Zombinder Seen Binding to Legitimate Android Apps

Android users now have another cyber security worry to add to the growing pile. According to a report published by Threat Fabric, a malware-as-a-service platform advertised on the Darknet can bind malware to legitimate Android apps. This effectively results in victims infecting themselves and evading any suspicion the infection may cause. The platform dubbed “Zombinder” was discovered been spread via malicious Windows and Android campaigns.

Campaigns to spread the malware were done through impersonating Wi-Fi authorization portals, typically used to help users connect to public Wi-Fi hotspots.

zombinder android malware

In the attack, campaign impersonation portals were used to deliver various malware families including Ermac, an Android-based banking trojan, previously seen infecting thousands of Android devices in a campaign late last year. Other malware payloads dropped on devices include Erbium, Aurora stealer, and Laplas Clipper.

The malware payloads are dropped once the user is prompted to download either a Windows or Android version of the application, supposedly to facilitate the connection to the Wi-Fi hotspot, but like with so many campaigns that have gone before the user, now victim, downloads and installs malware.

Threat Fabric noted that the just Erbium had been dropped on at least 1,300 devices, since the start of this campaign. Researchers also noted that one of the more interesting aspects of the campaign was the use of what is termed a binder that attaches malware to legitimate applications. Researchers stated,

“In fact, the actor used a third-party service provided on darknet to “glue”, or bind, dropper capabilities to a legitimate application. After downloading the bound application, it will act as usual unless it shows a message stating that the app needs to be updated. At this point, if accepted by the victim, the seemingly legitimate application will install this update, which is nothing else than Ermac. The whole process from installing the application to Ermac running on the device can be seen on the following picture.”

This binder is the aforementioned Zombinder and acts like a “zombie” that installs the desired malware payload according to researchers.

It appears from the research conducted that Zombinder was released to the cybercrime underground in March 2022 and has steadily garnered interest and adoption from hackers.

The latest campaign analyzed by researchers involving Zombinder was distributing Xenomorph banking trojan under the guise of the VidMate application.

Just as with the abovementioned campaign, the binder modified a legitimate application and was downloaded from a malicious website mimicking the original website of the application. Victims tend to land on malicious webpage through malicious traffic links.

What makes Zombinder a threat to Android users is that the legitimate app still operates as expected, as it is for all purposes still the legitimate app but now has several malware payloads “glued” to it.

The loader component of Zombinder is obfuscated to help malware further evade detection. If Zombinder is downloaded on an Android device the legitimate app will ask the victim to install a plugin.

If the prompt is accepted, the loader will install a malicious payload and launch it in the background. Researchers have seen a football streaming app used in this way to drop several malware payloads.

Not Just a Threat to Android Users

As alluded to above Threat Fabric researchers also saw the campaign was targeting Windows users, with researchers stating,

“However, this campaign has another unique characteristic that we had not observed before and that attracted our attention: the presence of a “Download for Windows” button on the malicious website distributing Ermac. It is common on the mobile threat landscape to utilize multiple Trojans targeting different platforms in one distribution campaign. In this specific case, the actor seems to target Android and Windows platforms in order to expand his/her reach as much as possible. But there is also an option that this is the same landing shared by different actors distributing Android and Windows Trojans. Nevertheless, our team dived into the desktop malware that was distributed along with Ermac.”

One of the trojans dropped onto Windows victim’s machines is the Erbium password stealer. The malware is capable saved passwords, credit card details, cookies from various browsers, and “cold” (offline) cryptocurrency wallet data both from desktop applications and browser extensions and has also become popular on underground hacking forums. Other malware strains dropped include Aurora and Laplas.

Aurora is also a stealer and is unique due to its build size of over 300MB. Researchers suspect this is done to bypass anti-virus detection engines as most of the data is just an “overlay” filled with zero bytes.

At the same time, the actual payload is encrypted and unpacked during the execution of the application. Laplas can substitute a cryptocurrency wallet address copied by the victim with one controlled by an actor.

Given the types of malware dropped on Windows devices after installation of the loader it is clear that threat actors are looking to make a quick buck, as many financially motivated cyber criminals are inclined to do. Considering there’s overlap in the capabilities of these malware strains, the threat actors likely experiment with various tools to see what works best for them.

Commodity malware has become so easily accessible that threat actors can quickly interchange their tools and extend their portfolios just by investing more.

ThreatFabric notes that the wide variety of trojans delivered by the same landing pages might indicate that a single third-party malware distribution service serves multiple threat actors.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal