Malware producers have established a booming market in which they offer to get malicious Android apps onto Google Play for anywhere between $2,000 and $20,000, with the price depending on the kind of malicious behaviour the buyer wants.
On hacker forums and Telegram channels, the exact cost of these services is negotiated case by case, so that buyers can have a malicious Android app tailored to their own malware or desired functionality. Google Play, the official app store for Android, is marketed as a reliable and secure way to download apps for mobile devices, and it reaches a market of billions of consumers.
As a result, the ability to get Android malware into the reputable Google Play store offers a large pool of potential victims from whom to steal login information and data, commit financial fraud, or push unwanted adverts.
Researchers from Kaspersky have shown how threat actors advertise services that claim to deliver Android malware apps to Google Play. Threat actors are able to advertise their services using Telegram, dark web marketplaces, and hacking forums.
The malware creators guarantee that their malicious code will be concealed in apps that mimic antivirus software, bitcoin asset managers, QR-code scanners, trivial games, and dating apps.
In addition to Google Play loaders, which cost an average of around $7,000, Kaspersky says that fraudsters also provide services such as malware obfuscation for $8 to $30 and “clean” Google developer accounts for $60.
These deceptive apps have innocent-looking interfaces when they appear on Google Play, but they can later be updated to fetch malicious code. Alternatively, users may be shown a notification urging them to download an external app.
These services guarantee that the app will remain on Google Play for at least one week, and some developers also guarantee a minimum of 5,000 installs.
The malware loader apps withhold access to the app’s primary features unless the user grants dangerous permissions at the time of installation, such as access to the phone’s camera, microphone, or accessibility services.
The creators of these apps then provide interested parties access to their loaders and instruct them to inject new payloads. In other instances that Kaspersky has observed, the sellers auction their loaders to increase their profit. The beginning bid is $1,500, and the “immediate purchase” price is $7,000 in these cases.
To promote their loaders, the sellers release videos showing off their capabilities, user-friendly interface, fine-grained targeting filters, and more.
According to Kaspersky, “Cybercriminals may also add capability for identifying a debugger or sandbox environment to the trojanized app.” If a suspicious environment is detected, the loader may halt its operations or alert the cybercriminal that security researchers have probably found it.
The cybercriminals may also offer to run Google Ads campaigns for their clients in an effort to increase the number of malware installations achieved through the Google Play loaders.
Alongside loaders, fraudsters also provide so-called “binding” services, which conceal a complete malicious APK inside a legitimate app that can pass Google’s security checks.
In December 2022, the cybersecurity firm ThreatFabric also revealed that a similar service known as “Zombinder” was being used to spread Erbium Stealer to thousands of victims. When compared to loaders, these services are substantially less expensive, costing between $50 and $100 per file.
To protect themselves from these covert attacks, Android users should carefully review the permissions requested during app installation, read user reviews on Google Play, and keep the number of installed apps to a minimum. Above all, avoid installing Android APKs from third-party websites, because they are a common way for malware to spread.
Malicious loader programs that can trojanize Android applications and get them past Google Play Store security are sold for up to $20,000 on the dark web. Based on posts made on internet forums between 2019 and 2023, Kaspersky said in a recent analysis that “the most popular program categories to hide malware and undesirable software include cryptocurrency trackers, banking apps, QR-code scanners, and even dating apps.”
Dropper apps are the main tool threat actors use to smuggle malware through Google Play. These apps frequently pass for innocent ones, but malicious updates are released after they pass the review process and gain a sizable user base. This is accomplished with a loader application, which injects malware into a clean app before it is made available for download from the app store. When users install the modified app, they are asked to grant it invasive permissions that enable the malicious operations.
In certain cases, the apps also have anti-analysis characteristics that let them recognize when they are being debugged or deployed in a sandboxed environment and, if so, stop operating on the infected devices. Another method is for threat actors to buy a Google Play developer account, which they may do for $60 to $200, depending on how many apps have already been released and how many downloads they have received.
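The permission pattern described above (a trivial-looking app that gates its features behind camera, microphone, accessibility or install-from-unknown-source access) is something a reviewer or defender can check mechanically before sideloading or approving an app. The following script is an added example, not code from the article or from Kaspersky: it parses a constructed AndroidManifest.xml for a made-up “QR scanner”, collects the requested permissions (including an accessibility service, which is declared on a `<service>` element rather than as a `<uses-permission>`), and flags the risky permissions that the app’s declared purpose does not explain. The category table, the permission weights and the sample manifest are assumptions made for this example.

```python
"""Triage an Android manifest for permissions the app's purpose does not explain.

Added example: the sample manifest is constructed for this demonstration and
is not taken from the article or from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Permissions the article singles out (camera, microphone, accessibility),
# plus REQUEST_INSTALL_PACKAGES, which is what an app needs in order to
# prompt the user to install an external APK. Weights are assumptions.
RISKY_PERMISSIONS = {
    "android.permission.CAMERA": 1,
    "android.permission.RECORD_AUDIO": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 3,
}

# Risky permissions a given app category plausibly needs (assumed table).
EXPECTED_FOR_CATEGORY = {
    "qr_scanner": {"android.permission.CAMERA"},
    "dating": set(),
    "game": set(),
}

# Constructed sample: a "QR scanner" that also wants microphone access,
# the ability to install packages, and an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.qrscan">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Fast QR Scanner">
    <activity android:name=".MainActivity"/>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""


def extract_permissions(manifest_xml):
    """Return the set of permissions the manifest requests or binds."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NAME) for e in root.iter("uses-permission") if e.get(NAME)}
    # An accessibility service shows up as a <service> protected by
    # BIND_ACCESSIBILITY_SERVICE, not as a <uses-permission> entry.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            perms.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    return perms


def triage(manifest_xml, category):
    """Score the manifest and list risky permissions the category does not explain."""
    perms = extract_permissions(manifest_xml)
    expected = EXPECTED_FOR_CATEGORY.get(category, set())
    unexplained = sorted(
        p for p in perms if p in RISKY_PERMISSIONS and p not in expected
    )
    score = sum(RISKY_PERMISSIONS[p] for p in unexplained)
    return {"permissions": sorted(perms), "unexplained": unexplained, "score": score}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, "qr_scanner")
    for perm in result["unexplained"]:
        print(f"unexplained permission: {perm}")
    print(f"risk score: {result['score']}")
```

On a real device the manifest has to be pulled from the APK first (for example with `aapt` or `apktool`), and the category table should be driven by the app’s store listing rather than hard-coded; the point of the example is that camera access is expected of a QR scanner, whereas microphone, package-install and accessibility access are not, and those are exactly the permissions the loaders described above gate their features behind.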