Android apps are being “poisoned” by this awful malware
Researchers have discovered a service that binds malware to legitimate Android applications.
As reported by The Register, analysts from cybersecurity firm ThreatFabric learned about the “Zombinder” service while investigating another malware distribution campaign involving the ERMAC banking trojan, which TechRadar Pro has reported on before.
In their report, the researchers said: “While investigating ERMAC’s activity, our researchers spotted an interesting campaign masquerading as applications for Wi-Fi authorization. It was distributed through a fake one-page website containing only two buttons.”
ERMAC and Droppers
These buttons acted as download links for Android versions of ERMAC-developed “dummy” apps, which are useless to the end user but designed to record keystrokes as well as steal two-factor authentication (2FA) codes, email credentials and bitcoin wallet seed phrases, among others.
While some of the malicious apps available from the platform are likely the responsibility of core ERMAC developer DukeEugene, the team also found that some of the apps were disguised as legitimate instances of the Instagram app, as well as other apps listed on the Google Play Store.
As is often the case with malware campaigns, the threat actors use a “dropper” obtained from the dark web, in this case Zombinder, so that their applications can evade detection. Droppers install what is functionally a clean version of the app, but then offer users an “update” that contains the malware.
It’s a smart delivery system, especially with apps pretending to come from common, “trusted” providers like Meta, as users are more likely to install an update from app developers they recognize.
This particular dropper service was announced in March 2022 and, according to ThreatFabric, has already gained popularity among a number of threat actors.
“Dropper” attacks are made possible largely due to the “open” nature of Android which allows users to “sideload” apps obtained from repositories other than the Google Play Store, and even from app developers themselves.
While this open ecosystem benefits security-conscious users, users who see it simply as a way to use apps that normally cost money can become easy pickings for threat actors armed with banking trojans, who are then free to steal data, credentials, and even money from innocent users.