Google Play loaders — used to add malicious code to apps on the Play Store — are among the most popular services offered on illegal dark web markets. Cybercriminals charge between $2,000 to $20,000 for them, Kaspersky revealed in a recent report.
The report, published on April 10, offers rare insight into Google Play Store threats from the dark web. Using Kaspersky’s Digital Footprint Intelligence, researchers combed through nine of the most popular dark web criminal forums to “collect samples of offers of Google Play threats for sale” between 2019 and 2023.
“It’s a whole underground world with its own rules, market prices, and reputational institutions,” the report said.
Google Play Loaders and Other Threats
Google’s Play Store is the largest app store, with over 3.5 million apps. While it’s “policed vigorously” and threats removed once spotted, the store’s sheer size means some malicious apps can slip through undetected.
Criminals employ various techniques to hide their tracks and snare unsuspecting victims. One way they do this is by getting legitimate apps into the Google Play Store and then using Google Play loaders to “trojanize” them. These loaders can deliver malicious code as updates to apps on the Play Store.
“To convince the buyer to purchase their loaders, cybercriminals sometimes offer to provide a video demonstration, as well as to send a demo version to the potential client,” Kaspersky explained.
Below, we highlight other products or services found on criminal dark web forums:
| Service/Product | Price | Features |
|---|---|---|
| Google Play Developer Account | $60 to $200, either hacked or newly created | Price varies with features, such as the number of downloads and published apps linked to the account |
| Installation Figure Booster | $0.1 to $1 per installation | Increases the number of downloads of a malicious app in the app store |
| Malware Obfuscation | $30 to $440, depending on the seller | Bypasses security systems by obfuscating malicious code |
| VPS (Virtual Private Server) | $300 | Used to control infected phones or redirect user traffic |
| Web-based Injectors | $25 to $80 | Replaces a legitimate web page with a malicious one |
| Binding Service | $50 to $100 per file | Hides malicious code in Google Play apps |
Alisa Kulishenko, a security expert at Kaspersky, told VPNOverview that cybercriminals often steal reputable Google Play developer accounts and app-signing keys, offering them for sale on the dark web.
Criminals can also “reverse-engineer the source code of well-known apps and alter it, adding malicious functionality, then repackaging them as seemingly legitimate apps,” Kulishenko said. QR scanners, cryptocurrency trackers, and dating apps are some of the most common types of malicious apps repackaged as legitimate apps.
The Hidden World of Dark Web Deals
Dark web sellers also offer to publish malicious apps on behalf of their clients. This means the client “does not interact directly with Google Play, but can remotely receive the fruits of the app’s activity,” such as stolen data, Kaspersky revealed.
Criminals even have payment plans for their clients. Apart from accepting a fee to rent or sell their product/service, Kaspersky said criminals may also settle for a percentage of the profit.
Some sellers even have auctions. Kaspersky researchers observed an auction where a loader sold for $7000. The price is higher when a buyer wants the source code, Kaspersky explained.
Cybercriminals prefer to negotiate deals strictly through private messages on dark web forums or anonymous messengers like Telegram.
Sellers on the dark web like to “maintain their reputation, promise guarantees, or accept payment after the terms of the agreement have been fulfilled.” Sellers may even use intermediaries or escrow services to reduce risk, Kaspersky added.
Protecting Your Devices From Play Store Threats
Kaspersky predicts that these threats will only grow in volume and complexity. The Russian cybersecurity company recommends that individuals and organizations do the following to defend their systems:
- Disable the installation of unknown apps.
- Immediately remove any app that forces you to enable installations of unknown apps.
- Consider app permissions. For instance, a flashlight app should only get access to your flashlight, not your files or camera.
- Use an antivirus solution on your mobile devices. Check out our Android malware removal guide for more security tips.
- Ensure your operating system is set to receive updates automatically. You’ll find this setting under Updates or System Updates.
- Protect your accounts with two-factor authentication and use a dark web monitoring tool.
“What users should think the most about is to carefully choose what apps do they download. For instance, they should pay special attention how many downloads this app has and what permissions this app asks, especially when it comes to high-risk permissions such as Accessibility Services,” Kulishenko said.
The dark web isn’t just a criminal haven. It also hosts rare and interesting information. Check out our list of dark web sites worth visiting for some suggestions.
