Malware as a Service: Darknet Hacker Ads Malware To APKs

Rate our article

One of the greatest issues with Apple is that users are forced to download all their software directly from the Apple App store giving Apple even more of your data. And while they claim to keep your data secure, the most valuable business in the world didn’t get there by being the nice guy. That being said, at the moment, Darknet websites have offered a new service that iOS devices won’t be prone to. Malware in APKs.

Darkner Malware Feels Like The Early 2000’s

About a week ago, the anti-fraud and risk suite company “ThreatFabrics” found a new type of malware on multiple Android users and Windows devices. This new Malware they’ve dubbed “the Zombinder” works similarly to the trojan “Ermac” that made its way around the internet back in August 2021, but it’s much harder to track, and it’s spreading way more quickly. 

This is the sort of trojan that was popular in the early internet era’s. However, a service as such is way less effective in 2022. Computers and mobile devices have progressed drastically in their built-in cyber security for fraud prevention. Yet, these hackers still find ways to distribute Trojans. 

While analyzing the activity of the Android banking Trojan Ermac, ThreatFabric’s analysts discovered a campaign employing several Trojans, and targeting both Android and Windows users at the same time, in order to reach as many victims as possible.

ThreatFabric’s Researcher Press Release

The Darknet hackers provide this Zombinder trojan as a malware service. The customer simply needs to provide the APK to the vendor, and from there, they’ll bind the Zombiner malware to legitimate Android apps. 

Downloading Malware Requires WiFi?

Although the darknet customer can make requests to change what information the trojan gathers, its main purpose is to track information on Android Banking apps, and cryptocurrency wallets along with two-factor authentication app details. One of the most recent apps to include the Zombinder trojan is Erbium Stealer. According to ThreatFabric, atleast 1300 users fell victim to the APK-based trojan

One of the ways that scammers “forced” users into downloading the malicious software onto their devices was by redirecting public Wifi pages to a website. 

The “Wi-Fi Atorisation” website (with a misspelling of “authorization”) gave users just two options.

“Download for Android” and “Download for Windows”

For this particular app, the Trojan would gather the following information at all stages while installed on the Android device. 

  • Overlay attacks that steal PII
  • Keylogging Details
  • Collecting Information from  e-mails from Gmail
  • 2FA codes from their apps (Google Auth)
  • Grabbing seed phrases from several cryptocurrency wallets

How does it work? According to ThreatFinder

Threat Actor uses a third-party service provided on the darknet to “glue”, or bind, dropper capabilities to a legitimate application. After downloading the bound application, it will act as usual unless it shows a message stating that the app needs to be updated

ThreatFabric Report

The soccer world cup has played a huge role in the trojan’s recent success. According to FIFA, over 3.5 Billion people watched the FIFA world cup in 2018. In 2022, that number is likely to increase, and this creates a massive platform for hackers to utilize. 

Search results for ” Live football streaming app” have jumped by atleast 1200%. In the websites offering illigal streaming services, the options to download these trojan applications have increased drastically. 

This was the case with “com.aufait.footballlivestream”

Darknet Malware Lucrative Enough

The Darknet vendor that offers the Zombinder service is known as “Threat Actor,” and he was charging clients atleast $5K/month to rent out the trojan (As per information found on Darknet Forums) . As far as ThreatFabric can tell, atleast 467 applications have the trojan. 

Threat Actor would earn $2.33 million per month from this single trojan, making it a very profitable trojan. The earliest traces of Threat Actor’s Zombinder go back to March 2022. Zombinder has grown immensely, which means it’ll likely be patched up by the Android team soon. 

With that being said, the original bender has already announced that he’s working on the next version of the trojan which should include new and improved features.

In promoting the Zombinder service, here’s what Threat Actor had to say. 

You are welcome to our APK binding service!

Why do you need the APK binding?

In general, the binding is needed to install your bot via making a potential victim feel more safe and trust the legitimate software in which your android bot will be embedded.

While creating the binder, the main goal was to code a universal binder that would allow to bind an android bot with almost any legitimate application.

The main requirement to the legitimate application – it should be possible to decompile/re-compile it with apktool.

Main ADVANTAGES of our binder:

– Runtime/Scantime fud

Runtime fud is reached by encrypting your android bot BEFORE binding it. Here, we also offer the bypass of Google Protect alerts and the bypass of the embedded AVs on devices from different manufacturers.

Zombinder Promotional Material

Windows Need A Cleaning

But Zombinder isn’t just for the Android APKs; He also offers services for Windows. The Windows version of Zombinder do work quite differently and uses unique ways to inject the Trojans. According to ThreatFabric, “this campaign has another unique characteristic that we had not observed before and that attracted our attention.”

The desktop version of the Trajan included multiple features.

  • Erbium Stealer: Software that steals passwords, credit card details, cookies, and even offline crypto wallet details. 
  • Laplas Clipper: A new unique darknet software that swaps out wallet addresses online. So when the user adds his wallet address and taps send, the software swaps the address to their own. This makes the trojan less obvious to the users.
  • Aurora Stealer: The software is simple, but it’s about a 300 MB download, so it looks less suspicious to anti-viruses. The Aurora Stealer includes Polymorn Compilations, server data decryption, grabs crypto wallet details (i.e, Metamask) collects passwords and runs TCP sockets.

Conclusions: Darknet Malware Works

All of the banks and apps that Zombinder attacks and steals from are listed on the ThreatFabric Report if you’d like to see them. It’s interesting to see such Trojans still available today, but whether the software will last is another question. We wouldn’t be surprised if Threat Actor is captured or his software loses its ability within the next few months.