Malicious loader programs capable of trojanizing Android apps are being traded under the criminal underbelly for up to $20,000 as a way to evade the defenses of the Google Play Store.
“The most popular categories of apps for hiding malware and unwanted software include cryptocurrency trackers, financial apps, QR code scanners and even dating apps,” Kaspersky said in a new report based on messages posted on online forums between 2019 and 2023.
Dropper apps are the main vehicle for threat actors looking to smuggle malware through the Google Play Store. Such apps often masquerade as seemingly harmless apps, with malicious updates introduced after completing the review process and the apps have amassed a significant user base.
This is achieved by using loader programs which are responsible for injecting malware into clean applications, which are then made available for download from the application market. Users who install tampered apps are asked to grant intrusive permissions to facilitate malicious activity.
Apps may, in some cases, also include an anti-analysis feature to detect whether they are being debugged or installed in a sandboxed environment and, if so, stop them from operating on the compromised device.
As another option, attackers can purchase Google Play developer accounts – either hacked or newly created by a seller – for between $60 and $200, depending on the number of apps published and number of downloads.
App developer accounts that lack strong passwords or two-factor authentication (2FA) protection can easily be hacked and sold, allowing other actors to upload malware into existing apps.
A third alternative is the use of APK binding services, which are responsible for hiding malicious APK files within legitimate applications, for distributing malware via phishing texts and dubious websites advertising hacked games and software.
Binding services, in contrast to loaders, are cheaper due to the fact that poisoned apps are not available through the Google Play Store. Notably, this technique has been used to deliver Android banking trojans such as SOVA and Xenomorph in the past.
Some of the other prohibited services offered for sale in cybercrime marketplaces include malware impersonation ($30), web injection ($25-$80), and virtual private servers ($300), the latter can be used to control infected devices or to redirect user traffic.
Also, attackers can buy installs for their Android apps (legitimate or not) through Google Ads for an average of $0.5. Installation fees vary by target country.
To reduce the risks posed by Android malware, users are advised not to install apps from unknown sources, check app permissions, and keep their devices up to date.