Circumventing Play Store Security with custom loader apps

04/20/2023 | Darknet News

Malicious loader programs that can trojanize Android applications and slip them past Google Play Store security are sold for up to $20,000 on the dark web.

In a recent analysis based on posts made on internet forums between 2019 and 2023, Kaspersky stated that “the most popular application categories to hide malware and unwanted software include cryptocurrency trackers, financial apps, QR-code scanners, and even dating apps.”

Dropper apps are the main tool threat actors use to smuggle malware through the Google Play Store. They are published as seemingly innocent apps, and once they pass the review process and gain a sizable user base, malicious updates are pushed out.

This is accomplished with a loader application, which injects malware into a clean app before it is made available for download from the app store. When users install the modified app, they are asked to grant it invasive permissions that enable the malicious operations.

In certain cases, the apps also carry anti-analysis features that let them recognize when they are being debugged or run in a sandboxed environment and, if so, stop executing on the infected device.

Another method is for threat actors to buy a Google Play developer account, which costs $60 to $200, depending on how many apps the account has already published and how many downloads those apps have received.

Developer accounts protected by a weak password or weak two-factor authentication (2FA) can be easily hijacked and resold, allowing other actors to push malware into already-published apps.

A third option is APK binding services, which conceal a malicious APK file inside a legitimate app; the result is distributed through phishing emails and dubious websites promoting cracked software and games.

Because the poisoned apps never have to get into the Google Play Store, binding services cost less than loaders. Notably, the method has already been used to distribute Android banking trojans such as SOVA and Xenomorph.

Other illicit services available on cybercrime markets include web injects ($25–$80), malware obfuscation ($30), and virtual private servers ($300), which can be used to control infected devices or reroute user traffic.

Additionally, attackers can buy installs of their Android apps, legitimate or not, through Google Ads for an average of $0.5 per install. Installation costs vary depending on the country being targeted.

To reduce the threat posed by Android malware, users are advised to avoid installing apps from untrusted sources, carefully review the permissions an app requests, and keep their devices up to date.