Researchers have identified a new hybrid malware campaign that targets both Windows and Android devices, apparently in an effort to widen the pool of victims.
A ThreatFabric report shared with The Hacker News indicates that several malware families, including ERMAC, Erbium, Aurora, and Laplas, are used in the attacks.
“This campaign resulted in a great many victims,” the Dutch cybersecurity firm said, adding, “Erbium stealer successfully exfiltrated data from more than 1,300 victims.”
The ERMAC infections begin with a fake website that claims to offer Wi-Fi authorization software for Android and Windows. Once installed, the app carries functionality to steal seed phrases from cryptocurrency wallets and other sensitive data.
ThreatFabric also said it discovered a number of malicious apps that were trojanized versions of legitimate apps such as Instagram, used by their operators as droppers to deliver the obfuscated malicious payload.
These bogus apps are said to have been built with Zombinder, an APK binding service that a well-known threat actor has advertised on the dark web since March 2022.
Android banking trojans such as SOVA and Xenomorph, which target customers in Spain, Portugal, and Canada, among other countries, have also been distributed through bound apps of this kind.
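A bound app of the kind described above differs from the original in ways a defender can look for without running it: it cannot carry the legitimate developer's signature, it usually gains an extra DEX file holding the injected loader, and the obfuscated or encrypted stage it drops tends to sit in assets/ as a high-entropy blob. The triage script below is an added example written for this article, not ThreatFabric's tooling or a reproduction of Zombinder's output; the sample "APK" it builds is a constructed zip with only the relevant entries, the signer digest it compares against is a placeholder, and the entropy threshold is a working assumption rather than a published indicator.

```python
"""Triage an APK for signs of repackaging (added example; constructed sample data)."""
import hashlib
import io
import math
import random
import re
import zipfile
from typing import Optional

DEX_RE = re.compile(r"classes\d*\.dex")
V1_SIG_SUFFIXES = (".RSA", ".DSA", ".EC")
ENTROPY_THRESHOLD = 7.5  # assumption: bits/byte above this looks encrypted or packed


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/packed data, lower for code or text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_apk(apk_bytes: bytes, expected_signer_sha256: Optional[str] = None) -> dict:
    """Return DEX list, v1 signer digests and a list of findings for one APK.

    Only the v1 (JAR) signature files under META-INF/ are inspected; v2/v3
    signatures live in the APK Signing Block, which zipfile does not expose.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        names = z.namelist()
        dex_files = sorted(n for n in names if DEX_RE.fullmatch(n))
        sig_files = [n for n in names
                     if n.startswith("META-INF/") and n.upper().endswith(V1_SIG_SUFFIXES)]
        signer_digests = {n: hashlib.sha256(z.read(n)).hexdigest() for n in sig_files}

        # A repackaged app is re-signed by whoever bound it, so the signer changes.
        if expected_signer_sha256 and expected_signer_sha256 not in signer_digests.values():
            findings.append("signer-mismatch")
        # Weak signal on its own: legitimate multidex apps also ship classes2.dex.
        if len(dex_files) > 1:
            findings.append("multiple-dex")
        # Encrypted second stages are commonly parked in assets/.
        for n in names:
            if n.startswith("assets/") and not n.endswith("/"):
                blob = z.read(n)
                if len(blob) >= 1024 and shannon_entropy(blob) > ENTROPY_THRESHOLD:
                    findings.append(f"high-entropy-asset:{n}")
    return {"dex": dex_files, "signers": signer_digests, "findings": findings}


def build_sample_apk(bound: bool, seed: int = 7) -> bytes:
    """Constructed stand-in for an APK: a zip with only the entries the triage looks at."""
    rng = random.Random(seed)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<manifest package='com.example.app'/>")
        z.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 512)
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        if bound:
            z.writestr("classes2.dex", b"dex\n035\x00" + b"\x00" * 512)  # injected loader
            z.writestr("assets/payload.bin", bytes(rng.getrandbits(8) for _ in range(4096)))
            z.writestr("META-INF/CERT.RSA", b"attacker-signing-block")  # placeholder signer
        else:
            z.writestr("META-INF/CERT.RSA", b"legit-developer-signing-block")  # placeholder
    return buf.getvalue()


# Placeholder for the digest of the genuine developer's signature file.
LEGIT_SIGNER = hashlib.sha256(b"legit-developer-signing-block").hexdigest()

if __name__ == "__main__":
    for label, bound in (("clean", False), ("bound", True)):
        print(label, triage_apk(build_sample_apk(bound), LEGIT_SIGNER)["findings"])
```

In practice the expected signer digest comes from a copy of the app obtained from the official store, and the findings should be treated as triage hints rather than a verdict: multidex and packed assets occur in benign apps, while a changed signer is the one signal a bound app cannot avoid.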
Notably, the malicious website distributing ERMAC also offers a Windows download option that installs the Erbium and Aurora information stealers on the compromised system.
Erbium, a malware-as-a-service (MaaS) offering licensed for $1,000 per year, not only steals credit card details and passwords but has also been observed dropping the Laplas clipper, which hijacks cryptocurrency transactions by swapping wallet addresses on the clipboard.
The researchers hypothesize that “the presence of such a wide variety of trojans might also indicate that the malicious landing page is used by multiple actors and provided to them as part of a third-party distribution service.”