A darknet platform called “Zombinder” allows threat actors to attach malware to legitimate Android applications, infecting victims while keeping the app’s full functionality intact.
ThreatFabric discovered this new platform after it spotted malware campaigns on Android and Windows that distributed multiple malware families.
The campaign uses sites posing as Wi-Fi authorization portals that supposedly let users connect to the internet; they are intended to lure people into downloading various malware families. The site prompts the visitor to choose between a Windows and an Android version of the “application”, both of which are actually malware.
The operation has claimed thousands of victims, and Erbium stealer infections have stolen data from over 1,300 computers.
Landing page distributing malware (ThreatFabric)
Zombinder for Android
The darknet service, which the researchers named “Zombinder”, offers to bind malicious APKs to legitimate Android apps. This is the most interesting part of the campaign.
Zombinder was launched on March 20, 2022, as a malware packager for APK files, and ThreatFabric says it is becoming increasingly popular within the cybercrime community.
The campaign used several different APKs: analysts reported seeing fake streaming apps for live football and a modified version of the Instagram app.
Because the legitimate software’s functionality is not removed, these apps still work as expected; Zombinder simply adds a malware loader to their code.
To avoid detection, the loader is disguised: when the user opens the app, the loader prompts them to install a “plugin”. If the user accepts the prompt, the loader launches the malicious payload in the background.
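A repackaged app of the kind described above has to differ from the developer’s own build in two observable ways: the binder must add its loader code to the archive, and because any change to an APK invalidates the original signature, it must re-sign the package with its own key. The following is an added example, written for this page and not code from ThreatFabric or from the article, showing how a defender with access to a known-good build can flag those differences. It assumes the v1 (JAR) signature layout under META-INF/, and the two sample APKs are constructed inline as minimal zip archives, not real apps.

```python
"""Compare a suspect APK against a trusted build of the same app.

Added example (not from the article or ThreatFabric). A binder that injects a
loader into a legitimate app changes the archive's code entries and must
re-sign the package, so both the signing blocks and the code digests differ.
"""
import hashlib
import io
import zipfile

# Entries whose addition or modification means executable code or app
# structure changed. This prefix list is an assumption for the example.
CODE_PREFIXES = ("classes", "lib/", "AndroidManifest.xml")


def build_apk(entries):
    """Construct a minimal APK-shaped zip in memory (sample data, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map every file entry in the archive to its SHA-256 digest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return {
            info.filename: hashlib.sha256(z.read(info.filename)).hexdigest()
            for info in z.infolist()
            if not info.is_dir()
        }


def signer_blocks(digests):
    """Digests of the v1 signature blocks, which embed the signer's certificate."""
    return {
        name: digest
        for name, digest in digests.items()
        if name.startswith("META-INF/") and name.upper().endswith((".RSA", ".DSA", ".EC"))
    }


def compare_apks(trusted_apk, suspect_apk):
    """Return a list of findings describing how suspect_apk differs from trusted_apk."""
    trusted = entry_digests(trusted_apk)
    suspect = entry_digests(suspect_apk)
    findings = []

    # Any modification to the archive invalidates the developer's signature,
    # so a repackaged app always carries a different signing block.
    if signer_blocks(trusted) != signer_blocks(suspect):
        findings.append("signing certificate changed")

    for name in sorted(suspect):
        if not name.startswith(CODE_PREFIXES):
            continue
        if name not in trusted:
            findings.append(f"added code entry: {name}")
        elif suspect[name] != trusted[name]:
            findings.append(f"modified code entry: {name}")

    for name in sorted(trusted):
        if name.startswith(CODE_PREFIXES) and name not in suspect:
            findings.append(f"removed code entry: {name}")
    return findings


# Constructed sample: the developer's own build of a streaming app.
LEGIT_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.stream'/>",
    "classes.dex": b"dex\n035\x00original app code",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/DEV.RSA": b"developer certificate (constructed)",
})

# Constructed sample: the same app after a binder added a loader and re-signed it.
# The original classes.dex is untouched, which is why the app keeps working.
REPACKAGED_APK = build_apk({
    "AndroidManifest.xml": b"<manifest package='example.stream'><service/></manifest>",
    "classes.dex": b"dex\n035\x00original app code",
    "classes2.dex": b"dex\n035\x00injected loader that asks to install a plugin",
    "res/layout/main.xml": b"<LinearLayout/>",
    "META-INF/ATTACKER.RSA": b"attacker certificate (constructed)",
})

if __name__ == "__main__":
    for finding in compare_apks(LEGIT_APK, REPACKAGED_APK):
        print(finding)
```

The comparison is deliberately coarse: it does not parse the certificate or the DEX files, it only tells an analyst that the package was re-signed and where new code landed, which is enough to refuse the install and hand the sample to a sandbox. A production check would pin the expected signer fingerprint rather than require a full trusted APK on hand.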
Streaming app used in the campaign (ThreatFabric)
According to Zombinder, malicious app bundles created with it can be detected at runtime by Google Play Protect and other antivirus products on target devices.
Zombinder service promotional post (ThreatFabric)
The campaign drops a payload onto Android devices that is capable of keylogging, overlay attacks and stealing emails from Gmail.
Windows malware
Clicking “Download for Windows” instead downloads Windows malware.
ThreatFabric has seen the and the as well as the .
All of these malware strains are highly dangerous, capable and under active development, and they can be rented by cybercriminals for as little as $100 per month.
Given the overlap in these strains’ capabilities, threat actors are likely to experiment with different tools to find the one that suits them best.
Commodity malware is now so easy to access that even the most experienced threat actors can quickly swap tools, expand their portfolios and invest more.
ThreatFabric believes the large number of trojans delivered through different landing pages could indicate that a single third-party malware distribution service is serving many threat actors.