Zombinder is a newly identified obfuscation service, sold as a criminal platform, that allows threat actors to bind malware to legitimate Android applications. The campaign built around it is cross-platform, targeting both Windows and Android users.
The platform was discovered by ThreatFabric researchers while analyzing the activity of the Ermac trojan. The first Ermac campaigns were most likely initiated in late August 2021. The attacks have since expanded and now target numerous apps, including banking apps, media players, government apps and antivirus solutions.
Ermac is not the only malware used in this campaign: the threat actors also deployed the Erbium and Aurora stealers and the Laplas clipper to infect victims with desktop malware, resulting in thousands of victims. Erbium alone exfiltrated data from at least 1,300 victims, the researchers said.
How Does the Zombinder Platform Work?
To fool potential victims, Zombinder impersonates Wi-Fi authorization applications, distributed through a fake one-page website containing only two buttons.
The “Download for Android” button downloads samples of Ermac, which the researchers classified as Ermac.C. The malware has the following capabilities:
- Overlay attack to steal PII
- Keylogging
- Stealing e-mails from Gmail application
- Stealing 2FA codes
- Stealing seed phrases from several cryptocurrency wallets
The campaign thus begins with the supposed Wi-Fi authorization app, which is in fact malware.
Some of the downloaded apps were not Ermac itself but a “legitimate” app that, during its normal operation, installed Ermac as a payload targeting multiple banking applications, the report added. These apps masqueraded as modified versions of Instagram, WiFi Auto Authenticator, and Football Live Streaming.
Notably, the apps worked normally, since their original functionality was not removed; the threat actors simply added a malware-specific loader to the app’s code. To avoid detection, the loader itself is also obfuscated. When the app is launched, the loader prompts the potential victim to install a “plugin”, which is the malicious payload; once installed, the payload is launched in the background.
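The binding technique described above leaves a structural trace that a practitioner can triage for: a repackaged app that still works as intended but carries a second installable payload and a loader able to install it. The script below is an added example written for this page; it is not code from the ThreatFabric report or from Zombinder. It assumes (this is not stated in the report) that the hidden "plugin" is an APK or DEX stored under a non-standard path such as assets/, and that the loader declares android.permission.REQUEST_INSTALL_PACKAGES so it can install it. The sample APKs are constructed inline as minimal zip files, with a simplified manifest rather than a full binary AXML file.

```python
"""Triage heuristic for "bound" APKs: a repackaged app carrying a hidden
installable payload. Added example, not ThreatFabric's or Zombinder's code.
Assumptions (not from the report): the payload is an APK/DEX stored at a
non-standard path, and the loader declares REQUEST_INSTALL_PACKAGES."""
import io
import re
import zipfile

DEX_MAGIC = b"dex\n"          # first bytes of a classes.dex ("dex\n035\0")
ZIP_MAGIC = b"PK\x03\x04"     # local file header of a zip / APK / JAR
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
STANDARD_DEX = re.compile(r"^classes\d*\.dex$")   # the app's own code


def manifest_mentions(manifest: bytes, needle: str) -> bool:
    """Binary AndroidManifest.xml keeps its strings in a pool encoded as
    UTF-8 or UTF-16LE; a raw byte search over both encodings is enough
    for triage without a full AXML parser."""
    return (needle.encode("utf-8") in manifest
            or needle.encode("utf-16-le") in manifest)


def scan_apk(apk_bytes: bytes) -> dict:
    """Flag an APK that both hides a second installable artifact and can
    install packages itself (the combination a binder loader needs)."""
    findings = {"embedded_payloads": [], "can_install_packages": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or STANDARD_DEX.match(info.filename):
                continue
            head = z.open(info).read(4)
            if head.startswith(DEX_MAGIC) or head.startswith(ZIP_MAGIC):
                findings["embedded_payloads"].append(info.filename)
        if "AndroidManifest.xml" in z.namelist():
            findings["can_install_packages"] = manifest_mentions(
                z.read("AndroidManifest.xml"), INSTALL_PERM)
    findings["suspicious"] = (bool(findings["embedded_payloads"])
                              and findings["can_install_packages"])
    return findings


def build_sample(bound: bool) -> bytes:
    """Construct a minimal fake APK in memory (constructed test data, not a
    real sample; the manifest is a stand-in for binary AXML)."""
    perm = INSTALL_PERM if bound else "android.permission.INTERNET"
    manifest = f"<manifest>{perm}</manifest>".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", manifest)
        z.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        z.writestr("res/layout/main.xml", b"<LinearLayout/>")
        if bound:
            # loader keeps the original app and hides the "plugin" as a data file
            z.writestr("assets/plugin.dat", ZIP_MAGIC + b"\x00" * 26 + b"stub")
    return buf.getvalue()


if __name__ == "__main__":
    for label, bound in (("clean", False), ("bound", True)):
        print(label, scan_apk(build_sample(bound)))
```

The heuristic is deliberately coarse: legitimate apps do sometimes ship nested zips or secondary DEX files, so treat a hit as a reason to pull the sample apart (compare the signing certificate with the original developer's and inspect what the loader does with the embedded file), not as a verdict on its own.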