Malware developers have created a thriving market promising to add malicious Android apps to Google Play for $2,000 to $20,000, depending on the type of malicious behavior cyber criminals request.
The exact price for these services is negotiated on a case-by-case basis on hacker forums or Telegram channels, allowing cybercriminals to customize malicious Android apps with their own malware or functionality.
Google Play is Android’s official app store, promoted as a trusted and secure way to install apps on mobile devices that taps into an audience comprising billions of users.
Therefore, being able to add a malicious Android app to the trusted Google Play store provides a wide base of targets to steal credentials and data, conduct financial fraud, or deliver unwanted advertisements.
A thriving Android malware market
In a new report by Kaspersky, researchers illustrate how threat actors offer services that promise the addition of Android malware apps to Google Play.
These services are offered via Telegram, dark web marketplaces, and hacking forums that allow threat actors to promote their services.
The malware developers promise to hide malware in legitimate-looking apps that impersonate antivirus programs, cryptocurrency asset managers, QR-code scanners, small games, and dating apps.
Kaspersky reports that apart from Google Play loaders, which sell for an average of roughly $7,000, cybercriminals also sell services like malware obfuscation for $8 to $30 or “clean” Google developer accounts that cost $60.
These malicious but innocuous-looking apps are published on Google Play but include the ability to fetch malicious code via a later update. Alternatively, users may receive a notification to install another app from an external source.
These services guarantee that the app will remain on Google Play for at least one week, with some developers promising at least 5,000 installs.
Upon installation, the malware loader apps request the user to grant risky permissions like access to the phone’s camera, microphone, or Accessibility Services and prevent access to the app’s main functions until the requests are approved.
Then, the authors of these apps sell access to their loaders to interested buyers and set them to inject additional payloads.
In some cases seen by Kaspersky, the sellers auction their loaders to maximize their profit, starting at $1,500 and setting the “instant purchase” price at $7,000.
To promote these loaders, the sellers publish videos showcasing their features, user-friendly interface, granular targeting filters, and more.
“Cybercriminals may also supplement the trojanized app with functionality for detecting a debugger or sandbox environment,” explains Kaspersky.
“If a suspicious environment is detected, the loader may stop its operations, or notify the cybercriminal that it has likely been discovered by security investigators.”
To increase the number of malware installations via the Google Play loaders, the cybercriminals may also offer to run Google Ad campaigns on account of their customers.
In addition to the loaders, cybercriminals also offer the so-called “binding” services, which involve hiding entire malicious APKs on legitimate applications that can pass Google’s security checks.
Cybersecurity company ThreatFabric also reported about a similar service dubbed ‘Zombinder’ back in December 2022, pushing Erbium Stealer to thousands of victims.
The cost of these services is significantly lower compared to the loaders, asking between $50 and $100 per file.
To defend against these stealthy attacks, Android users should carefully review the requested permissions upon app installation, check user comments on Google Play, and keep the number of installed apps at a minimum.
Even more important, never install Android APKs from third-party sites, as they are a common distribution method for malware.