Zombinder on Dark Web Lets Hackers Add Malware to Legit Apps
ThreatFabric’s security researchers have reported a new dark web platform through which cybercriminals can easily add malware to legitimate Android applications. Dubbed Zombinder, the platform was detected while investigating a campaign in which scammers were distributing several kinds of Windows and Android malware, including the Ermac Android banking malware, the Laplas clipper, the Erbium stealer and the Aurora stealer. This comes just days after a new dark web marketplace called InTheBox surfaced online, serving smartphone malware developers and operators.

Further investigation allowed the researchers to trace the adversary to a third-party dark web service provider called Zombinder. It was identified as an APK (Android package) binding service launched in March 2022. According to ThreatFabric’s blog post, numerous threat actors are using this service and advertising it on hacker forums. On one such forum, the service was promoted as a universal binder that binds malware with almost any legitimate app. The campaign is designed to look as if it helps users get online by imitating a WiFi authorization portal. In reality, it pushes several different malware strains.

What does Zombinder Do?

In the campaign detected by ThreatFabric’s researchers, the service is distributing the Xenomorph banking malware disguised as the VidMate app. The modified apps are advertised on, and downloaded from, a malicious website mimicking the application’s official site; victims are lured to the site through malicious ads. A Zombinder-bound app works exactly as marketed while the malicious payload runs in the background, so the victim has no reason to suspect an infection.

At the moment Zombinder focuses entirely on Android apps, although the service operators also offer binding for Windows apps. Those who downloaded the infected Windows app were delivered the Erbium stealer as well, an infamous Windows malware used to steal stored passwords, cookies, credit card details, and cryptocurrency wallet data. It is worth noting that the malicious website’s landing page has two download buttons, one for Windows and the other for Android. When a user clicks the Download for Windows button, they are served Windows malware, including Aurora, Erbium, and the Laplas clipper. The Download for Android button, by contrast, delivers the Ermac malware.

How to Stay Protected?

If you want to stay safe, do not sideload apps even if you are desperate to make a specific product work, and avoid installing apps from unauthentic or unknown sources. Because a bound app keeps all of its legitimate functionality, an app behaving normally is no evidence that it is clean; where the installer came from is the only reliable signal.