With Christmas a few short days away and present buying (hopefully) all but completed, users of Android phones both new and old might need to be extra vigilant with what they download. A cybersecurity team has discovered a form of malware that can steal Google passwords and run a keylogger to pick up passwords used on an Android phone.
What’s worse is that cybercriminals have found a way to attach this malware to legitimate APKs (Android application installers), injecting the malicious “payload” onto a phone while the user installs what is, at face value, a legitimate application. Cybersecurity vendor ThreatFabric found the platform behind this, known as “Zombinder”, on the darknet while investigating a campaign that targeted both Android and Windows users with different types of malware.
The use of Zombinder first came to light when ThreatFabric was investigating a trojan (a type of malware that downloads onto a device disguised as a legitimate program) based on the Ermac Android malware. The researchers discovered that the cybercriminals were using a third-party service, Zombinder, that provided the "glue" binding the malware dropper capabilities to the legitimate app. Once downloaded, the app, now tied to the malware, operated as expected until an update message appeared.
"At this point, if accepted by the victim, the seemingly legitimate application will install this update, which is nothing else than Ermac," researchers at ThreatFabric wrote. "Such a process is achieved by ‘glueing’ [an] obfuscated malicious payload to a legitimate app with minor updates made to original source code to include installation and loading of the malicious payload."
It means that downloading a seemingly innocuous, legitimate piece of third-party software from outside the Google Play Store could give cybercriminals access to Gmail messages and two-factor authentication codes and, because the malware incorporates a keylogger, to passwords and other sensitive information typed on the Android phone.
So far, researchers have said that the Zombinder malware is only affecting multiple banking apps, but the ease with which it can be installed alongside legitimate applications could lead to other applications being targeted. ThreatFabric has seen the malware appear in apps ranging from streaming services to Wi-Fi authenticator tools.
The best advice for avoiding this malware on an Android phone is to always install applications through the Google Play Store or other legitimate digital stores. These apps go through a thorough quality control process that includes checking that no viruses or malware are secretly encoded into the installation packages.
If all else fails: if it doesn’t look legitimate or seems too good to be true, it usually is. Most apps that include malware are found on sites other than official distribution platforms, and some may ask you to enable developer mode and install unsigned packages. If in doubt, stop.
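One practical way to act on the advice above is to check which installed apps did not come from an official store, since an app bound with a dropper like this must have been sideloaded. The script below is an added example, not code from the article or from ThreatFabric. It parses the output of `adb shell pm list packages -i -3` (the installer name Android records for each third-party package) and flags anything not installed by a trusted store. Only Google Play (`com.android.vending`) is trusted by default; the sample device output and the `com.example.*` package and store names are constructed for the demonstration, and the live path assumes `adb` is on the PATH with a device attached.

```python
import re
import subprocess
from typing import Dict, Iterable, List, Optional

# Installer packages treated as official stores. Google Play is com.android.vending;
# pass an extended set to flag_sideloaded() to trust a vendor store as well.
DEFAULT_TRUSTED = frozenset({"com.android.vending"})

# `pm list packages -i` prints one line per app: "package:<name>  installer=<installer>"
# where <installer> is "null" for apps with no recorded installer (e.g. adb install).
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)\s*$")


def parse_pm_list(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when Android recorded no installer)."""
    apps: Dict[str, Optional[str]] = {}
    for raw in lines:
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # skip blank lines and any unrelated shell output
        installer = match.group("installer")
        apps[match.group("pkg")] = None if installer == "null" else installer
    return apps


def flag_sideloaded(lines: Iterable[str], trusted=DEFAULT_TRUSTED) -> List[str]:
    """Return package names whose installer is not one of the trusted stores.

    A manual install through the system package installer, a file manager, or adb
    all end up here, which is exactly the path the article warns about.
    """
    apps = parse_pm_list(lines)
    return sorted(pkg for pkg, installer in apps.items() if installer not in trusted)


def collect_from_device() -> List[str]:
    """Fetch third-party packages with installer info from an attached device (needs adb)."""
    result = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i", "-3"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.splitlines()


# Constructed sample of what `pm list packages -i -3` returns; not real device data.
SAMPLE_OUTPUT = [
    "package:com.example.bank  installer=com.android.vending",
    "package:com.example.streaming  installer=null",
    "package:com.example.wifiauth  installer=com.google.android.packageinstaller",
    "package:com.example.vendorapp  installer=com.example.vendorstore",
    "",
]

if __name__ == "__main__":
    try:
        lines = collect_from_device()
    except (FileNotFoundError, subprocess.CalledProcessError):
        lines = SAMPLE_OUTPUT  # no adb or no device: fall back to the constructed sample
    for pkg in flag_sideloaded(lines):
        print(f"not from a trusted store: {pkg}")
```

On the constructed sample, the banking app installed by Google Play is left alone, while the app with no recorded installer, the one installed manually through the system package installer, and the one from an unknown store are all listed. Trusting a vendor store is a matter of adding its installer package name to the set passed as `trusted`; the check is a starting point for an inventory, not proof that a flagged app is malicious.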