Hackers have developed a clever new way to add malware to Android apps

[Image: Android malware on phone. Image credit: Shutterstock]

Security researchers have discovered a new platform on the dark web that allows cybercriminals to easily add malware to legitimate Android apps.

As reported by BleepingComputer, the platform has been dubbed ‘Zombinder’ by security researchers at ThreatFabric who came across it when investigating a malicious campaign distributing multiple types of malware for Android and Windows.

This campaign poses as a service that helps users get online by impersonating Wi-Fi authorization portals, but it’s actually used to push several different malware strains to unsuspecting users.

On its landing page, there are two download buttons: one for Android and one for Windows. If a user clicks on the “Download for Windows” button, they get malware designed for Microsoft’s operating system, and ThreatFabric has seen the Erbium stealer, the Laplas clipper and the Aurora info-stealer distributed this way. Meanwhile, the “Download for Android” button is used to distribute the Ermac malware onto vulnerable phones.

Adding malware to legitimate Android apps

[Image: A hacker typing quickly on a keyboard. Image credit: Shutterstock]

Even though this malicious campaign is something to be aware of, Zombinder is much more interesting due to the potential impact it could have on the Android malware market as a whole. 

First launched in March of this year, Zombinder is a malware packer that can add malicious code to legitimate Android applications. In the time since its release, it has become increasingly popular among cybercriminals.

Unlike the iPhone, where you can’t sideload apps, Android lets you install apps from APK files without going through the Google Play Store or other first-party app stores. These files can be downloaded and installed on any Android phone, but you first need to enable installation of apps from unknown sources in your phone’s settings.

ThreatFabric’s researchers have observed a fake football streaming app and a modified version of the Instagram app being used by cybercriminals to spread malware that was embedded into both apps using Zombinder. What makes these altered apps particularly dangerous is that the creators of Zombinder claim their platform enables malware-embedded apps to bypass Google Play Protect as well as Android antivirus apps.

If you do download and install one of these apps, it will work as intended, but the Ermac malware will be loaded onto your device as well. Ermac can log keystrokes, use overlays to steal your passwords, intercept two-factor authentication (2FA) codes and perform other malicious actions.

How to stay safe from malicious Android apps

The first and most important thing you can do to stay safe from malicious Android apps is to avoid sideloading apps unless it’s absolutely necessary. Sometimes you may have to sideload an app for work or to get a specific product to work, but besides that you shouldn’t be installing any app from unknown sources onto your Android smartphone. It may seem tempting but it’s not worth the risk, especially since so much personal data is now stored on our phones.

Instead of sideloading apps, you should only download new ones from the Play Store or other official app stores like the Samsung Galaxy Store or Amazon Appstore. Still, bad apps do manage to slip through the cracks from time to time, which is why you should read reviews, check ratings, visit the sites of app developers and really do your research before installing any new app. At the same time, you should also carefully consider which apps you have installed on your devices. Do you really need this particular app, or can you use a stock app to accomplish the same thing?
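One practical way to act on the advice above is to audit a phone for apps that did not come from an official store. The script below is an added example (not code from the article, ThreatFabric or Tom’s Guide): it parses the output of `adb shell pm list packages -3 -i`, which lists third-party packages together with the package that installed them, and flags anything whose installer is not one of the store packages named in this article. The store package names are real identifiers, but the trusted set and the sample device output are assumptions constructed for the example; an organization using an MDM or OEM store would extend the set.

```python
"""Flag third-party Android packages that were not installed by a trusted app store.

Added example, not from the article. Intended input is the output of
`adb shell pm list packages -3 -i` from a phone with USB debugging enabled.
Each line has the form `package:<name>  installer=<installer package or null>`.
`-3` restricts the list to third-party apps, so preinstalled system apps
(which also report installer=null) do not produce false positives.
"""
import re
import sys

# Installer package names for the official stores the article recommends.
# These identifiers are real; treating them as the complete trusted set is an
# assumption for this example (add OEM stores or an MDM installer as needed).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play Store
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
    "com.amazon.venezia",               # Amazon Appstore
}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_output(text):
    """Return {package: installer} parsed from `pm list packages -i` output.

    Lines that do not match the expected shape are skipped. An installer of
    'null' means no installing package was recorded, which is what a manual
    APK install via adb typically leaves behind.
    """
    result = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            result[match.group("pkg")] = match.group("inst")
    return result


def find_sideloaded(text, trusted=TRUSTED_INSTALLERS):
    """Return a sorted list of (package, installer) for packages whose
    installer is not in the trusted store set, i.e. sideloaded apps."""
    packages = parse_pm_output(text)
    return sorted((pkg, inst) for pkg, inst in packages.items() if inst not in trusted)


# Constructed sample output for demonstration; not captured from a real device.
SAMPLE_PM_OUTPUT = """\
package:com.instagram.android  installer=com.android.vending
package:com.example.footballstream  installer=null
package:com.example.instagram.mod  installer=com.google.android.packageinstaller
package:com.example.sec.sample  installer=com.sec.android.app.samsungapps
"""


if __name__ == "__main__":
    # Usage: adb shell pm list packages -3 -i | python audit_sideloaded.py
    #    or: python audit_sideloaded.py saved_output.txt
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for pkg, inst in find_sideloaded(data):
        print(f"{pkg}\tinstaller={inst}")
```

On the constructed sample, the two packages installed outside the official stores are reported (the one with no recorded installer and the one installed through the system package installer, which is what you see after opening a downloaded APK). Note the limit of this check: it identifies how an app arrived on the phone, not whether it is clean, so a repackaged app that did make it into an official store would not be flagged.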

Now that cybercriminals have an even easier way to add malware to legitimate Android apps, we’ll likely see even more attacks using modified versions of popular apps going forward.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
