Are you sure that's Instagram? This nasty malware latches on to legit apps and steals your data

Android malware
(Image credit: Getty Images/GoodLifeStudio)

Cybersecurity researchers at ThreatFabric discovered a new threat dubbed "Zombinder" that lets cybercriminals bind malicious software to legitimate Android apps, wreaking havoc on your Android device.

Zombinder sounds like a living-dead menace for a reason. It's a third-party service on the darknet that deploys nasty malware entities like Ermac. It quietly makes its way into quarries' Android devices, but once it bites, all hell breaks loose.

Watch out for Zombinder and its weapon of choice: Ermac

So what, exactly, is Ermac? It's a dangerous data-stealing malware. The sample that ThreatFabric discovered during its investigation can snatch personal identifiable information, grab your emails from the Gmail app, spy on your two-factor authentication codes, and steal your seed phrases from numerous crypto wallets. Yikes!

ThreatFabric researchers found Ermac bound to legitimate Android applications, including Instagram. How does this happen? As mentioned, Zombinder is a darknet service, and it's unleashing APK files that feature genuine Android apps with malicious software. 

"After downloading the bound application, [the app] will act as usual," ThreatFabric warned. However, the app will eventually show a message indicating that it needs to be updated. Once the victim accepts this "update," the app will install something sinister. It's not really an update, of course — it's the dreaded Ermac malware.


ThreatFabric (Image credit: ThreatFabric)

ThreatFabric also discovered Ermac masquerading as a fake Wi-Fi authorization application, distributed via a fraudulent one-page website containing only two links. Once the user clicks "Download for Android," they're done for. (Clicking the "Download for Windows" button leads to the victim downloading a host of Windows trojans, including Ebrium Stealer and Laplas Clipper.)

Ermac isn't the only malicious Android hazard ThreatFabric found during its investigation. Researchers found the Xenomorph banking trojan glued to a legitimate app called VidMate, a free app that lets you download online videos. Cybercriminals rolled out an inauthentic page that mimics VidMate's real website, baiting victims to download the infected file.


VidMate distributing Xenomorph (Image credit: ThreatFinder)

And trust me, you don't want Xenomorph on your device. This nasty malware is an Android banking trojan that steals your credentials from banking applications.

The Zombinder campaign kicked off in the cybercriminal community in March 2022, and now it's growing in popularity among threat actors. Be sure to check out our best mobile antivirus apps to protect yourself and your devices from malicious hackers.

Kimberly Gedeon

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!