Android apps are being “poisoned” by this awful malware

Droppers are nothing new, but keep coming back


Researchers have discovered a program that’s binding malware to legitimate Android applications.

As reported by The Register, analysts for cybersecurity firm ThreatFabric learned of the “Zombinder” service while investigating another malware spread campaign using the ERMAC banking trojan, malware that TechRadar Pro has previously reported on.

In their report, the researchers said “while investigating ERMAC’s activity, our researchers spotted an interesting campaign masquerading as applications for Wi-Fi authorization. It was distributed through a fake one-page website containing only two buttons.”

ERMAC and Droppers

These buttons acted as download links for Android versions of ERMAC-developed “dummy” applications, which are useless to the end user but are designed to log keystrokes, as well as steal two-factor authentication (2FA) codes, email credentials and bitcoin wallet seed phrases, amongst other things.

However, while some of the malicious apps available from the platform are likely the responsibility of core ERMAC developer DukeEugene, the team also found that some of the apps were disguised as legitimate instances of the Instagram app, as well as other applications that have listings on the Google Play Store.

As is often the case with malware campaigns, a “dropper” obtained from the dark web, in this case Zombinder, is being used by the threat actors so their apps can evade detection. Droppers install what is functionally a clean version of the app, but then prompt the user to install an update that contains the malware.

This is a clever delivery system, particularly with apps that purport to be from common, “trusted” vendors like Meta, as users are more likely to install an update from app developers they recognise.


This particular dropper service was announced in March 2022 and, according to ThreatFabric, has already become popular with a number of threat actors.


“Dropper” attacks are largely made possible because of the “open” nature of Android allowing users to “sideload” apps obtained from repositories other than the Google Play Store, and even from app developers themselves.

While this open ecosystem benefits security-conscious users, those who see it purely as a means of pirating applications that usually cost money, for instance, can become easy pickings for threat actors armed with banking trojans, who are then free to steal data, credentials and even money from them.

Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.
