Legit Android apps poisoned by sticky 'Zombinder' malware


Threat researchers have discovered an obfuscation platform that attaches malware to legitimate Android applications to lure users into installing the malicious payload and to make it difficult for security tools to detect.

Analysts with cybersecurity vendor ThreatFabric found the platform, named "Zombinder," on the darknet while investigating a campaign that targeted both Android and Windows users with different types of malware.

Zombinder came to light while the researchers were analyzing a campaign involving the Ermac Android banking trojan. That effort yielded evidence of another campaign using multiple trojans aimed at both Android and Windows systems. Along with Ermac, it was distributing desktop malware including Erbium, Aurora stealer, and Laplas clipper.

"While investigating Ermac's activity, our researchers spotted an interesting campaign masquerading as applications for Wi-Fi authorization," the researchers write. "It was distributed through a fake one-page website containing only two buttons."


The buttons offered downloads for either Windows or Android. Clicking the latter downloaded Ermac, which can steal Gmail messages, two-factor authentication codes, and seed phrases from cryptocurrency wallets. It's also a keylogger.

"However, another detail drew our attention: some of the downloaded apps were not directly Ermac, but a 'legitimate' app that, during its normal operation, installed Ermac as payload targeting multiple banking applications," the researchers say.

These apps essentially were modified versions of legitimate apps, from a football streaming service to a Wi-Fi authenticator tool. The malware packages bound to them also carried the same name as the legitimate apps.

The researchers discovered that the cybercriminals were using a third-party service – Zombinder – that provided the "glue" to bind the malware dropper capabilities to the legitimate app. Once downloaded, the app – now tied to the malware – operated as expected until an update prompt appeared.

"At this point, if accepted by the victim, the seemingly legitimate application will install this update, which is nothing other than Ermac," they write. "Such process is achieved by 'glueing' [an] obfuscated malicious payload to a legitimate app with minor updates made to original source code to include installation and loading of the malicious payload."
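The binding described above leaves traces a defender can look for: a repackaged APK differs from the vendor's own build in its archive contents (a loader stub patched into the code, an extra asset carrying the second stage) and, because the attacker does not hold the original developer's signing key, in its signer certificate. The Python script below is an added illustration and is not ThreatFabric's or The Register's code. It uses two constructed in-memory zip archives standing in for a known-good APK and a repackaged copy of it; the entry names, package name and certificate contents are made up for the example.

```python
import hashlib
import io
import zipfile

# Constructed stand-ins for APK files. Real APKs are zip archives too, so the
# same per-entry hashing applies; only the sample contents here are invented.
def _build_apk(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

KNOWN_GOOD_APK = _build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.wifiauth'/>",
    "classes.dex": b"dex\n035\x00original-app-code",
    "META-INF/CERT.RSA": b"constructed-developer-signer-cert",
})

# Same package name and manifest, but the code was patched to load a second
# stage shipped as an asset, and the whole thing was re-signed by someone else.
REPACKAGED_APK = _build_apk({
    "AndroidManifest.xml": b"<manifest package='com.example.wifiauth'/>",
    "classes.dex": b"dex\n035\x00original-app-code+loader-stub",
    "assets/update.bin": b"constructed-encrypted-second-stage",
    "META-INF/CERT.RSA": b"constructed-attacker-signer-cert",
})


def _entry_digests(apk: bytes) -> dict:
    """SHA-256 of every archive entry, keyed by entry name."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        return {name: hashlib.sha256(zf.read(name)).hexdigest() for name in zf.namelist()}


def _signer_fingerprint(digests: dict) -> tuple:
    """Digests of the v1 signature certificate entries under META-INF/."""
    cert_entries = sorted(
        name for name in digests
        if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))
    )
    return tuple(digests[name] for name in cert_entries)


def compare_apks(known_good: bytes, candidate: bytes) -> dict:
    """Report entries added, removed or modified relative to a trusted build,
    plus whether the signing certificate differs."""
    good, cand = _entry_digests(known_good), _entry_digests(candidate)
    return {
        "added": sorted(set(cand) - set(good)),
        "removed": sorted(set(good) - set(cand)),
        "modified": sorted(n for n in good if n in cand and good[n] != cand[n]),
        "signer_changed": _signer_fingerprint(good) != _signer_fingerprint(cand),
    }


if __name__ == "__main__":
    print(compare_apks(KNOWN_GOOD_APK, REPACKAGED_APK))
```

For a real APK the authoritative signature lives in the v2/v3 APK Signing Block rather than only in `META-INF/`, so in practice the signer check is done with `apksigner verify --print-certs` and the fingerprint compared against the one the developer publishes; the entry-level diff above is what tells you which files the binder touched.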

The APK binding service has been available since March and is frequently used in different attacks, the researchers write. It's provided by what they say is "an actor well-known in the threat landscape."

An advertisement for Zombinder on a darknet forum explains "binding is needed to install your bot via making a potential victim feel more safe and trust the legitimate package in which your android bot will be embedded."


The most recent campaign using Zombinder distributed the Xenomorph banking trojan glued to the application from a media downloading company, with the victim lured through malicious ads. Zombinder drops and launches Xenomorph even as the legitimate app is operating normally for the unsuspecting victim.

Also unique to the campaign was the addition of the "Download for Windows" button on the fake Wi-Fi authorization site that distributed Ermac. It's common for cybercriminals targeting mobile devices to use multiple trojans to target a number of platforms, but this one also targeted Windows desktop applications, distributing Ermac alongside other malware.

The Erbium trojan is used against Windows users, stealing data including saved passwords, credit card details, browser cookies, and crypto wallets. Erbium was used during the campaign to steal information from more than 1,300 victims, among thousands of people attacked during the wider campaign.

Another piece of malware downloaded to the same device was the Laplas clipper, a relatively new threat that lets cybercriminals substitute the copied crypto wallet address of the recipient of a transfer with one controlled by the attackers. Also distributed through the malicious site was Aurora, a Windows stealer written in the Golang language.

"The notable thing about this particular [Aurora] build is its size: more than 300 MB," the researchers write. "This is most likely a tactic to overcome detection by antivirus engines, as most of the data is just an 'overlay' filled with zero bytes. At the same time the actual payload is encrypted and unpacked during the execution of the application."
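The zero-byte overlay the researchers describe is easy to spot if a scanner measures the padding directly instead of giving up on oversized files. The script below is an added example, not code from the page or from ThreatFabric; it builds a constructed sample (a fake two-byte header, 2 KB of body, then two million zero bytes) and flags it, while the same body without padding passes. The thresholds are assumptions chosen for the example.

```python
import zlib


def constructed_sample(pad_len: int) -> bytes:
    """Constructed stand-in for a binary: fake 'MZ' header, 2 KB of body,
    then pad_len zero bytes as an 'overlay'."""
    return b"MZ" + bytes(range(256)) * 8 + b"\x00" * pad_len


def trailing_zero_run(data: bytes) -> int:
    """Length of the run of 0x00 bytes at the end of the file."""
    return len(data) - len(data.rstrip(b"\x00"))


def compression_ratio(data: bytes) -> float:
    """Compressed size over original size; a zero overlay drives this toward 0."""
    return len(zlib.compress(data, 6)) / max(len(data), 1)


def assess_padding(data: bytes, min_zero_fraction: float = 0.5, max_ratio: float = 0.05) -> dict:
    """Flag a file whose bulk is a trailing zero run or which compresses
    far too well to be a normal executable. Thresholds are assumptions."""
    run = trailing_zero_run(data)
    zero_fraction = run / max(len(data), 1)
    ratio = compression_ratio(data)
    return {
        "size": len(data),
        "trailing_zero_run": run,
        "zero_fraction": round(zero_fraction, 4),
        "compression_ratio": round(ratio, 4),
        "suspicious": zero_fraction >= min_zero_fraction or ratio <= max_ratio,
    }


if __name__ == "__main__":
    for label, sample in (("unpadded", constructed_sample(0)),
                          ("padded", constructed_sample(2_000_000))):
        print(label, assess_padding(sample))
```

Measuring the trailing run separately matters because an encrypted payload (high entropy) and a zero overlay (zero entropy) average out to an unremarkable whole-file entropy score; the compression ratio and the explicit zero run are not fooled by that mix.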

The use of so many different trojans could indicate that the malicious Wi-Fi authorization page is used by multiple crooks who obtain it through a third-party distribution service, the researchers believe. The combination of malware development and distribution with multiple strategies for using it is an indication of the growing sophistication of cyber-threats.

In addition, by targeting multiple platforms, threat groups can reach a wider number of victims and steal more data, which can then be used in future campaigns.

Zombinder is the latest reminder of the dangers of third-party app and APK download sites, said Chris Hauk, consumer privacy champion at Pixel Privacy.

"Malware as a service is a growing problem, allowing some bad actors to cause havoc with little to no programming skills," Hauk told The Register. "This is why users should never install apps from outside of the Google Play Store."