Researchers have discovered a program that binds malware to legitimate Android apps.

As reported by The Register, analysts at cybersecurity firm ThreatFabric discovered the "Zombinder" service while investigating another malware distribution campaign using the ERMAC banking Trojan, a piece of malware TechRadar Pro has previously reported on.

In their report, the researchers said that "while investigating ERMAC activity, our researchers detected an interesting campaign posing as Wi-Fi permission requests. It was distributed via a fake one-page website that contained only two buttons."

ERMAC and dropper

These buttons served as download links for Android versions of "dummy" apps developed by ERMAC, which are useless to the end user but are designed to log keystrokes as well as steal two-factor authentication (2FA) codes, bitcoin wallet codes, email IDs, and seed phrases, among others.

However, while some of the malicious apps available on the platform are likely the work of ERMAC lead developer DukeEugene, the team also discovered that some of the apps were disguised as legitimate instances of the Instagram app, as well as other apps that have listings in the Google Play Store.

As is often the case with malware campaigns, the threat actors use a "dropper" obtained from the dark web, in this case Zombinder, so that their applications can evade detection. Droppers install what is functionally a clean version of the app, but then present users with an update that contains the malware.

This is a smart delivery system, especially with apps claiming to be from common, "trusted" vendors like Meta, as users are more likely to install an update from app developers they recognize.

This particular dropper service was announced in March 2022, and according to ThreatFabric, it has already become popular among various threat actors.

Dropper attacks are possible largely due to the "open" nature of Android, which allows users to "sideload" apps obtained from sources other than the Google Play Store, including from the app developers themselves.

While this open ecosystem benefits security-conscious users, users who see it only as a way to, for example, pirate apps that normally cost money can become easy targets for banking Trojan attackers, who are then free to steal data, credentials and even money from innocent users.
