back to article Legit Android apps poisoned by sticky 'Zombinder' malware

Threat researchers have discovered an obfuscation platform that attaches malware to legitimate Android applications to lure users to install the malicious payload and make it difficult for security tools to detect. Analysts with cybersecurity vendor ThreatFabric found the platform, named "Zombinder," on the darknet while …

  1. Jou (Mxyzptlk) Silver badge


    A website which only offers "download Android or Windows" without the usual "you must register", the usual "click here, and then here, and then there, dammit where is the download button now?", without five redirections which end up in 404 and so on? Of course they download it. If the legit sites weren't so bad those simple sites would disappear (or use a different trick). Try getting the newest stuff from IBM for a server, or Intel to name two annoying examples.

  2. Graham Dawson Silver badge

    Because, as everyone knows, the app store has never, ever hosted malware of any sort. To say otherwise is misinformation and should see you purged from the internet. So spake Goo'gol.

  3. bryces666

    Righteous do gooders...

    The app store is so squeaky clean that it won't host apps real people might like to use (e.g. gambling, porno, etc) so people are forced to resort to apps from outside the relative safety of the app store. So Google training us to get apps outside of their store is OK and then it is our fault for sourcing apps in this fashion.

  4. Kevin McMurtrie Silver badge

    To hell with Google

    Google Play Store prohibits apps from using APIs as a way to manipulate competition. I have apps that need fast microSD access but Google hasn't allowed that in over a year. They require apps to use APIs with severely throttled performance.

    Download apps from F-Droid or the developer and they work perfectly.

    I honestly don't think Google has a plan. They want to sell cloud services and siphon data but they're dumbing Android down so much that there's no advantage left over iOS. It's like a boring iPhone, but buggier.

    1. Charlie Clark Silver badge

      Re: To hell with Google

      Other reasons for going outside Play Store: avoid some of the fairly arbitrary geo-blocking that is out there. And some developers prefer to provide APKs directly. For example, Telegram provides a version on its own website without restrictions that I think Google is forced by some governments to require.

  5. Falmari Silver badge

    Wise words from Chris!

    "Malware as a service is a growing problem, allowing any bad actors to cause havoc with little to no programming skills," Hauk told The Register. "This is why users should never install apps from outside of the Google Play Store. ®"

    Wise words indeed, from Chris Hauk, consumer privacy champion at Pixel Privacy.

    WTF is Chris Hauk and Pixel Privacy and for what reason is he quoted at the article's end?

    He is not one of the researchers/analysts investigating Zombinder. Neither is he an advocate for one of the large consumer rights or privacy organizations. He is consumer privacy champion at Pixel Privacy whose website does not ask for consent before it tries to download cookies to my PC like Google Tag Manager. So his opinions on side loading are just that his opinions, no more relevant than a bloke's down the pub.

    The reason the quote is there is to give credence to the article subheading "Sure, go ahead and load APKs instead of using an app store. You won't enjoy the results" and for all we know Chris is just someone the author of the article knows from the pub.

    1. Anonymous Coward
      Anonymous Coward

      Re: Wise words from Chris!

      >for all we know Chris is just someone the author of the article knows from the pub.

      If you can't trust someone you know from the pub, then who's left?

      1. RFC822

        Re: Wise words from Chris!

        It worked for most of our PPE procurement...

    2. Anonymous Coward
      Anonymous Coward

      Re: Wise words from Chris!

      To be fair, the article reads like it was written in the pub after a few.

    3. Dan 55 Silver badge

      Re: Wise words from Chris!

      Pixel Privacy is an SEO name (want to know about privacy on Pixel phones, what two words would you use?) so that's really trustworthy and El Reg must know about F-Droid by now given that every time one of these stores appears about how terrible alternative app stores appears it's mentioned, but it drives engagement...

      1. Jamie Jones Silver badge

        Re: Wise words from Chris!

        Yes. That rather glib comment he made, telling us off for installing from outside the play store sounded like part of an agenda.

        Do you think that there are moves to block third party installs, and Google are testing the water?

        Google already restrict more and more from each version of Android to the next, it's getting crazy.

        If a user clicks yes to "this program wants permissions to send all your emails to us" then who is really to blame?

  6. Lil Endian Silver badge


    Down with Ermacs! VIM Rules!

    1. MiguelC Silver badge


      It's VIRM!

  7. Wade Burchette

    Greedy advertisers

    "The most recent campaign using Zombinder distributed the Xenomorph banking trojan glued to the application from a media downloading company, with the victim lured through malicious ads."

    Once again, greedy advertisers put our security at risk. It seems that once they get paid, the ad runs, no questions asked. Between this and malvertising, is it any wonder why people would use ad-blockers? It is real simple, advertisers: you need to verify the identity of the person paying you, verify what the ad is doing, and carefully examine where the link goes to before you allow the ad to run. And once do all that, do not allow anything to change without another thorough vetting process.

  8. john.w

    Banking Apps

    Never liked the idea of carrying around access to all by banking in my pocket. Decided to use a nice clean spare phone for the apps that are now necessary as no other support is provided by the bank. If only I could remember the safe place I put the phone.

    1. Lil Endian Silver badge

      Re: Banking Apps (+SPS)

      Ah, Safe Place Syndrome! I too am a sufferer!

      I really don't understand why users/companies want to go down the app route over web portals, banks especially considering the risk/loss potential. Loads of unknown native code (on my device), which we accept cannot be considered bug free and I can't audit, creating potential attack vectors - versus plain old web (browser: vulnerable too but only one point to secure).

      Are push notifications really that important to Josephine Blogs?

      I'm happy to be called out of date or whatever. But as a programmer that's 100% focussed on infosec[1] I'm going to remain paranoid, regardless.

      as no other support is provided by the bank - no alternatives for banking? That sucks.

      [1] No, not "cybersecurity" FFS >:|

      1. Lil Endian Silver badge

        InfoSec vs Cybersecurity

        Yes, I understand there's a definitive difference.

      2. Anonymous Coward
        Anonymous Coward

        Re: Banking Apps (+SPS)

        Banks argue that the security of using their app on a phone is significantly higher than using a web browser that may have been infected by one or many of the dodgy sites their users may have frequented.

        Not willing to entrust banking credentials to my phone personally, but their logic sounds plausible.

        Neither am I sure about being willing to trust a financial institution that claims their app contains no bugs, or hasn't been compromised, and ends up victim blaming and gaslighting the customer for financial losses incurred as a result, cough Santander. In this particular case, it is believed the root cause was that the victim's SIM was transferred to an alternative phone, thereby not requiring the user's PIN, and allowing the thief to read OTP SMSs from the bank - massive security hole :(((

        Santander - a bank that doesn't even use multi-factor authentication.

        1. Jou (Mxyzptlk) Silver badge

          Re: Banking Apps (+SPS)

          > Not willing to entrust banking credentials to my phone personally, but their logic sounds plausible.

          The banks here all offer an alternative device for two factor, so I don't need my spyphone for that. Can only speak for Germany though. Caveat: That extra device is not free, somoewhere 'round the 20€ region, but that is worth keeping bank auth away from the wanna-be-smart phone.

    2. Anonymous Coward
      Anonymous Coward

      Re: Banking Apps

      Applications handling sensitive or financial info should be open source in order to level the field between white and black hats.

  9. Anonymous Coward
    Anonymous Coward

    Good news

    > "binding is needed to install your bot via making a potential victim feel more safe …"

    Nice to see these guys finally starting to care about their victims feelings.

  10. Anonymous Coward
    Anonymous Coward

    "This is why users should never install apps from outside of the Google Play Store.

    use an google play store apk extractor instead :)

  11. jollyboyspecial Silver badge

    Sideloading has always been a bad idea unless you have a really, really good reason. Enabling that functionality punches a big hole in your security, so it makes sense to only enable the functionality when you absolutely need it then disable it once done. Most phones make it pretty damned difficult to enable the functionality, but I know people who enable it as soon as they get a new phone. The weird thing is that at least one of these people never ever sideloads anything - they were just showed how to do it once and have since enabled it one every phone they've owned.



      Each and every FOSS app from f-droid is more trustworthy than the PlayStore malware.

    Thumb Down


    "This is why users should never install apps from outside of the Google Play Store." -- Plain nonsense. As others have pointed out already, the official PlayStore is full of malicious apps. Those are found on a nearly regular basis. Some may indeed have evaded Googles "checks", some others ...?

    I for one use iodé instead of Android which doesn't have Google Play installed. I fetch what I need from f-droid or directly from the - trustworthy - manufacturer (e.g. AVM, Threema, Wire). I feel perfectly safe.

    Apps (only non-paid) from the PlayStore, if really needed and not available otherwise, I get with the help of the FOSS Aurora app.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like