ThreatFabric’s security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications.
Dubbed Zombinder, this platform was detected while investigating a campaign in which scammers were distributing multiple kinds of Windows and Android malware, including Android banking malware like Ermac, Laplas “clipper,” Erbium, and the Aurora stealer, etc.
This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.
Further probe helped researchers trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an app programming interface binding service launched in March 2022.
According to ThreatFabric’s blog post, numerous different threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app.
The campaign is designed to appear as it helps users access internet points by imitating the WiFi authorization portal. In reality, it pushes several different malware strains.
What does Zombinder Do?
In the campaign detected by ThreatFabric’s researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. It is distributed via modified apps advertised/downloaded from a malicious website mimicking the application’s original website. The victim is lured to visit this site via malicious ads.
The Zombinder-infected app works just as it is marketed while the malicious activity carries on in the background and the victim stays unaware of the malware infection.
At the moment, Zombinder is focusing entirely on Android apps but the service operators are offering Windows apps binding services. Those who downloaded the infected Windows app were delivered the Erbium stealer as well. It is an infamous Windows malware distributed to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data.
It is worth noting that two downloaded buttons on the malicious website’s landing page, one for Windows and the other for Android. when a user clicks on the Download for Windows button, they are delivered malware designed for Microsoft operating system, including Aurora, Erbium, and Laplas clipper. Conversely, the Download for Android button distributes the Ermac malware.
How to Stay Protected?
If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work. Also, avoid installing apps from unauthentic or unknown sources onto your Android mobile phone and rely on legitimate sources such as Google Play Store, Amazon Appstore, or Samsung Galaxy Store. Always check the app’s rating, and reviews, and check out the app developers’ website before installing a new app.