{"id":109452,"date":"2023-04-10T08:00:02","date_gmt":"2023-04-10T08:00:02","guid":{"rendered":"https:\/\/kasperskycontenthub.com\/securelist\/?p=109452"},"modified":"2023-04-13T12:29:30","modified_gmt":"2023-04-13T12:29:30","slug":"google-play-threats-on-the-dark-web","status":"publish","type":"post","link":"https:\/\/securelist.com\/google-play-threats-on-the-dark-web\/109452\/","title":{"rendered":"Overview of Google Play threats sold on the dark web"},"content":{"rendered":"
In 2022, Kaspersky security solutions detected 1,661,743 malware or unwanted software installers targeting mobile users. Although the most common way of distributing such installers is through third-party websites and dubious app stores, their authors every now and then manage to upload them to official stores such as Google Play. Official stores are policed vigorously, and apps are pre-moderated before being published; however, the authors of malicious and unwanted software employ a variety of tricks to bypass platform checks. For instance, they may upload a benign application and then update it with malicious or dubious code, infecting both new users and those who had already installed the app. Malicious apps are removed from Google Play as soon as they are found, but sometimes only after they have been downloaded a number of times.

With many malicious and unwanted apps on Google Play being discovered only after complaints from users, we decided to take a look at what the supply and demand for such malware on the dark web looks like. It is especially important to analyze how this threat originates, because many cybercriminals work in teams, buying and selling Google Play accounts, malware, advertising services, and more. It is a whole underground world with its own rules, market prices, and reputational institutions, an overview of which we present in this report.

Methodology

Using Kaspersky Digital Footprint Intelligence, we collected examples of Google Play threats offered for sale. Kaspersky Digital Footprint Intelligence allows discreet monitoring of pastebin sites and restricted underground online forums to discover compromised accounts and information leaks.
The offers presented in this report were published between 2019 and 2023 and were collected from the nine most popular forums for buying and selling goods and services related to malware and unwanted software.

Types of malicious services offered on the dark web

As on legitimate online marketplaces, the dark web has offers for customers with different needs and budgets. The screenshot below shows an offer list that gives an overview of the goods and services that may be needed to target Google Play users. The author of the list calls the prices too high; however, they do not contradict the prices we have seen in other dark web offers. The main products that attackers buy are developer Google Play accounts, either hacked or registered by cybercriminals using stolen identities, and the source code of various tools that help the buyer upload their creations to Google Play. Also on offer are services such as a VPS (virtual private server, $300), which attackers use to control infected phones or to redirect user traffic, and web injections. A web injection is malicious functionality that monitors the victim's activity and, if they open a web page of interest to the cybercriminals, replaces it with a malicious one. Such a feature is offered for $25–80 apiece.

Screenshot: A dark web service provider calls these prices too high and indicates that they sell the same services cheaper

Translation: "Here are the real product prices and how much money you need if you don't choose me"

Let's take a look at some specific programs and services that cybercriminals offer for sale.

Google Play loaders

In most of the offers we analyzed, attackers sell Google Play loaders: programs whose purpose is to inject malicious or unwanted code into a Google Play app. The app is then updated on Google Play, and the victim may download the malicious update onto their phone.
Depending on what exactly was injected into the app, the user may receive the final payload with the update itself, or a notification prompting them to enable installation of unknown apps and install the payload from an external source. In the latter case, the notification does not disappear until the user agrees to install the additional app. After installing it, the user is asked for permissions that give access to key data on the phone: Accessibility Services, camera, microphone, and so on. The victim may be unable to use the original legitimate app until they grant the permissions required for the malicious activity. Once all the requested permissions are granted, the user is finally able to use the app's legitimate features, but by then their device is infected.

To convince the buyer to purchase their loaders, cybercriminals sometimes offer a video demonstration, or send a demo version to the potential client. Among the loader features, their authors may highlight the user-friendly UI, a convenient control panel, a victim country filter, support for the latest Android versions, and more. Cybercriminals may also supplement the trojanized app with functionality for detecting a debugger or sandbox environment. If a suspicious environment is detected, the loader may stop its operations or notify the cybercriminal that it has likely been discovered by security investigators.

Screenshot: Google Play loaders are the most popular offer on the dark web among Google Play threats

Loader authors often specify the types of legitimate apps their loaders work with. Malware and unwanted software is frequently injected into cryptocurrency trackers, financial apps, QR-code scanners and even dating apps. Cybercriminals also highlight how many downloads the legitimate version of the target app has, that is, how many potential victims can be infected by updating the app with malicious or unwanted code.
Most frequently, sellers promise to inject code into an app with 5,000 downloads or more.

Screenshot: Cybercriminals sell a Google Play loader injecting code into a cryptocurrency tracker

Binding service

Another frequent offer on the dark web is binding services. In essence, these do the same thing as Google Play loaders: they hide a malicious or unwanted APK file inside a legitimate application. However, unlike a loader, which adapts the injected code to pass the security checks on Google Play, a binding service inserts malicious code into an app that is not necessarily suitable for the official Android marketplace. Malicious and unwanted apps created with a binding service are often distributed through phishing texts, dubious websites offering cracked games and software, and similar channels.

As binding services have a lower successful installation rate than loaders, the two differ greatly in price: a loader can cost about $5,000, while a binding service usually costs about $50–$100 per file.

Screenshot: Seller's description of a binding service

Translation:

We present for your consideration an APK binding service.

What is APK binding for? In a nutshell, binding allows attackers to install a bot to gain more trust from the victim, who is loyal to the legitimate app that the Android bot is bound to.

In creating this binding service, our main goal was to create a universal binder that would allow binding an Android bot to any legitimate application.

The main condition for enabling binding is the possibility to decompile a legitimate app and then compile it back using apktool.

Our binder's main ADVANTAGES:

- Runtime/scantime FUD. Runtime cleanness is achieved by encrypting the Android bot with our cryptor BEFORE binding.
It is also clear of alerts from Google Protect and the built-in antivirus on devices from different vendors.

- Most recent Android version support. The binder is compatible with Android 7 and higher.

- Dynamic bot launch. What is it for? After a successful installation, the victim may tap Done instead of Open, and such an installation is of no use. The binder dynamically launches the bot, no matter what the victim taps.

The binder's main operating principle is that when the legitimate application is launched, it prompts the user, on a timer and using social engineering, to allow installation from unknown sources so that the bot can be installed. If the user rejects this, they receive another request after some time. Upon successful installation, the binder dynamically launches the bot.

This service is provided manually via Jabber.

The advantages and features of binding services listed in sellers' ads are often similar to those of loaders. Binders usually lack Google Play-related features, though.

Malware obfuscation

The purpose of malware obfuscation is to bypass security systems by making malicious code harder to analyze. The buyer pays either for processing a single application or for a subscription, for example monthly. The service provider may even offer discounts for buying packages.
For example, one seller offers obfuscation of 50 files for $440, while the cost of processing a single file by the same provider is about $30.

Screenshot: Google Play threat obfuscation offer for $50 apiece

Translation:

Hi everyone,

We obfuscate your APK files so that Google Play Protect lets them pass (allowlist certificate).

[IMG link]

This is not our case.

We are now working in manual test mode; later the process will be fully automated.

We offer:

Output:

Price:

1 file – $50

Service plans will be available when the site and API are ready

Payment accepted in BTC only

Contacts:

Restrictions:

Installations

To increase the number of downloads of a malicious app, many attackers offer to purchase installations by driving app traffic through Google ads. Unlike other dark web offers, the underlying service is completely legitimate: it is used to attract as many downloads of the application as possible, whether the app is still legitimate or already poisoned. Installation costs depend on the targeted country. The average price is $0.5 per install, with offers ranging from $0.1 to $1. In the screenshot below, installs from users in the USA and Australia cost the most, $0.8.

Screenshot: Seller specifies the installation price for each country

Translation: "Increase installations of your Android app from Play Market through Google Ads (UAC)."

Other services

Dark web sellers also offer to publish the malicious or unwanted app for the buyer. In this case, the buyer does not interact directly with Google Play, but can remotely receive the fruits of the app's activity, for example all the victim data stolen by it.

Average prices and common rules of sale

Kaspersky experts analyzed the prices in dark web ads offering Google Play-related services and found that fraudsters accept different payment models. The services can be provided for a share of the final profit, rented, or sold for a one-time price.
Some sellers also hold auctions of their goods: because only a limited number of copies is sold, the goods are less likely to be discovered, so buyers may be willing to compete for them. For example, in one of the auctions we found, the bidding for a Google Play loader started at $1,500, the bid increment (step) was $200, and the "blitz" (instant purchase) price was $7,000.

Screenshot: Cybercriminals auction a Google Play loader

Translation:

Google Play Loader source, ver. №2

The loader uses minimum rights and doesn't require special rights that need permission to be granted. The traffic between the loader and the server is AES-128 encrypted with an encryption key generated once after registration and a dynamically used initialization vector (IV). Contacts the admin panel every 10 seconds. Searches for an APK to install every 60 seconds. If an APK is already installed, the loader starts it one time. The loader doesn't bother users, but subtly asks to install the app. Stable launch after reboot. Adapted for uploading to Google Play. Evasion methods for functionality restrictions on the device are implemented. Offline when the screen is off (loader doesn't need to stay online). Anti-emulator and Google geo-IP check. Blocked in CIS. Convenient admin panel.

The reason for selling I mentioned in the source sale topic.

Variant 2

The payload is a module (dex) file, AES-128 encrypted, injected into the legit app resources. It is loaded when the app is launched (loading into memory, decryption and dumping into the app's internal storage). Not for Google Play; blocks 80% of apps with Class Dex Loader.

Start: $1,500
Step: $200
Blitz: $7k

The bidding ends 12 hours after the last bid.

You are welcome to use an escrow service.

The offered blitz price is not the highest.
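The loader behaviour described in this report gives a defender a concrete checklist for an app update: a newly requested "install unknown apps" or Accessibility Services permission, a runtime class loader such as DexClassLoader, and an encrypted blob dropped among the app's resources (the "Variant 2" technique in the ad above). The following script is an added example, not code from this report or from any seller's product. It assumes both versions of the app have been decoded with apktool (the tool the binder ad itself names as a prerequisite) and that each decoded tree is supplied as a {path: bytes} mapping; the two sample trees at the bottom are constructed for the demo and are not real apps.

```python
"""Triage an app update for the loader indicators described in this report.

Added example, not code from the report or from any seller's product.
Assumption: both app versions were decoded with apktool and each decoded
tree is supplied as a {relative_path: bytes} mapping.  The two trees at the
bottom are constructed for this demo and are not real apps.
"""
import hashlib
import math
import re
from collections import Counter

# Permissions a Google Play loader needs once the update has landed.
RISKY_PERMISSIONS = {
    "android.permission.REQUEST_INSTALL_PACKAGES",    # "install unknown apps" prompt
    "android.permission.BIND_ACCESSIBILITY_SERVICE",  # Accessibility Services abuse
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
}

# Smali references that let an app run code it did not ship with.
DYNAMIC_LOADERS = (
    b"Ldalvik/system/DexClassLoader;",
    b"Ldalvik/system/InMemoryDexClassLoader;",
    b"Ldalvik/system/PathClassLoader;",
)

# AES-encrypted data sits close to 8 bits/byte; text, XML and most images are well below.
ENTROPY_THRESHOLD = 7.5
MIN_ASSET_SIZE = 256


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def manifest_permissions(tree: dict) -> set:
    """Permissions the decoded AndroidManifest.xml requests (<uses-permission>)
    or guards a component with (android:permission on e.g. a <service>)."""
    manifest = tree.get("AndroidManifest.xml", b"").decode("utf-8", "replace")
    requested = re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest)
    guarded = re.findall(r'android:permission="([^"]+)"', manifest)
    return set(requested) | set(guarded)


def dynamic_loader_refs(tree: dict) -> set:
    """Smali files that reference a runtime class loader."""
    return {
        path for path, content in tree.items()
        if path.endswith(".smali") and any(ref in content for ref in DYNAMIC_LOADERS)
    }


def opaque_assets(tree: dict) -> set:
    """Files under assets/ or res/raw/ whose bytes look encrypted."""
    return {
        path for path, content in tree.items()
        if path.startswith(("assets/", "res/raw/"))
        and len(content) >= MIN_ASSET_SIZE
        and shannon_entropy(content) >= ENTROPY_THRESHOLD
    }


def triage_update(old: dict, new: dict) -> list:
    """List what the update added, in a fixed order so results are comparable."""
    findings = []
    added_perms = (manifest_permissions(new) - manifest_permissions(old)) & RISKY_PERMISSIONS
    findings += [f"new risky permission: {p}" for p in sorted(added_perms)]
    findings += [f"new runtime class loader reference: {p}"
                 for p in sorted(dynamic_loader_refs(new) - dynamic_loader_refs(old))]
    findings += [f"new high-entropy asset (possible encrypted dex): {p}"
                 for p in sorted(opaque_assets(new) - opaque_assets(old))]
    return findings


# --- constructed sample input (not real apps) ---------------------------------
_BENIGN_MANIFEST = b"""<manifest package="com.example.cryptotracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

_UPDATED_MANIFEST = b"""<manifest package="com.example.cryptotracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Helper"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Stand-in for an encrypted dex module: 4 KiB of SHA-256 output (deterministic, high entropy).
_ENCRYPTED_BLOB = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

APP_V1 = {   # the benign first upload
    "AndroidManifest.xml": _BENIGN_MANIFEST,
    "smali/com/example/MainActivity.smali": b".class public Lcom/example/MainActivity;\n",
    "assets/config.json": b'{"currency": "USD", "refresh": 60}' * 20,
}
APP_V2 = {   # the "update" a loader would push
    "AndroidManifest.xml": _UPDATED_MANIFEST,
    "smali/com/example/MainActivity.smali": b".class public Lcom/example/MainActivity;\n",
    "smali/com/example/Stage.smali": b".class public Lcom/example/Stage;\n"
                                     b"new-instance v0, Ldalvik/system/DexClassLoader;\n",
    "assets/config.json": b'{"currency": "USD", "refresh": 60}' * 20,
    "assets/fonts.bin": _ENCRYPTED_BLOB,
}

if __name__ == "__main__":
    for finding in triage_update(APP_V1, APP_V2):
        print(finding)
```

Diffing against the previously published version, rather than scanning the new build alone, is the point: a benign first upload followed by a "poisoned" update is exactly the pattern the report describes, and the update is where the new permission, the class loader and the opaque asset appear together. The entropy check is a heuristic, so compressed or already-encrypted legitimate assets will also trip it and should be reviewed rather than blocked automatically.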
Prices for loaders we observed on dark web forums range between $2,000 and $20,000, depending on the malware's complexity, novelty and prevalence, as well as its additional functions. The average price for a loader is $6,975.

Screenshot: Example of an average offer for a Google Play loader

However, if cybercriminals want to buy the loader's source code, the price rockets, reaching the upper limit of the price range.

Screenshot: Seller offers Google Play loader source code for $20,000

As opposed to a loader, a Google Play developer account (either hacked or newly created by the cybercriminals) can be bought quite cheaply, for example for $200, and sometimes for as little as $60. The price depends on the account's features, such as the number of already published apps, their number of downloads, and so on.

Screenshot: User wants to buy a Google Play account with access to the developer's email

In addition to the many offers for sale, we also found numerous messages on the dark web from users wanting to buy a particular product or service for a certain price.

Screenshot: Cybercriminal looking for a new Google Play loader

Screenshot: User wants to buy a new loader because their developer "went on a binge"

Translation:

Need a loader

Enough experience, current coder went on a binge, and we're in search of an alternative

We know prices and the market, won't rob you, from $7k to your price

DM your offers

Deposit on our side or with an escrow service

How deals are made

Sellers on the dark web offer whole packages of different tools and services.
To keep their activities low-profile, a large share of attackers negotiate strictly through private messages on dark web forums or personal messages on social networks and in messengers, for example Telegram.

It may seem that service providers could easily deceive buyers and profit from the buyers' apps themselves. Often this is the case. However, it is also common for dark web sellers to maintain their reputation, promise guarantees, or accept payment only after the terms of the agreement have been fulfilled. To reduce risk when making deals, cybercriminals often resort to the services of disinterested intermediaries: escrow services or middlemen. An escrow may be a dedicated service supported by a shadow platform, or a third party with no stake in the outcome of the transaction. Note, however, that nothing on the dark web eliminates the risk of being scammed entirely.

Conclusion and recommendations

We continuously monitor the mobile threat landscape to keep our users safe and informed of the most important developments. Not long ago, we published a report about the threats smartphone users faced in 2022. Looking at the volume of supply and demand for such threats on the dark web, we can expect the number of threats to grow in the future, and the threats themselves to become more complex and advanced.

To stay protected from mobile threats:

For organizations, it is necessary to protect developer accounts with strong passwords and 2FA, as well as to monitor the dark web to detect and mitigate credential leaks as early as possible.