC-developed “dummy” applications, which are useless to the end user but are designed to log keystrokes, as well as steal two-factor authentication (2FA) codes, email credentials and bitcoin wallet seed phrases, amongst other things.
However, while some of the malicious apps available from the platform are likely the responsibility of core ERMAC developer DukeEugene, the team also found that some of the apps were disguised as legitimate instances of the Instagram app, as well as other applications that have listings on the Google Play Store.
As is often the case with malware campaigns, the threat actors are using a “dropper” obtained from the dark web, in this case Zombinder, so their apps can evade detection. Droppers install what is functionally a clean version of the app, but then present users with an update that contains the malware.
This is a clever delivery system, particularly with apps that purport to be from common, “trusted” vendors like Meta, as users are more likely to install an update from app developers they recognise.
This particular dropper service was announced in March 2022 and, according to ThreatFabric, has already become popular with a number of threat actors.
“Dropper” attacks are largely made possible because of the “open” nature of Android allowing users to “sideload” apps obtained from repositories other than the Google Play Store, and even from app developers themselves.
While this open ecosystem benefits security-conscious users, users seeing it purely as a means of pirating applications that usually cost money, for instance, can become easy pickings for threat actors armed with banking trojans, who are then free to steal data, credentials and even money from innocent users.