JAKARTA - ERMAC banking Trojans were found infiltrating legitimate Android apps to lure users into installing malware that is difficult to detect by security tools aka anti-virus, through third-party dark web service providers dubbed Zombinder.
Researchers from cybersecurity firm ThreatFabric studied Zoominder while investigating another malware deployment campaign using ERMAC banking trojans. They, targeting Android and Windows users.
The research resulted in evidence of a campaign distributing desktop malware including Erbium, Aurora thief, and Laplas clipper, along with ERMAC.
When investigating ERMAC activity, researchers looked at an attractive campaign that disguised itself as an app for football streaming services to Wi-Fi authentication tools. The malware package attached to it also carries the same name as the legitimate app.
It was distributed over a fake one-page website containing only two buttons. These buttons act as download links to the Android version of the dimmy app developed by ERMAC, which is useless for end users but is designed to record key suppression, as well as steal two-factor authentication code (2FA), email credentials and bitcoin wallets.
Some of the malicious apps available from Zombinder are most likely the responsibility of ERMAC core developer DukeEugene. Researchers also found several applications disguised as legitimate Instagram apps, as well as other apps that have lists on the Google Play Store.
Furthermore, as is often the case in malware campaigns, Droppers obtained from the dark web are used by threat actors so that their app can avoid detection, in this case Zombinder.
Droppers installs what is functionally a clean version of the app, but then gives users an update that then contains malware.
Launching TechRadar, Wednesday, December 14, this is a smart delivery system, especially with apps claiming to come from trusted common vendors like Meta, as users are more likely to install updates from app developers they know.
According to ThreatFabric, the special Dropper service was announced in March 2022 and became popular among threat actors.
Attacks occur because Android has an open nature, where users can install apps obtained from repositories other than the Google Play Store, and even from app developers themselves.
The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language. (system supported by DigitalSiber.id)
