How much to infect Android phones via Google Play store? How about $20k

If you want to sneak malware onto people's Android devices via the official Google Play store, it may cost you about $20,000 to do so, Kaspersky suggests. This comes after the Russian infosec outfit studied nine dark-web markets between 2019 and 2023, and found a slew of code and services for sale to infect and hijack the …

  1. Ken Hagan Gold badge

    "It's also a good idea to monitor dark-web forums for credential dumps, in case yours are listed."

    How does a normal user do that without opening themselves up to even more risk? Got a list of "dark web forums" that we can safely browse and that the miscreants will happily carry on using once they realise that a particular forum is listed?

    1. Anonymous Coward

      Of course I do, and I'll happily sell you a copy of the list for 10 Bitcoin...

    2. RichardBarrell

      Check haveibeenpwned.

    3. doublelayer Silver badge

      There are some companies that send researchers to find dumps without tipping the criminals off who will tell you if you have been found in them. Some of them consider this a free service if you could theoretically be a customer of their main business (primarily financial products). Some charge for the privilege. If you're interested in these, shop very carefully to make sure you understand what they will do and that you're not finding a scam either taking your information or just charging for an elusive promise they won't keep.

      Alternatively, you can enter addresses into, which isn't as up to date and doesn't have all breach databases stored but can give you some idea. None of these approaches is foolproof, but if it says yes, it can be useful to give you information about what happened.

  2. rafff

    "always check app permissions" ...

    ... and remove from even the pre-installed stuff anything you think is excessive, particularly phone, SMS, location, microphone and camera permissions.

  3. Dinanziame Silver badge

    How much for iPhones

    Don't tell me it's not possible

    1. doublelayer Silver badge

      Re: How much for iPhones

      Depending on what you want to do to the users, it is almost certainly possible, but it's not a one-to-one comparison with the thing discussed in this article.

      This article is mostly discussing embedding malware into an app which will install itself as another app. In that particular case, it actually isn't possible on unjailbroken iOS because Apple really hates the idea of anything installing an app which isn't them. Even on Android, the user is going to have to be tricked into undoing a security feature in order to allow this, and possibly two if they don't have the general "install apps from untrusted sources" switch turned off yet.

      However, you can always put a malicious app directly into the iOS app store. You need to be careful that Apple's automated analysis doesn't flag it, so probably put up a benign one first and introduce the malicious behavior later. That most certainly can be done. You can also put in an app which will retrieve and execute scripts from an external location, then manipulate those to produce malicious behavior. I'm sure you can buy something like that, but it's probably more restricted because it's going to require custom work to port malware to such a system whereas your Android malware can be a normal app.

  4. Catkin

    Malware gender pay gap?

    With women much better represented in the cybercrime sector than the cybersecurity sector, do these low prices mean they face a lower average income because of their choice of career? Also, within the cybercrime sector itself, do price negotiations also create discrimination (as men tend to have an unfair advantage) and what can be done to combat this? Someone should probably report these organisations to the government if they're not publishing income figures.

  5. AG2

    Kaspersky as a reliable source of information?

    If you still trust Kaspersky as a reliable source of information you are very naive or plain st...d. Or both. Following security advice from the company closely affiliated with the Russian establishment is plain dumb.
