The new ‘Zombinder’ platform features Android malware with legitimate app 

A darknet platform known as “Zombinder” allows cyber-criminals to compose malicious Android apps that imitate genuine ones, giving victims the opportunity to unintentionally infect themselves.

The platform, observed by cybersecurity company ThreatFabric, has caught the eye of malware developers.

The website impersonates a WiFi authorization portal, supposedly enabling users to gain access to online locations, as a lure for delivering malware. It then prompts the visitor to download either a Windows or an Android version of the application, which is in fact a trojanized app.

ThreatFabric reports that the operation has affected thousands of victims, with Erbium malware infections alone stealing data from over 1,300 computers.

Zombinder for Android

The dark-web service, named Zombinder by the researchers, binds malware APKs to legitimate Android applications.

Zombinder, first seen in March 2022, is an APK binding service used by cybercriminals. The source describes it as currently popular in the cybercrime community.

Several apps were used in this campaign; the analysts spotted a fake sports streaming application and a modified version of Instagram.

These apps keep their full functionality because the malware loader is appended to the legitimate code rather than replacing it. New Zombinder apps are built this way.

The malicious dynamic loader is obfuscated to evade detection. It prompts the user to install an update and, once the prompt is accepted, silently installs the malware payload and launches it.
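As an added defender-side example (not ThreatFabric's or Terraeagle's code, and not a signature for Zombinder itself), the following Python script applies two generic dropper heuristics to an APK: a second DEX or APK hidden outside the normal classes.dex entries, and the REQUEST_INSTALL_PACKAGES permission a loader needs to install a second app. The sample APKs it scans are constructed in memory and are assumptions, not real samples.

```python
import io
import re
import zipfile

DEX_MAGIC = b"dex\n"          # header of a Dalvik executable
ZIP_MAGIC = b"PK\x03\x04"      # header of a zip/APK/JAR
# The binary AndroidManifest.xml stores strings as UTF-8 or UTF-16LE, so search both.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
PERM_PATTERNS = (INSTALL_PERM.encode("utf-8"), INSTALL_PERM.encode("utf-16-le"))


def scan_apk(data: bytes) -> dict:
    """Flag generic dropper traits in an APK given as bytes (heuristic, not proof)."""
    findings = {"nested_payloads": [], "requests_install_permission": False}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            # Top-level classes.dex, classes2.dex, ... are the app's normal code;
            # any other DEX or zip-like entry (e.g. under assets/) is a second-stage candidate.
            main_dex = re.fullmatch(r"classes\d*\.dex", info.filename) is not None
            if not main_dex and (head.startswith(DEX_MAGIC) or head.startswith(ZIP_MAGIC)):
                findings["nested_payloads"].append(info.filename)
        if "AndroidManifest.xml" in zf.namelist():
            manifest = zf.read("AndroidManifest.xml")
            # A loader that installs a second app needs this permission on Android 8+.
            findings["requests_install_permission"] = any(p in manifest for p in PERM_PATTERNS)
    findings["suspicious"] = bool(findings["nested_payloads"]) or findings["requests_install_permission"]
    return findings


def build_sample_apk(with_dropper: bool) -> bytes:
    """Construct a minimal stand-in APK (not a real app) so the scanner can run offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)
        manifest = b"\x03\x00\x08\x00" + "android.permission.INTERNET".encode("utf-16-le")
        if with_dropper:
            manifest += INSTALL_PERM.encode("utf-16-le")
            # Hidden second APK, renamed to look like an innocuous data file.
            zf.writestr("assets/update.bin", ZIP_MAGIC + b"\0" * 32)
        zf.writestr("AndroidManifest.xml", manifest)
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("clean", False), ("trojanized", True)):
        print(label, scan_apk(build_sample_apk(flag)))
```

Legitimate apps also bundle zips or request the install permission, so treat a hit as a triage lead for manual review rather than a verdict.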

Zombinder advertises that the malicious bundles it produces evade detection at runtime and bypass Google Play Protect alerts and AV software running on the target devices.

The loader then drops an Ermac payload for Android, capable of keylogging, overlay attacks, stealing emails from Gmail, intercepting two-factor codes, and stealing cryptocurrency wallet seed phrases.

A visitor who clicks the "Download for Windows" button on the site instead receives a piece of Windows malware.

Examples observed by ThreatFabric include the Erbium stealer, the Laplas clipper, and the Aurora info-stealer.

These are dangerous, actively developed malware strains that are often rented for only a couple of hundred dollars per month.

As with the malware strains themselves, threat actors are likely to experiment with new methods in search of those that work best for them.

The accessibility of commodity malware lets threat actors create new artefacts, which enables them to offer additional services to clients.

ThreatFabric states that the number of trojans delivered through the same landing pages via one third-party service may mean that these threats originate from the same source.