ThreatFabric’s researchers found ‘Zombinder’, a third-party darknet service that was used to bind malware payloads to legitimate Android applications.
The service binds a malicious payload to a legitimate application so that users are deceived into installing the payload along with an app they believe they can trust.
“While analyzing the activity of the Android banking Trojan Ermac, ThreatFabric’s analysts discovered a campaign employing several Trojans, and targeting both Android and Windows users at the same time, in order to reach as many victims as possible”, according to ThreatFabric’s researchers.
Analysts identified an interesting campaign disguising itself as Wi-Fi authorization applications when looking into Ermac’s behavior. It was advertised on a fake, one-page website with just two buttons.
The website then offers the user the option of downloading either the Windows or the Android version of the application, which is actually malware.
It was capable of performing keylogging, overlay attacks, stealing emails from Gmail, intercepting 2FA codes, and stealing crypto wallet seed phrases.
“The actor used a third-party service provided on the darknet to “glue”, or bind, dropper capabilities to a legitimate application. After downloading the bound application, it will act as usual unless it shows a message stating that the app needs to be updated”, say the researchers.
If the victim accepts the update, Ermac will be installed even though the application appears to be legitimate.
New ‘Zombinder’ Platform
According to ThreatFabric, Zombinder, which first appeared in March 2022 as a malware packer for APK files, is currently becoming more and more well-known among