How Much To Infect Android Phones Via Google Play Store? How About $20K

If you want to sneak malware onto people's Android devices via the official Google Play store, it may cost you about $20,000 to do so, Kaspersky suggests. The Register reports: This comes after the Russian infosec outfit studied nine dark-web markets between 2019 and 2023, and found a slew of code and services for sale to infect and hijack the phones and tablets of Google Play users. Before cybercriminals can share their malicious apps from Google's official store, they'll need a Play developer account, and Kaspersky says those sell for between $60 and $200 each. Once someone's bought one of these accounts, they'll be encouraged use something called a loader.

Uploading straight-up spyware to the Play store for people to download and install may attract Google's attention, and cause the app and developer account to be thrown out. A loader will attempt to avoid that: it's software a criminal can hide in their otherwise innocent legit-looking app, installed from the official store, and at some convenient point, the loader will fetch and apply an update for the app that contains malicious code that does stuff like steal data or commit fraud. That update may ask for extra permissions to access the victim's files, and may need to be pulled from an unofficial store with the victim's blessing; it depends on the set up. The app may refuse to work as normal until the loader is allowed to do its thing, convincing marks into opening up their devices to crooks. These tools are more pricey, ranging from $2,000 to $20,000, depending on the complexity and capabilities required.

Would-be crims who don't want to pay thousands for a loader can pay substantially less -- between $50 and $100 -- for a binding service, which hides a malicious APK file in a legitimate application. However, these have lower successful install rates compared to loaders, so even in the criminal underground you get what you pay for. Some other illicit services offered for sale on these forums include virtual private servers ($300), which allow attackers to redirect traffic or control infected devices, and web injectors ($25 to $80) that look out for victims' visiting selected websites on their infected devices and replacing those pages with malicious ones that steal login info or similar. Criminals can pay for obfuscation of their malware, and they may even get a better price if they buy a package deal. "One of the sellers offers obfuscation of 50 files for $440, while the cost of processing only one file by the same provider is about $30," Team Kaspersky says. Additionally, to increase the number of downloads to a malicious app, thus making it more attractive to other mobile users, attackers can buy installs for 10 cents to $1 apiece. Kaspersky's report can be found here.

Why the variation?

[fermion]

Isnâ(TM)t a google play account a fixed item. Do you get more access, more analytics to monetize your users, if you pay more?

Re:

[F.Ultra]

No this is google play accounts sold by dark-web sellers. Aka as a cyber criminal you don't want to purchase an account directly from Google so that they can track you.

kaspersky raises questions

[iggymanz]

I only ever see Kaspersky doing good, yet our government says they're the spawn of satan even as they themselves censor citizens, weaponize IRS, FBI, DHS etc. against them, spy on them...

Re:kaspersky raises questions

[jonwil]

The problem I suspect isn't Kaspersky, its that Russia has the ability to access any and all data held by Kaspersky. (similar to how the Chinese government has the ability to access any and all TikTok user data)

Re:

[fermion]

Just like anyone who has a wad of cash, including the Russian and Chinese, can get all your personal data from google.

Re:

[iggymanz]

and of course U.S. social media and other companies never violated U.S. citizens privacy to spy on them for profit, lolz

Re:

[Moskit]

..and USA agencies are able to access the data collected by USA companies. It's just national interests.

Re:

[iggymanz]

and the US government spies on its own citizens and other countries, and even foments uprisings and wages war against those that didn't attack it.

Re: kaspersky raises questions

[SleepingEye]

Except you'll notice that the article is filled with misleading terms and numbers. Sure, there MAY be malware... OR there might not be. There were millions of install*ER*s.. which i can generate in 20 minutes cycling through random names. How many actual installs? 0?

Re:kaspersky raises questions

[gweihir]

Generally speaking, Kaspersky is probably a lot less corrupted than all the western AV vendors. It certainly has no problem exposing _all_ malware it finds (no exceptions for the scumbags at the NSA) and it does good work. Now, if you have especially sensitive data on a system, you most decidedly want _no_ AV at all, because on the level none of them is trustworthy. But even then, Kaspersky is probably more trustworthy, because they are under special scrutiny and anything found would get blown up to the max and they would likely go out of business.

No surprise here.

[kurkosdr]

The fact a concept as simple as a loader (basically a piece of code that downloads malware from a server and runs it) can bypass Google Bouncer showcases the folly of trying to replace property ID verification with "analytics" and "AI". Apple made the right choice by identifying developers before allowing them to upload to their app store. It's not a perfect defense, but much better than allowing everyone to upload without being able to track them down.

Re:

[kurkosdr]

property ID verification = proper ID verification (sorry)