Security Researchers Discover A Darknet Service That Can Turn Legit Android Apps Into Trojans

In the course of investigating an Android banking Trojan known as “Ermac,” cybersecurity researchers at ThreatFabric recently discovered a service that takes legitimate apps and turns them into Trojans. The researchers have named this service “Zombinder,” as it binds a malware dropper to legitimate apps, effectively turning them into zombie apps that appear largely the same but exist to infect Android devices with malware. According to ThreatFabric, a well-known threat actor offers this service on the dark web, advertising it on various hacking and cybercriminal forums. Zombinder poses a significant threat to Android users, as it enables threat actors with no experience developing Android malware to easily acquire customized Trojan apps.

ThreatFabric came across this service while looking into a campaign distributing Android malware through fake Wi-Fi authorization apps. The researchers’ analyses of these Trojan apps revealed some of them to be legitimate apps modified to contain obfuscated malicious code. This obfuscation prevents Google Play Protect and third-party anti-virus applications from detecting the presence of a malware dropper that downloads and installs the Ermac Trojan.

Zombified football live stream app installing malicious payload (source: ThreatFabric)

The ThreatFabric researchers then ascertained that these modified apps were the product of a service they call Zombinder. First announced in March 2022, Zombinder is a malware binding service used frequently by different threat actors. These actors submit various legitimate applications to the service and receive zombified versions in return. These zombie apps appear to anti-virus services as identical to their legitimate counterparts, owing to their identical package names and the obfuscation of the malicious code added by Zombinder.

However, once installed, the zombie apps prompt users to install fake plugin apps, falsely presenting the plugin apps as required dependencies. In reality, these fake plugin apps contain malware that abuses Android permissions to steal login credentials from a wide variety of financial applications. Android users should scrutinize even familiar applications before downloading and installing them, as services like Zombinder mean that threat actors of any experience level can turn legitimate apps into zombified versions containing malware.

Nathan Wasson

Nathan grew up with computer hardware news and reviews in the family business and eventually joined the business himself in 2014. He initially joined to make video reviews and help with the podcast, but was soon asked if he would write, and he's been writing about computers ever since. More recently, Nathan has developed a passion for internet privacy, security, and decentralization and likes writing about those topics the most. He spends much of his free time tinkering with Linux distributions, custom Android ROMs, privacy and security tools, and self-hosting solutions. He also started gaming on a PC at a young age and still can't give up Unreal Tournament 2004 and Supreme Commander 2. Beyond computers, Nathan is a car enthusiast and philosophy nerd.

You can follow Nathan on Mastodon and Twitter.

Opinions and content posted by HotHardware contributors are their own.