Hackers have developed a clever new way to add malware to Android apps

Android malware on phone
(Image credit: Shutterstock)

Security researchers have discovered a new platform on the dark web that allows cybercriminals to easily add malware to legitimate Android apps.

As reported by BleepingComputer (opens in new tab), the platform has been dubbed ‘Zombinder’ by security researchers at ThreatFabric (opens in new tab) who came across it when investigating a malicious campaign distributing multiple types of malware for Android and Windows.

This campaign uses the guise of trying to help users access internet points by impersonating Wi-Fi authorization portals, but it’s actually used to push several different malware strains to unsuspecting users. 

On its landing page, there are two download buttons: one for Android and one for Windows. If a user clicks on the “Download for Windows” button, they get malware designed for Microsoft’s operating system, and ThreatFabric has seen the Erbium stealer, the Laplas clipper and the Aurora info-stealer distributed this way. Meanwhile, the “Download for Android” button is used to distribute the Ermac malware onto vulnerable phones.

Adding malware to legitimate Android apps

A hacker typing quickly on a keyboard

(Image credit: Shutterstock)

Even though this malicious campaign is something to be aware of, Zombinder is much more interesting due to the potential impact it could have on the Android malware market as a whole. 

First launched in March of this year, Zoombinder is a malware packer that can add malicious code to legitimate Android applications. In the time since its release though, it has become increasingly popular among cybercriminals. 

Unlike on the iPhone where you can’t sideload apps, APK files are used to install apps on Android without having to go through the Google Play Store or other first-party app stores. These files can be downloaded and installed on any Android phone, but you first need to enable the ability to install apps from unknown sources in your phone’s settings.

ThreatFabric’s researchers have observed a fake football streaming app and a modified version of the Instagram app being used by cybercriminals to spread malware that was embedded into both apps using Zombinder. What makes these altered apps particularly dangerous is that the creators of Zombinder claim their platform enables malware-embedded apps to bypass Google Play Protect as well as Android antivirus apps.

If you do download and install one of these apps, it will work like intended but the Ermac malware will be loaded onto your device which can log keystrokes, use overlays to steal your passwords, intercept two-factor authentication (2FA) codes and perform other malicious actions.

How to stay safe from malicious Android apps

The first and most important thing you can do to stay safe from malicious Android apps is to avoid sideloading apps unless it’s absolutely necessary. Sometimes you may have to sideload an app for work or to get a specific product to work, but besides that you shouldn’t be installing any app from unknown sources onto your Android smartphone. It may seem tempting but it’s not worth the risk, especially since so much personal data is now stored on our phones.

Instead of sideloading apps, you should only download new ones from the Play Store or other official app stores like the Samsung Galaxy Store or Amazon Appstore. Still, bad apps do manage to slip through the cracks from time to time which is why you should read reviews, check ratings, visit the sites of app developers and really do your research before installing any new app. At the same time, you should also carefully consider which apps you have installed on your devices. Do you really need this particular app, or can you use a stock app to accomplish the same thing?

Now that cybercriminals have an even easier way to add malware to legitimate Android apps, we’ll likely see even more attacks using modified versions of popular apps going forward.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.