BleepingComputer recently reported that some darknet shops are now using custom mobile “darknet apps” to distribute their products. This measure is taken to increase the security for the shop vendors so that they do not have to rely on other distribution channels like Telegram.
But the problem is that while it lowers the risk for the distributor, it significantly increases the risk for the customer. We strongly recommend not using such apps for a number of reasons.
The most obvious is that there is no guarantee that these apps are technically secure. According to BleepingComputer, these apps mostly are built on the M-Club CMS engine which codebase was never audited and more importantly, it was not designed with security and privacy for the end user in mind. It is quite likely that there are critical security vulnerabilities in these apps which may not even have been found.
Compromising mobile devices
Another, possibly even more problematic issue is that you compromise the security of your mobile device. While we are not accusing any of these vendors to exploit their userbase, if you install such an app on your mobile device you are at the mercy of whoever distributed that app. Security on mobile devices is much less robust as on a PC as is, but if you install an untrusted app from a darknet shop, you can never know if this app does not maliciously infiltrate your device to harvest sensitive information.
From a vendor’s perspective the decision to use custom apps seems reasonable, since in the past year a number of Telegram channels have been infiltrated by law enforcement which then were able to shut down the shops and arrest the people running it. But it is a more than questionable choice to improve the security for the vendor while at the same time exposing the user base to a much higher risk.
For all these reasons we strongly recommend that users should trust their darknet shopping to established shops and markets protected by the Tor protocol (.onion domains). These sites may not load as fast and are possibly not always available (due to DDoS and other technical issues) but they maximize security for both users and vendors at the same time.
It is understandable that some darknet vendors rather use Telegram or their own custom apps not only because of the reasons mentioned above but also because it takes much less effort. To set up and run an onion site in a secure manner requires technical expertise and time. But that is just another reason why these sites are more trustworthy because the people who are running them usually know what they are doing.