Android users now have another cyber security worry to add to the growing pile. According to a report published by Threat Fabric, a malware-as-a-service platform advertised on the Darknet can bind malware to legitimate Android apps. This effectively results in victims infecting themselves while the legitimate app masks any suspicion the infection might otherwise cause. The platform, dubbed “Zombinder”, was discovered being spread via malicious Windows and Android campaigns.
Campaigns to spread the malware were done through impersonating Wi-Fi authorization portals, typically used to help users connect to public Wi-Fi hotspots.
In the attack campaign, impersonation portals were used to deliver various malware families including Ermac, an Android-based banking trojan previously seen infecting thousands of Android devices in a campaign late last year. Other malware payloads dropped on devices include Erbium, Aurora stealer, and Laplas Clipper.
The malware payloads are dropped once the user is prompted to download either a Windows or Android version of the application, supposedly to facilitate the connection to the Wi-Fi hotspot. As with so many campaigns that have gone before, the user, now a victim, downloads and installs the malware themselves.
Threat Fabric noted that Erbium alone had been dropped on at least 1,300 devices since the start of this campaign. Researchers also noted that one of the more interesting aspects of the campaign was the use of what is termed a binder, which attaches malware to legitimate applications. Researchers stated,
“In fact, the actor used a third-party service provided on darknet to “glue”, or bind, dropper capabilities to a legitimate application. After downloading the bound application, it will act as usual unless it shows a message stating that the app needs to be updated. At this point, if accepted by the victim, the seemingly legitimate application will install this update, which is nothing else than Ermac. The whole process from installing the application to Ermac running on the device can be seen on the following picture.”
This binder is the aforementioned Zombinder and, according to researchers, acts like a “zombie” that installs the desired malware payload.
It appears from the research conducted that Zombinder was released to the cybercrime underground in March 2022 and has steadily garnered interest and adoption from hackers.
The latest campaign analyzed by researchers involving Zombinder was distributing the Xenomorph banking trojan under the guise of the VidMate application.
Just as with the abovementioned campaign, the binder modified a legitimate application, which was then downloaded from a malicious website mimicking the original website of the application. Victims tend to land on the malicious webpage through malicious traffic links.
What makes Zombinder a threat to Android users is that the legitimate app still operates as expected; for all intents and purposes it is still the legitimate app, but it now has several malware payloads “glued” to it.
The loader component of Zombinder is obfuscated to help the malware further evade detection. If a Zombinder-bound app is installed on an Android device, the legitimate app will ask the victim to install a plugin.
If the prompt is accepted, the loader will install a malicious payload and launch it in the background. Researchers have seen a football streaming app used in this way to drop several malware payloads.
Not Just a Threat to Android Users
As alluded to above, Threat Fabric researchers also saw that the campaign was targeting Windows users, with researchers stating,
“However, this campaign has another unique characteristic that we had not observed before and that attracted our attention: the presence of a “Download for Windows” button on the malicious website distributing Ermac. It is common on the mobile threat landscape to utilize multiple Trojans targeting different platforms in one distribution campaign. In this specific case, the actor seems to target Android and Windows platforms in order to expand his/her reach as much as possible. But there is also an option that this is the same landing shared by different actors distributing Android and Windows Trojans. Nevertheless, our team dived into the desktop malware that was distributed along with Ermac.”
One of the trojans dropped onto Windows victims’ machines is the Erbium password stealer. The malware is capable of stealing saved passwords, credit card details, cookies from various browsers, and “cold” (offline) cryptocurrency wallet data, both from desktop applications and browser extensions, and has also become popular on underground hacking forums. Other malware strains dropped include Aurora and Laplas.
Aurora is also a stealer and is unusual for its build size of over 300MB. Researchers suspect this is done to bypass anti-virus detection engines, as most of the file is just an “overlay” filled with zero bytes.
At the same time, the actual payload is encrypted and only unpacked during execution of the application. Laplas can substitute a cryptocurrency wallet address copied by the victim with one controlled by the actor.
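A defender-side check for the padding trick described above, added here as an example and not taken from the Threat Fabric report: it measures how much of a file is a trailing run of zero bytes and flags large files that are mostly overlay. The size and ratio thresholds and the sample bytes are constructed assumptions.

```python
"""Heuristic for executables bulked up with a zero-byte overlay.

Added example (not from the report): ordinary PE section alignment adds only
small zero runs, so a large file whose majority is one trailing run of 0x00
is worth a closer look. Thresholds here are assumptions, not vendor values.
"""
import os
from typing import Dict

ZERO = b"\x00"


def trailing_zero_run(data: bytes) -> int:
    """Length of the contiguous 0x00 run at the very end of data."""
    return len(data) - len(data.rstrip(ZERO))


def trailing_zero_run_in_file(path: str, chunk: int = 1 << 20) -> int:
    """Same measurement for a file on disk, walking backwards in chunks so a
    300 MB sample is never loaded into memory at once."""
    size = os.path.getsize(path)
    run, pos = 0, size
    with open(path, "rb") as fh:
        while pos > 0:
            take = min(chunk, pos)
            pos -= take
            fh.seek(pos)
            zeros = trailing_zero_run(fh.read(take))
            run += zeros
            if zeros < take:  # reached real content, stop walking back
                break
    return run


def assess(total_size: int, zero_run: int, min_size: int = 100 << 20,
           min_ratio: float = 0.5) -> Dict[str, object]:
    """Verdict: suspicious when the file is large AND mostly trailing zeros."""
    ratio = zero_run / total_size if total_size else 0.0
    return {"size": total_size, "zero_run": zero_run, "ratio": round(ratio, 3),
            "suspicious": total_size >= min_size and ratio >= min_ratio}


def assess_bytes(data: bytes, **kw) -> Dict[str, object]:
    return assess(len(data), trailing_zero_run(data), **kw)


def assess_file(path: str, **kw) -> Dict[str, object]:
    return assess(os.path.getsize(path), trailing_zero_run_in_file(path), **kw)


if __name__ == "__main__":
    # Constructed sample: a small fake executable followed by a zero overlay.
    padded = b"MZ" + bytes(range(256)) * 40 + ZERO * 90_000
    print(assess_bytes(padded, min_size=50_000))
```

Pair the ratio with the encrypted-payload observation above: a file that is mostly zeros yet still carries a high-entropy region is a stronger signal than either property alone.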
Given the types of malware dropped on Windows devices after installation of the loader, it is clear that the threat actors are looking to make a quick buck, as many financially motivated cyber criminals are inclined to do. Considering the overlap in the capabilities of these malware strains, the threat actors are likely experimenting with various tools to see what works best for them.
Commodity malware has become so easily accessible that threat actors can quickly interchange their tools and extend their portfolios just by investing more.
ThreatFabric notes that the wide variety of trojans delivered by the same landing pages might indicate that a single third-party malware distribution service serves multiple threat actors.