Attackers can buy evil Play apps for as little as $3000

The cost of malware services.

Thrifty bad actors could pay as little as US$2000 ($3000) to get a malicious app into the Google Play store, according to Kaspersky researchers, but prices also range as high as US$20,000.

In research published at Securelist, the researchers analysed offers of Google Play threats for sale between 2019 and 2023, and found that the most popular app categories to hide malware were cryptocurrency trackers, financial apps, QR code scanners and dating apps.

The researchers price-benchmarked a variety of criminal services on offer: as well as pushing malware onto users’ Android devices, they looked at the cost of malware obfuscation, and advertising.

Between the two extremes, Kaspersky wrote, the average price for a compromised Google Play loader – which injects malicious code into a target app that then replaces the original on Play – is US$6975.

“However, if cyber criminals want to buy the loader source code, the price immediately rockets, reaching the upper limit of the price range,” the researchers added.

The researchers said that the criminals “most frequently … promise to inject code into an app with 5000 downloads or more.”

Binding services, another popular delivery mechanism, insert malicious code in an app, but rather than distributing it through Play, attackers push the app at victims via phishing text or “dubious websites with cracked games and software”.

These services, Kaspersky said, “usually cost about US$50 to US$100, or US$65 per file” for a successful installation.

Malware obfuscation helps malicious apps get past Google Play’s checks, and Kaspersky found it is offered per application, “or for a subscription, for example, once per month.”

The advantage of subscriptions is the same as in the legal world, the researchers wrote: “One of the sellers offers obfuscation of 50 files for US$440, while the cost of processing only one file by the same provider is about US$30.”

Advertising to get users to pick up the compromised apps varies greatly: “The average price is US$0.50, with offers ranging from US$0.10 to US$1.”

Copyright © iTnews.com.au . All rights reserved.