Researchers analyzed both clear and dark web hacking forums and discovered that Russian language threat actors are particularly interested in buying and selling these exploits.
The Google Play app store’s security mechanisms are being compromised by cybercriminals who are developing tools to trojanize Android apps and sell them on underground cybercrime marketplaces.
A recent blog post from cybersecurity firm Kaspersky, published on April 10th, 2023, revealed findings from an extensive study of Clear Net and Dark Web forums, highlighting the vulnerabilities in app store security – Most of these forums are Russian speaking.
The blog post stated that despite the vetting process for software uploaded to Google or Apple app stores, no security solution can be considered 100% foolproof. Every scanning mechanism has inherent flaws that can be exploited by threat actors, allowing them to upload malware to Google Play.
Researchers at Kaspersky monitored activities between 2019 and 2023 and found a thriving market on the Dark Web for buyers and sellers exchanging access to app developer accounts, infected Android apps, and botnets, with prices ranging from a few hundred to several thousand dollars.
One of the methods used by attackers to infect apps with malware involves uploading a harmless app to the app store to gain approval and attract a large number of users. Once the app is approved, the attackers release an update to the app that contains malicious code.
Another method is compromising legitimate app developers by hijacking their accounts and infecting existing apps with malware. Weak password policies and lack of two-factor authentication (2FA) make these accounts easy targets for cybercriminals.
Credential leaks are also used to obtain login details to breach accounts and corporate development systems. Kaspersky researchers found that access to a Google Play account can be purchased for as little as $60, while more lucrative accounts, services, or tools come with a higher price tag.
Loaders, which deploy malicious code into Android apps, are particularly sought-after products on the Dark Web marketplace, with prices ranging from $5,000 to $20,000 depending on their capabilities and complexity.
Sellers often highlight features like user-friendly UI, victim country filters, easy-to-use control panels, and compatibility with the latest Android OS to attract buyers. Some sellers even offer video tutorials for their products.
The blog post also revealed that cybercriminals may supplement trojanized apps with functionality to detect debuggers or sandbox environments. If a suspicious environment is detected, the loader may stop its operations or notify the cybercriminal, indicating that it has likely been discovered by security investigators.
In addition to loaders, other illegal services offered on Dark Web forums include Virtual Private Servers for redirecting traffic or controlling compromised devices, with prices starting at $300, and web injectors, available for $25 to $80. Cybercriminals can also obfuscate their malware for $440, while the cost of processing a single file is around $30.
Kaspersky emphasized that while Google Play does not allow the selling of malicious applications on its platform, app takeovers and infected applications on official stores are still available due to loopholes in enterprise security and innovative hacking methods.
Therefore, users are advised to avoid installing unknown apps and to check for permissions to ensure that apps only access the required functions.
The increasing trend of cybercriminals exploiting the flaws in Google Play app store security to sell malicious apps on the Dark Web highlights the ongoing “cat and mouse game” between security scanners and attackers.
Despite efforts to patch vulnerabilities, attackers continue to find new flaws, underscoring the need for constant vigilance and strong security measures to protect app stores and users from malware threats.
