Kaspersky Lab experts analyzed advertisements for the sale of malicious applications on several dark web forums (Russian and international). Prices for the malware itself and developer accounts (required to upload apps to the store) can reach up to $20,000. Cybercriminals actively buy and sell malicious applications for Google Play, as well as updates for them, and advertise their products on the darknet, hacker forums, and Telegram.
Malware developers promise to hide malicious code in seemingly harmless apps that mimic antiviruses, cryptocurrency asset management apps, QR code scanners, small games, and dating apps. Advertisers report how many times such apps have been downloaded to show the potential number of victims. Most often, messages mention 5,000 downloads or more.
To upload malware to the official app store, hackers buy a developer account on Google Play and a malicious code uploader. Such accounts are offered at prices ranging from $60 to $200, while the cost of malicious downloaders varies from $2 to $20,000 depending on the complexity, novelty, and uniqueness of the code, as well as additional functionality.
The exact cost of services is negotiated in each case on forums or in Telegram, which allows criminals to customize applications, equipping them with their own malicious functions. On average, downloaders sell for about $7,000, and cybercriminals offer additional services such as malware obfuscation ($8 to $30).
Ad authors offer three cooperation models: a share of the final profit, a subscription, or outright purchase of an account or malware. Some sellers even run auctions, since the number of items they sell is limited. In one of these offers reviewed by the experts, the price started at $1,500 and rose in increments of $200. For example, the blitz purchase price on one of the sites was $7,000.
Additionally, some sellers on the dark web offer to publish the application for the buyer, so that they don’t have to interact directly with Google Play, but still receive information about the victims. To reduce risks when concluding a deal, attackers often resort to escrow services.