Zombinder is a service for sale on the Dark Web that allows cyber attackers to easily add malware to legitimate apps: the risk is stealing personal information from Android and Windows Operating Systems.

The attackers are launching malicious campaigns to distribute multiple families of malware on Windows and Android platforms. To do so, they use a darknet platform dubbed Zombinder that associates malicious payloads with legitimate Android apps.

Zombinder uses modified versions of Instagram, WiFi Auto Authenticator, Football Live Streaming, VidMate and popular banking apps on which it embeds malicious code.

Several malicious Web sites were identified. The pages carried links in the form of buttons, such as “Download for Android” or “Download for Windows.” Clicking on them downloads a modified version of an APK of the legitimate app (with which it presents itself to the unsuspecting public) with obfuscated payload code.

After installation, the app works normally and displays a message that the app needs to be updated. At this point, if the victim accepts, the seemingly legitimate app will install the update or a plugin, which is highly sophisticated malware.

Among the types of payloads detected, Android malware such as Sova trojan, Xenomorph trojan, and Ermac (a new Ermac.C variant) are found in the search. If the visitor clicks on “Download for Android,” Windows malware such as Erbium stealer, Laplas clipper and Aurora info-stealer are downloaded.

The campaign resulted in thousands of victims, which demonstrated the common element in the Erbium info stealer that successfully exfiltrated the data of more than 1,300 victims.

It is good to remember that users can protect themselves from Zombinder and other similar malware by avoiding third-party app download sites and APKs; in fact, reputable developers do not use to upload their apps to such sites, so most of them are placed by third parties, probably without permission and with dubious purposes.