Zombinder malware imitates original apps to steal data
ThreatFabric researchers have discovered the Zombinder service, which allows cybercriminals to easily embed malware into legitimate apps and steal data while also wreaking havoc on the device.
In a bid to push its malware, the campaign impersonates Wi-Fi authorization portals, ostensibly helping users connect to internet access points. The site then prompts the user to download a Windows or Android version of the application, which is actually malware.
The attacks involve the use of malware such as ERMAC, Erbium, Aurora, and Laplas to steal personally identifiable information, grab emails from the Gmail app, spy on two-factor authentication codes, and steal seed phrases from various crypto wallets, according to the ThreatFabric report. The researchers also stated that the malware was distributed via a bogus one-page website with only two buttons.
The buttons offered downloads for Windows or Android. Clicking the latter downloaded Ermac, which is capable of stealing Gmail messages, two-factor authentication codes, and seed phrases from cryptocurrency wallets, and which also functions as a keylogger. Downloading the purported Windows app instead delivers the Aurora and Erbium stealers, as well as the Laplas clipper.
The attack begins with a Wi-Fi authorization app that is in fact Ermac, its malicious code obfuscated and disguised as a browser update. Some of the apps were not Ermac itself but legitimate apps that ran normally while installing Ermac as a payload targeting multiple banking applications.
Apps like this are disguised as modified versions of Instagram, WiFi Auto Authenticator, Football Live Streaming, and so on, and their package names were identical to those used by the legitimate applications. The app functions normally after download; a message then appears saying it needs to be updated, and once the victim accepts the update, the app installs the Ermac malware.
Another campaign employs Zombinder to distribute the Xenomorph banking trojan, which is bundled with an application from a media downloading company, with victims lured in via malicious advertisements. While the legitimate app runs normally for the unsuspecting victim, Zombinder drops and launches Xenomorph.
The sources for this piece include an article in TheHackerNews.