Kaspersky Lab experts report that $20,000 is enough to buy a malicious application that victims can download from the Google Play Store.
The experts studied 9 darknet markets between 2019 and 2023 and found a wide range of code and services for sale that are used to infect and hack users' devices through Google Play.
To get a malicious app into Google Play, cybercriminals need to buy a Play developer account, priced at $60 to $200 each. Once the account is purchased, the attacker can use a malware downloader.
Spyware in the Play Store can attract Google's attention, resulting in the removal of the app and the developer's account. The downloader helps to avoid deletion: the program "hides" in a harmless-looking application (dropper) installed from Google Play, and at some point the downloader installs an update containing malicious code that allows a hacker to steal data or money.
The update may also request additional permissions to access the victim's files, and the application may refuse to run until the necessary privileges are granted. These tools are more expensive, ranging from $2,000 to $20,000, depending on the complexity and features required.
According to Kaspersky Lab researchers, a trojanized application may also have debugger or sandbox detection features. If a suspicious environment is detected, the downloader can stop its work or notify the cybercriminal that the malicious activity was probably noticed by information security specialists.
Criminals who don't want to pay thousands of dollars for a downloader can pay significantly less, $50 to $100, for a tethering service that hides a malicious APK file in a legitimate app. However, such a file has a lower installation success rate than downloaders.
Other illegal services include VPS ($300) that allow hackers to redirect traffic or control infected devices, and web injectors ($25 to $80) that make sure victims visit selected websites on their infected devices and replace these pages with malicious ones that steal credentials and other information.
In addition, to increase the number of downloads of a malicious application and make it more attractive to other mobile users, scammers can buy installations at prices ranging from $0.1 to $1 per unit.
To avoid falling prey to such applications, the researchers remind users not to install unknown applications and always check the required permissions to make sure that the program is not accessing more information than it needs to work. In addition, organizations are encouraged to protect developer accounts from hacking by using strong passwords and multi-factor authentication (MFA). It is also a good idea to monitor dark web forums for dumps of stolen credentials.
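The advice to check requested permissions, together with the earlier point that the malicious update may request additional permissions, can be applied by comparing the manifests of two versions of the same app. The following is an added example, not code from Kaspersky's report: the manifests are constructed samples, the watchlist is an illustrative assumption, and the manifests are assumed to be already decoded to text XML (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Illustrative watchlist (an assumption): file, message, contact and installer access.
WATCHLIST = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

def permissions(manifest_xml):
    """Return the set of permissions requested in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                found.add(name.strip())
    return found

def review_update(old_xml, new_xml):
    """Diff permissions between two versions; flag added ones on the watchlist."""
    old, new = permissions(old_xml), permissions(new_xml)
    added = new - old
    return {
        "added": sorted(added),
        "flagged": sorted(added & WATCHLIST),
        "removed": sorted(old - new),
    }

# Constructed sample manifests (not taken from any real app).
V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight" android:versionCode="1">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight" android:versionCode="2">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission-sdk-23 android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
</manifest>"""

print(review_update(V1, V2))
```

An update that adds watchlisted permissions unrelated to the app's stated function is a reason to review the new version before allowing it on managed devices.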