Hackers sell a variety of data, code, and applications on the darknet, the underground web that is a beehive of activity for such players.

Cybersecurity experts at Kaspersky found that hackers are now selling malicious Google Play mobile apps and store developer accounts, with prices topping $20,000.

Malware market

They found these offers on nine different darknet forums where malware-related goods and services are bought and sold. A new report by the Moscow-based cybersecurity solution company sheds light on how threats sold on the darknet appear on Google Play. It also covers the offers available, the price range, and how cybercriminals communicate and reach agreements with one another.

“Malicious mobile apps continue to be one of the top cyber threats targeting users, with more than 1.6 million mobile attacks detected in 2022 alone,” Alisa Kulishenko, a security expert at Kaspersky, has said.

Even if official app stores are vigorously policed, moderator services can’t always catch malicious apps before they’re uploaded.

Google Play deletes a number of malicious apps, but only after victims have been infected. Cybercriminals gather on the darknet to buy and sell malicious Google Play apps, as well as additional functions to upgrade and even advertise their creations.

“To publish a malicious app, cybercriminals need a Google Play account and a malicious downloader code (Google Play Loader). A developer account can be bought cheaply, for US$200 and sometimes even for as little as $60. The cost of malicious loaders ranges between $2,000 and $20,000, depending on the complexity of the malware, the novelty, and the prevalence of malicious code.”

“Most often, the malware being distributed is suggested to be hidden under cryptocurrency trackers, financial apps, QR-code scanners and even dating apps,” the report said.

Cybercriminals boast about the number of downloads the legitimate version of that app has, indicating the potential for new infections.

Hard-to-detect app code

For an additional fee, cybercriminals can obfuscate the application code, making it harder to detect by cybersecurity solutions.

Hackers also offer help to gain more attention by directing traffic through Google ads and attracting more users to download the app.

“Installs cost differently for different countries. The average price is $0.50, with offers ranging from $0.10 to several dollars.”

Revenue models

Cybercriminals seem to have created three revenue models: a share of the final profit, rental, and full purchase of either an account or a threat.

“Some sellers even hold auctions. The starting price in one instance was $1,500.”

Darknet sellers also offer a service to publish malicious apps so that buyers don’t need to interact with Google Play while allowing them to remotely receive all of the victims’ detected data.