Kaspersky experts analyzing offers of malicious apps on Google Play for sale on the Darknet, have discovered that malicious mobile apps and store developer accounts are being sold up to US$20,000. Using Kaspersky Digital Footprint Intelligence, researchers collected examples from nine different Darknet forums where the purchase and sale of goods and services related to malware is carried out. The report sheds light on how threats sold on Darknet appear on Google Play and also reveals the offers available, price range and features of communication and agreements between cybercriminals.
Even if official app stores are vigorously policed, moderator services can’t always catch malicious apps before they’re uploaded. Every year a vast range of malicious apps are deleted on Google Play only after victims have been infected. Cybercriminals gather on the Darknet – a whole underground digital world with its own rules, market prices, and reputational institutions – to buy and sell Google Play malicious apps, and additional functions to upgrade and even advertise their creations.
Like on legitimate forums for selling goods, there are also various Darknet offers for different needs and customers with different budgets. To publish a malicious app, cybercriminals need a Google Play account and a malicious downloader code (Google Play Loader). A developer account can be bought cheaply, for US$200 and sometimes even for as little as US$60. The cost of malicious loaders ranges between US$2,000 and $20,000, depending on the complexity of malware, the novelty and prevalence of malicious code, as well as the additional functions.
The example of an average offer of Google Play threat
Most often, the malware being distributed is suggested to be hidden under cryptocurrency trackers, financial apps, QR-code scanners and even dating apps. Cybercriminals also highlight how many downloads the legitimate version of that app has, which means how many potential victims can be infected by updating the app and adding malicious code to it. Most frequently the suggestions specify 5,000 downloads or more.
The cybercriminal sells a Google Play threat hidden under the guise of cryptocurrency tracker
For an additional fee, cybercriminals can obfuscate the application code to make it harder to detect by cybersecurity solutions. To increase the number of downloads to a malicious app, many attackers also offer to purchase installs – directing traffic through Google ads and attracting more users to download the app. Installs cost differently for each country. The average price is US$0.50, with offers ranging from US$0.10 to several dollars. In one of the discovered offers, advertisements for users from USA and Australia cost the most – US$0.80.
Fraudsters offer three kinds of work: for a share of the final profit, rent, and full purchase of either an account or a threat. Some sellers even hold auctions to buy their goods, since many sellers limit the number of lots sold. For example, one offer we found, the starting price was US$1,500, with $700 incremental steps in the auction, and the blitz – the instant purchase for the highest price – was $7,000.
Darknet sellers can also offer to publish the malicious app for the buyer so they do not directly interact with Google Play, but can still remotely receive all of the victims’ detected data. It may seem that in such a case the developer can easily deceive the buyer, but it is common among Darknet sellers to preserve and maintain their reputation, promise guarantees, or accept payment after the terms of the agreement have been completed. To reduce risks when making deals cybercriminals often resort to the services of disinterested intermediaries, known as “escrow”. The escrow may become a special service and supported by a shadow platform, or a third party who is not interested in the results of the transaction.
“Malicious mobile apps continue to be one of the top cyberthreats targeting users, with more than 1.6 million mobile attacks detected in 2022. At the same time, the quality of cybersecurity solutions that protect users from these attacks is also increasing. On Darknet, we found messages from cybercriminals complaining how it is now much harder for them to upload their malicious apps to official stores. However, this also means that they will now come up with much more sophisticated circumvention schemes, so users should stay alert and carefully check which apps they are downloading,” comments Alisa Kulishenko, security expert at Kaspersky.