Malicious Google Play apps are sold for up to $20,000 on underground online marketplaces, with cryptocurrency trackers, financial apps, QR-code scanners, and dating apps being the most targeted application categories to hide malware, according to new research from antivirus firm Kaspersky.  

The findings come after the Russian-based multinational firm analyzed offers of malicious apps for sale on nine popular darknet marketplaces between 2019 and 2023, identifying new details about how these malicious programs evade the security of tech giants and poison the Play Store. 

While Google takes down a large number of malicious apps every year, researchers found that threat actors constantly continue to succeed in finding new ways to hide malware in legitimate apps. In October 2022, Meta reported hundreds of malicious Android apps in the Play store that stole sensitive data from Facebook users. A month later, a set of four malicious apps on the Google Play Store were found to have been downloaded over one million times.  

Like legitimate marketplaces, darknet forums offer a variety of products to fulfill the needs and budgets of different customers. Obtaining a Google Play account can be bought cheaply for $60 to $200, and various types of malicious loaders can be sold for prices ranging between $2,000 and $20,000, depending on the functions and complexity. On average, the price for a loader is $6,975, but it can reach even higher if buyers want the loader source code, according to Kaspersky. 

Alisa Kulishenko, a security researcher at Kaspersky, said these loaders - used to inject malicious or unwanted code into the app - are the most popular Play Store threats offered on underground forums.  

"Among the loader features, their authors may highlight the user-friendly UI design, convenient control panel, victim country filter, support for the latest Android versions, and more," said Kulishenko, adding that cybercriminals sometimes provide video demonstrations or demo versions to potential customers, while also offering additional trojanized apps to detect debugger or sandbox environments.  

"If a suspicious environment is detected, the loader may stop its operations, or notify the cybercriminal that it has likely been discovered by security investigators."  

For buyers with limited budgets, these marketplaces also offer cheaper binding services for $50 to $100 or $65 per file. Similar to loaders, they are also designed to hide malicious or unwanted APK files in legitimate apps, but because their malicious code is not customized for Android applications, they are more likely to be detected by Play Store security checks and results in a lower successful installation rate.  

Besides Google Play loaders and binding services, other services include malware obfuscation which helps buyers better bypass security checks by complicating malicious code, and installation services to increase the number of downloads. Darknet sellers also provide additional services to help buyers publish malicious apps so that buyers do not need to spend time interacting with the Play Store directly.  

Kulishenko said sellers accept payment through a number of novel methods. "The services can be provided for a share of the final profit, rented, or sold for a one-time price. Some sellers also hold auctions of their goods: since the number of items sold is limited, they are not very likely to be discovered, so buyers may be willing to compete for them," she explained.  

In 2022, Kaspersky detected over 1.6 million malicious or unwanted software installers targeting mobile users. While the Play Store is enhancing its app security by taking further steps, such as recently mandating account deletion for Play Store apps, researchers expect threat landscape to become "more complex and advanced" in the future.  

"The quality of cybersecurity solutions that protect users from these attacks is increasing. On [these marketplaces], we found messages from cybercriminals complaining how it is now much harder for them to upload their malicious apps to official stores. However, this also means that they will now come up with much more sophisticated circumvention schemes, so users should stay alert and carefully check which apps they are downloading," Kulishenko said.