Malicious Google Play apps being sold on darknet for up to $20k

By Christopher Tredger, Portals editor
Johannesburg, 18 Apr 2023

Malicious apps on Google Play are being traded on the darknet and cyber criminals can make up to US$20 000 on a sale.

This is according to research by Kaspersky Digital Footprint Intelligence, which investigated nine different darknet forums that trade in malware-related goods and services.

The report sheds light on how threats sold on the darknet appear on Google Play and also reveals the offers available, price range and features of communication and agreements between cyber criminals.

According to Kaspersky, even though official app stores are vigorously policed, moderator services can’t always catch malicious apps before they’re uploaded.

Every year a vast range of malicious apps are deleted from Google Play only after victims have been infected.

“Cyber criminals gather on the darknet – a whole underground digital world with its own rules, market prices, and reputational institutions – to buy and sell Google Play malicious apps, and additional functions to upgrade and even advertise their creations,” the digital security firm states.

It continues: “Like on legitimate forums for selling goods, there are also various darknet offers for different needs and customers with different budgets. To publish a malicious app, cybercriminals need a Google Play account and a malicious downloader code (Google Play Loader). A developer account can be bought cheaply, for US$200 and sometimes even for as little as US$60. The cost of malicious loaders ranges between US$2,000 and US$20,000, depending on the complexity of malware, the novelty and prevalence of malicious code, as well as the additional functions.”

Kaspersky adds that for an additional fee cyber criminals can obfuscate the application code to make it harder for cyber security solutions to detect. “To increase the number of downloads to a malicious app, many attackers also offer to purchase installs – directing traffic through Google ads and attracting more users to download the app. Installs cost differently for each country. The average price is US$0.50, with offers ranging from US$0.10 to several dollars. In one of the discovered offers, advertisements for users from the USA and Australia cost the most – US$0.80.”

The cyber security firm explains that fraudsters offer three kinds of work: for a share of the final profit, rent, and full purchase of either an account or a threat. Some sellers even hold auctions for their goods, since many sellers limit the number of lots sold. For example, in one offer that was found, the starting price was US$1 500, with US$700 incremental steps in the auction, and the blitz (the instant purchase for the highest price) was US$7 000.

Darknet sellers can also offer to publish the malicious app for the buyer so they do not directly interact with Google Play, but can still remotely receive all of the victims' detected data. It may seem that in such a case the developer can easily deceive the buyer, but it is common among darknet sellers to preserve and maintain their reputation, promise guarantees, or accept payment after the terms of the agreement have been completed.

To reduce risks when making deals, cyber criminals often resort to the services of disinterested intermediaries, known as “escrow”. The escrow may be a special service supported by a shadow platform, or a third party who is not interested in the results of the transaction.

Alisa Kulishenko, security expert at Kaspersky, says malicious mobile apps continue to be one of the top cyber threats targeting users, with more than 1.6 million mobile attacks detected in 2022. At the same time, the quality of cyber security solutions that protect users from these attacks is also increasing. "On the darknet, we found messages from cyber criminals complaining how it is now much harder for them to upload their malicious apps to official stores. However, this also means that they will now come up with much more sophisticated circumvention schemes, so users should stay alert and carefully check which apps they are downloading."