Zombinder Platform Enables Trojanization of Legitimate Android Apps

Security experts from ThreatFabric have reported on the Zombinder platform, which is gaining popularity on the dark web. Zombinder allows cybercriminals to bind malware to legitimate Android applications, and the creators of the service claim that the resulting malicious apps are undetectable.

The story began when specialists noticed a new malicious campaign targeting both Windows and Android users, distributing several malware families at once, including the Erbium and Aurora stealers, the Laplas clipper, and the Ermac banking trojan.

Infections occur through websites disguised as Wi-Fi authorization portals, which supposedly help users connect to access points. These sites prompt victims to download an app for Windows or Android, allegedly required to continue, but in reality, they distribute various types of malware. According to researchers, thousands of users have already been affected by this campaign, and the Erbium stealer alone managed to steal data from 1,300 individual machines.

How Zombinder Works

While analyzing this campaign, experts discovered an interesting aspect: the Android apps used by the attackers were created using the Zombinder platform, which offers the ability to bind a malicious dropper to legitimate Android applications. Researchers say Zombinder was launched in March 2022 and is becoming increasingly popular among hackers.

The APK files used in this campaign varied. Analysts observed a fake live football streaming app and modified versions of social media applications. All of them functioned properly, as the original app’s functionality was not removed or affected—Zombinder simply adds a malware loader to the original code.

The loader is obfuscated to hinder detection. When the user launches the app, the loader displays a prompt asking them to install a supposed plugin; if they accept, the loader installs the malicious payload on the device and then runs it in the background.
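The binding technique described above leaves structural traces in the repackaged APK: the original code is kept, a loader is added, and the real payload has to be stashed somewhere inside the package (or fetched later) and installed through a "plugin" prompt. The following triage script is an added example, not code from ThreatFabric or from the Zombinder service, and it does not reproduce the loader itself. It is a heuristic scanner that walks an APK (a ZIP file) and flags DEX files outside the standard classesN.dex naming, archives hidden under assets/ or res/raw/, and a manifest that requests REQUEST_INSTALL_PACKAGES, the permission a side-loading "plugin" prompt needs on Android 8 and later. The sample APKs it scans are constructed in memory and are not real apps; the stash locations and the manifest string check are assumptions about typical droppers, not details taken from the page. AXML manifests store strings in UTF-16LE (aapt) or UTF-8 (aapt2), so both encodings are searched without parsing the binary XML.

```python
import io
import re
import zipfile

# Magic bytes that identify the payload types a bound loader typically carries.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"
# Permission needed (Android 8+) to show the "install plugin" dialog for a sideloaded APK.
# Assumption: checked as a raw string inside the binary manifest, not via a real AXML parser.
INSTALL_PERM = "android.permission.REQUEST_INSTALL_PACKAGES"
# Directories where droppers commonly hide a second-stage APK or DEX (assumption).
STASH_DIRS = ("assets/", "res/raw/")


def is_standard_dex(name):
    """True for the DEX names the Android build tools produce: classes.dex, classes2.dex, ..."""
    return re.fullmatch(r"classes\d*\.dex", name) is not None


def scan_apk(apk_bytes):
    """Return a list of human-readable findings for an APK given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = zf.namelist()
        for name in names:
            if name.endswith("/"):
                continue  # directory entry
            with zf.open(name) as fh:
                head = fh.read(8)
            lower = name.lower()
            # A DEX that is not classesN.dex at the root is a classic hidden loader or payload.
            if head.startswith(DEX_MAGIC) and not is_standard_dex(name):
                findings.append(f"hidden DEX: {name}")
            # A ZIP-structured file under assets/ or res/raw/ may be an embedded APK payload.
            if head.startswith(ZIP_MAGIC) and lower.startswith(STASH_DIRS):
                findings.append(f"embedded archive (possible APK payload): {name}")
        if "AndroidManifest.xml" in names:
            manifest = zf.read("AndroidManifest.xml")
            if (INSTALL_PERM.encode("utf-16-le") in manifest
                    or INSTALL_PERM.encode("utf-8") in manifest):
                findings.append("manifest requests REQUEST_INSTALL_PACKAGES")
    return findings


def build_sample_apk(bound):
    """Constructed sample (not a real app): a minimal APK-shaped ZIP.

    With bound=False it mimics a clean app; with bound=True it mimics the same app
    after a loader and a stashed payload were added to it.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Fake binary-XML manifest: AXML header magic followed by a UTF-16LE string.
        manifest = b"\x03\x00\x08\x00" + "com.example.football".encode("utf-16-le")
        if bound:
            manifest += INSTALL_PERM.encode("utf-16-le")
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", DEX_MAGIC + b"035\x00" + b"\x00" * 32)
        zf.writestr("res/layout/main.xml", b"\x03\x00\x08\x00")
        if bound:
            payload = io.BytesIO()
            with zipfile.ZipFile(payload, "w") as pz:
                pz.writestr("classes.dex", DEX_MAGIC + b"035\x00")
            zf.writestr("assets/plugin.apk", payload.getvalue())   # stashed second-stage APK
            zf.writestr("assets/loader.bin", DEX_MAGIC + b"035\x00")  # DEX under a misleading name
    return buf.getvalue()


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_apk(False)), ("bound", build_sample_apk(True))):
        print(label, scan_apk(sample))
```

Treat every hit as a lead for manual review rather than a verdict: legitimate apps ship ZIP assets and some (app stores, enterprise launchers) genuinely request REQUEST_INSTALL_PACKAGES. The strongest signal in practice is combining these heuristics with a comparison against the publisher's original APK, since a bound app keeps the original code but is necessarily re-signed with a different certificate.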

Bypassing Security and Spreading Malware

The creators of Zombinder claim that such malicious apps cannot be detected at runtime and that they bypass Google Play Protect and antivirus software running on victims' devices. These are the service's own advertising claims, not something the researchers confirmed.

As mentioned above, this method is used to spread the Ermac banking trojan among Android users. Ermac is capable of keylogging, overlay attacks, stealing emails from Gmail, intercepting 2FA codes, and stealing seed phrases from cryptocurrency wallets. Similarly, Zombinder helps spread the Xenomorph banking trojan and the Sova malware.

If a victim chooses to download software for Windows from the attackers’ site, their machine simply receives one of the aforementioned desktop malware variants (Erbium, Aurora, or Laplas). Zombinder is not involved in this part of the campaign.

Researchers suggest, “Such a variety of trojans may indicate that the malicious landing page is used by several cybercriminals and is provided to them as part of a third-party malware distribution service.”
