2023-04-13

Particular types of programs called "loaders", built by criminals who are able to inject Trojans into Android applications, are traded on underground online markets (in short: on the deep web, not to mention the dark web) for up to 20,000 dollars, because they allow malware to evade Google Play Store security checks.

Where do these loaders come from and how do they work?

"The most popular application categories for hiding malware [i.e. these loaders] and unwanted software include cryptocurrency trackers, financial apps, QR code scanners, and even dating apps", Kaspersky said in a new report based on messages posted on online forums between 2019 and 2023.

Dropper applications are the primary means by which these bad actors try to introduce malware via the Google Play Store. Such applications often masquerade as seemingly harmless apps, with the malicious update introduced only after the app has passed the review process and amassed a significant number of users.

This is achieved by using a loader, which is responsible for inserting malware into a clean app that is then made available for download from the application market. Users who install the modified app are prompted to grant intrusive permissions, which facilitate the malicious activity.

In some cases loader applications (and others) also incorporate anti-scan capabilities: they detect whether they are being scanned or run in a sandboxed environment and, if so, stop operating so as not to reveal themselves.

As another option, bad actors can purchase a Google Play developer account, either hacked or newly created, from vendors for between $60 and $200, depending on the number of apps already published and the downloads they have accumulated.

App developer accounts without strong passwords or two-factor authentication (2FA) can easily be compromised and put up for sale, allowing other bad guys to load (via a loader, as the word itself suggests) malware into existing applications.

A third alternative is to use APK binding services, which hide a malicious APK file inside a legitimate app, to distribute the malware through phishing scams and dubious websites advertising cracked games and software.

Binding services, unlike loaders, cost less because the infected apps are not available through the Google Play Store; it is nonetheless important to note that this technique has been used in the past to distribute Android banking Trojans such as SOVA and Xenomorph.

Other illicit services offered for sale on cybercrime marketplaces include malware obfuscation ($30), web injects ($25-$80), and virtual private servers, or VPS ($300); the latter can be used to scan infected devices or to redirect user traffic.

Additionally, attackers (hackers, loosely speaking) can purchase installs for their Android apps (legitimate or otherwise) through Google Ads for an average cost of $0.50 per install. Installation costs vary according to the target country.

To mitigate the risks caused by Android malware, users are advised to avoid installing apps from unknown sources, carefully review app permissions, and keep their devices up-to-date.

How NOT to run into these malicious loaders

Bottom line: it is important that you are aware of the risks associated with installing apps from unknown sources, and that you carefully review the permissions apps ask for. It is also always a good idea to keep your Android device up-to-date to protect yourself from known vulnerabilities.
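The two habits recommended above (avoiding unknown sources and reviewing the permissions apps ask for) can be checked from a workstation rather than by scrolling through the Settings app. The following Python script is an added example and is not part of the original article or of Kaspersky's report: it parses text in the shape of `adb shell dumpsys package` output (the sample embedded below is constructed, and its field layout is an approximation of the real dumpsys format), records which package installed each app, and flags apps that did not come from the Play Store or that request the kind of intrusive permissions a loader-dropped payload relies on. The permission weights, the score threshold and the installer allow-list are assumptions chosen for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical risk weights (chosen for this example) for permissions that a
# loader-injected payload commonly relies on: installing further APKs,
# drawing over other apps, reading SMS codes, abusing accessibility.
HIGH_RISK = {
    "android.permission.REQUEST_INSTALL_PACKAGES": 5,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 5,
    "android.permission.BIND_DEVICE_ADMIN": 4,
    "android.permission.SYSTEM_ALERT_WINDOW": 4,
    "android.permission.READ_SMS": 4,
    "android.permission.RECEIVE_SMS": 4,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.RECORD_AUDIO": 2,
}

# Installers treated as "known sources"; com.android.vending is the Play Store.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"Package \[([\w.]+)\]")
PERM_RE = re.compile(r"([\w.]+\.permission\.\w+)(?::\s*granted=(true|false))?")


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None
    requested: Set[str] = field(default_factory=set)
    granted: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> Dict[str, PackageInfo]:
    """Extract installer and permission state per package from dumpsys-style text."""
    pkgs: Dict[str, PackageInfo] = {}
    current: Optional[PackageInfo] = None
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PKG_RE.match(line)
        if m:  # start of a new package record
            current = PackageInfo(name=m.group(1))
            pkgs[current.name] = current
            section = None
            continue
        if current is None:
            continue
        if line.startswith("installerPackageName="):
            value = line.split("=", 1)[1]
            current.installer = None if value == "null" else value
            continue
        if line == "requested permissions:":
            section = "requested"
            continue
        if line in ("install permissions:", "runtime permissions:"):
            section = "granted"
            continue
        perm = PERM_RE.match(line)
        if perm and section:
            if section == "requested":
                current.requested.add(perm.group(1))
            elif perm.group(2) == "true":
                current.granted.add(perm.group(1))
            continue
        section = None  # any other line ends the current permission list
    return pkgs


def assess(pkg: PackageInfo) -> Tuple[int, List[str]]:
    """Weight per requested high-risk permission, doubled when already granted."""
    score = 0
    findings: List[str] = []
    if pkg.installer not in TRUSTED_INSTALLERS:
        findings.append(f"installer={pkg.installer or 'unknown source'}")
    for perm in sorted(pkg.requested | pkg.granted):
        weight = HIGH_RISK.get(perm)
        if weight is None:
            continue
        granted = perm in pkg.granted
        score += weight * (2 if granted else 1)
        findings.append(f"{perm} ({'granted' if granted else 'requested'})")
    return score, findings


def audit(text: str, threshold: int = 8) -> List[Tuple[str, int, List[str]]]:
    """Return (package, score, findings) for packages scoring at or above threshold."""
    report = [(p.name, *assess(p)) for p in parse_dumpsys(text).values()]
    return sorted((r for r in report if r[1] >= threshold), key=lambda r: -r[1])


# Constructed sample: a sideloaded "QR scanner" with dropper-style permissions
# next to a Play Store notes app with only INTERNET.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.qrscanner] (1a2b3c):
    userId=10234
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.READ_SMS
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.REQUEST_INSTALL_PACKAGES: granted=false
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: ceDataInode=4321 installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
  Package [com.example.notes] (9f8e7d):
    userId=10235
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for name, score, findings in audit(SAMPLE_DUMPSYS):
        print(f"{name}: score={score}")
        for item in findings:
            print(f"  - {item}")
```

On a real device you would feed the script the text of `adb shell dumpsys package` instead of the constructed sample; the score is only a triage aid, and a QR scanner or crypto tracker that asks to install packages, draw over other apps or read SMS is worth a closer look regardless of where the threshold is set.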

Remember that cybercriminals are constantly looking for new ways to spread malware on Android devices, so your care and caution can make all the difference in keeping your device safe.