How much to infect Android phones via Google Play store? How about $20k

If you want to sneak malware onto people's Android devices via the official Google Play store, it may cost you about $20,000 to do so, Kaspersky suggests.

This comes after the Russian infosec outfit studied nine dark-web markets between 2019 and 2023, and found a slew of code and services for sale to infect and hijack the phones and tablets of Google Play users.  

Before cybercriminals can share their malicious apps from Google's official store, they'll need a Play developer account, and Kaspersky says those sell for between $60 and $200 each. Once someone's bought one of these accounts, they'll be encouraged use something called a loader.

Uploading straight-up spyware to the Play store for people to download and install may attract Google's attention, and cause the app and developer account to be thrown out. A loader will attempt to avoid that: it's software a criminal can hide in their otherwise innocent legit-looking app, installed from the official store, and at some convenient point, the loader will fetch and apply an update for the app that contains malicious code that does stuff like steal data or commit fraud.

That update may ask for extra permissions to access the victim's files, and may need to be pulled from an unofficial store with the victim's blessing; it depends on the set up. The app may refuse to work as normal until the loader is allowed to do its thing, convincing marks into opening up their devices to crooks. These tools are more pricey, ranging from $2,000 to $20,000, depending on the complexity and capabilities required.

"Among the loader features, their authors may highlight the user-friendly UI design, convenient control panel, victim country filter, support for the latest Android versions, and more," according to the Kaspersky report, which says cybercriminals sometimes include instructional or demonstration videos with the listing, or offer to send demo versions for prospective customers.

"Cybercriminals may also supplement the trojanized app with functionality for detecting a debugger or sandbox environment," the researchers added. "If a suspicious environment is detected, the loader may stop its operations, or notify the cybercriminal that it has likely been discovered by security investigators."

Would-be crims who don't want to pay thousands for a loader can pay substantially less — between $50 and $100 — for a binding service, which hides a malicious APK file in a legitimate application. However, these have lower successful install rates compared to loaders, so even in the criminal underground you get what you pay for.

Some other illicit services offered for sale on these forums include virtual private servers ($300), which allow attackers to redirect traffic or control infected devices, and web injectors ($25 to $80) that look out for victims' visiting selected websites on their infected devices and replacing those pages with malicious ones that steal login info or similar.

Criminals can pay for obfuscation of their malware, and they may even get a better price if they buy a package deal. "One of the sellers offers obfuscation of 50 files for $440, while the cost of processing only one file by the same provider is about $30," Team Kaspersky says.

Additionally, to increase the number of downloads to a malicious app, thus making it more attractive to other mobile users, attackers can buy installs for 10 cents to $1 apiece.

• Google: If your Android app can create accounts, it better be easy to delete them, too
• Mozilla says 80 percent of Google Play's app safety labels are inaccurate
• Malware disguised as Tor browser steals $400k in cryptocash
• Check out this Android spyware, says Microsoft, the home of a gazillion Windows flaws

To be clear, Google Play doesn't intentionally allow the sale of malicious apps on its store. However, even with pre-screening apps and removing malicious ones as soon as they are spotted, criminals still find ways to bypass these security measures and upload malware-infected applications to official stores.

Last year alone, Kaspersky said it uncovered more than 1.6 million malicious or unwanted software installers targeting mobile users. Unfortunately, the security shop predicts these threats will only become "more complex and advanced" in the future.

To avoid becoming an unwitting victim, the researchers remind users not to enable the installation of unknown apps, and always check app permissions to make sure they're not accessing more than they need to perform their functions.

Also, for organizations: protect developer accounts from being hijacked to spread malware by using strong passwords and multi-factor authentication. It's also a good idea to monitor dark-web forums for credential dumps, in case yours are listed. ®