As mobile devices increasingly become our primary gateway for communication and commerce, threat actors seek to capitalize on the sensitive data they store. To this end, we discovered in 2022 (until 12/12/2022), there has been a massive increase in the Android dark web malware ecosystem on the underground (figure 1).
Figure 1: Mentions of Android malware on Telegram and underground markets and forums.
This includes the sale of Android malware on underground markets, in which listings rose approximately 182% from 2021 (figure 2). The most common Android malware families were trojans/RATs, ransomware, and spyware. Furthermore, the number of Android cracking packs (software packages that include various hacking tools) rose by 251%.
Figure 2: Underground market listings selling Android malware.
Figure 3: An Android cracking pack offered for sale. It includes over 200 Android and Linux tools that enable reconnaissance and hacking.
In this piece, we will take a closer look at malicious APKs (Android software), shared on the underground.
Android malware can be classified into different categories, such as adware, backdoor, file infector, potentially unwanted application (PUA), ransomware, riskware, spyware, and remote access trojans (RATs). RATs were the most popular Android malware type in 2022. This software gives an attacker full administrative privileges and remote control of a target device. Android RATs can give the attacker access to all data on the user’s device, including personal files, saved passwords and credentials, and financial information, etc. (figures 7-9).
Figure 4: Mobihok RAT offered for sale on an underground market.
Figure 5: Reaper RAT offered for sale on the illicit underground market.
Threat actors can also use many infected devices together as a botnet, with which they can carry out a DDoS attack (figure 10).
Figure 6: Android botnet called ‘Teardroid’ offered for sale.
Spyware is also available for purchase on the underground. This malicious software can monitor keystrokes and location and intercept any data transmitted to or from a device (figure 11)
Figure 7: Android Spyware offered for sale.
Finally, actors share and sell crypters, which are used to encrypt and obfucate malware payloads. Crypters assist threat actors in avoiding antivirus detection, so a good one can be expensive. For example, we discovered on crypter for sale for $10,000.
Figure 8: An APK crypter for sale for $10,000.
Bespoke malware and hacking services
While wholesale malware is relatively inexpensive, there is a significant risk that antivirus software will immediately recognize it and block it. Therefore, actors willing to spend more money can choose to pay a developer to create bespoke malware, tailored exactly to their needs.
Figure 9: Private Android malware development services.
Similarly, those that lack the skills to carry out an attack on their own can choose to buy one of many Android hacking services on the underground, paying a more sophisticated actor in exchange for gaining access to a target’s mobile device.
Figure 10: Hacking services that include zero-day Android exploit.
As mobile devices frequently contain personal and corporate accounts, mobile devices are a potential gateway for malware infiltration into an organization. Thus, individuals must be vigilant to install only trusted apps with many downloads and positive recommendations from the Google Play store. They must also be wary of clicking links from unknown senders in emails or SMS messages.
Employers, meanwhile, must design a BYOD policy and associated security measures in accordance with the overall organizational security program. Furthermore, they should monitor malware on underground channels in order to understand the emerging threats against their employees’ devices.