Kaspersky experts, who analyzed the harmful application offers on Google Play sold on the Darknet, discovered that malicious mobile applications and store developer accounts found buyers for prices up to 20,000 US dollars. Researchers using Kaspersky Digital Footprint Intelligence collected samples from nine different Darknet forums where product and service transactions for malicious software were made. The report sheds light on how threats sold on the Darknet appear on Google Play, as well as the current offers, price ranges, and details of communication and agreements between cybercriminals.

Although official application stores are closely monitored, moderators may not always detect malicious applications before they are uploaded to the platform. Every year, many malicious applications manage to infiltrate Google Play, but are only discovered and removed after victims become infected. Cybercriminals come together on the Darknet, a complete digital underground world with its own unique rules, prices, and reputation hierarchy, to buy and sell malicious applications on Google Play. Furthermore, they offer additional functions to promote and even advertise their prepared applications.

Just like legal forums used to sell products, there are various Darknet offers available for customers with different needs and budgets on the Darknet platform. Cybercriminals need a Google Play account and malicious download code (Google Play Loader) to publish a malicious application on Google Play. Developer accounts are relatively cheap on the platform. A developer account can be purchased for as low as $60, and sometimes for $200. The prices of malicious loaders range from $2,000 to $20,000, depending on the complexity of the software, how modern and functional the code is, how widespread it currently is, and what additional features it has.

In most cases, distributed malicious software is hidden under cryptocurrency trackers, financial applications, QR code readers, and even dating applications. Cybercriminals also show how many times the legal version of the application has been downloaded. This reveals how many potential victims could be infected with the virus by updating and adding malicious code to the application. Recommendations mostly consist of applications with 5,000 or more downloads.

A cybercriminal is selling a Google Play threat disguised as a cryptocurrency tracker.

Cyber criminals can make it difficult for cybersecurity solutions to detect their malicious code by hiding the application code for an additional fee. To increase the number of downloads of the malicious application, many attackers also offer to purchase installations. They redirect traffic to the application through Google ads, attracting more users to download the application. The cost of installations varies by country, with an average price of $0.50 USD and bids ranging from $0.10 to several dollars.

In this method, scammers offer three different business models: a share of the final profit, leasing, or buying the entire account or threat. Some sellers even organize auctions to sell their goods, as many sellers limit the number of lots sold. In one offer examined by Kaspersky, the starting price was $1,500 USD, the auction progressed in $700 USD steps, and the buy-it-now price was set at $7,000 USD.

Darknet vendors can also offer to publish the malicious application for the buyer. This way, the buyer can obtain all the victim’s data remotely without directly interacting with Google Play. Although the developer could easily deceive the buyer at first, behaviors such as maintaining and protecting their reputation among Darknet users, guaranteeing their work, and accepting payment after the terms of the agreement are fulfilled are common. To reduce risks when making deals, cybercriminals generally use intermediary services, known as “escrow.” Escrow can be provided by a private service as a shadow platform or positioned as a third party that does not deal with the results of the transaction.

Kaspersky Security Expert Alisa Kulishenko says: “Malicious mobile applications continue to be one of the most significant cyber threats targeting users. In 2022, more than 1.6 million mobile attacks were detected through this method. Fortunately, the quality of cybersecurity solutions that protect users from these attacks is also improving over time. We have seen messages on the Darknet complaining that cybercriminals are finding it increasingly difficult to load harmful applications onto official stores. However, this also means that methods can become more sophisticated. Therefore, users should be vigilant and carefully check which applications they download.”

You can find more examples of threats sold on Google Play through the entire report on Securelist about the darknet.

Kaspersky recommends the following to stay safe from mobile threats:

Check the permissions requested by the applications you use, and think twice before granting permission to the application, especially when high-risk permissions such as Accessibility Services are involved. For example, the only permission a flashlight application needs is to turn on the flashlight. It shouldn’t even need access to the camera. A reliable security solution can help you detect malicious applications and adware on your device before they start engaging in malicious activities. iPhone users have access to some privacy controls provided by Apple. If users believe that the requested permissions are unnecessary, they can remove and block access to the applications’ photos, contacts, and GPS connections. Update your operating system and important applications as updates are released. Many security issues can be resolved by installing updated versions of software.

Source: (BYZHA) Beyaz Haber Ajansı