Authentic Android Apps are being trojanized using “Zombinder” Darknet Service (13th December 2022)

Ref# AL2022_87 | Date: Dec 13th 2022


Threat actors can attach malware to trustworthy Android apps via the darknet platform known as “Zombinder,” leading victims to become infected while still accessing the full functionality of the original app to avoid detection. 


According to a ThreatFabric report, the attacks involve the employment of various malware including ERMAC, Erbium, Aurora, and Laplas. A fraudulent website that offers Wi-Fi authorisation software for Android and Windows and, when installed, has features to steal seed phrases from crypto and other sensitive data, is where the ERMAC infections first appear. 

Several malicious apps, including trojanized versions of popular apps like Instagram, were also reported by ThreatFabric, with their operators utilizing them as droppers to spread the malware”s obfuscated payload. 

These malicious apps, known as Zombinder, are alleged to have been created using an APK binding service that has been promoted on the dark web since March 2022 by a well-known threat actor. 

The distribution of Android banking trojans like SOVA and Xenomorph, which target users in countries like Spain, Portugal, and Canada, among others, has been facilitated by such zombie apps. 

It”s interesting to note that the Windows download option on the malicious website that hosts ERMAC is intended to install the Erbium and Aurora information thieves on the affected PC. 

The Zombinder service provider claims that the noxious app bundles made with it are imperceptible in runtime and can bypass Google Ensure alarms or AVs running on the target devices.  

The campaign drops an Ermac payload for Android, able of performing keylogging, overlay assaults, taking emails from Gmail, interference 2FA codes, and taking crypto wallet seed expressions. The presence of such a wide variety of trojans might also indicate that the malicious landing page is used by multiple actors and provided to them as a part of a third-party distribution service,” the ThreatFabric researchers theorized. 


Analysts should remain alert of existing and emerging threat actors including both desktop and mobile threats. 

Administrators can also apply various measures to mitigate the impact of this threat. These include: 

  • Training users on spotting questionable application behaviour, social engineering attempts and guarding against malware infections. 

  • Avoid using admin-level service accounts that are domain-wide.  

  • Block executable files from running unless they meet a prevalence, age, or trusted list criterion. 

  • Use advanced protection against ransomware. 

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary. 

PDF Download: Authentic Android Apps trojanized.pdf