Recent research findings demonstrate a concerning trend in the sophistication and availability of Android malware sold on darknet forums.
As of early 2025, cybercriminals have continued developing increasingly advanced malicious tools targeting Android devices, combining multiple attack vectors into comprehensive malware packages that can evade detection while providing attackers unprecedented control over victims’ devices.
The Flourishing Underground Market for Android Malware
The underground market for Android malware has expanded dramatically in recent years, with sophisticated attack tools being readily available for purchase on darknet forums.

According to Kaspersky security researchers, malicious Android applications are being sold on the darknet for prices ranging from $2,000 to $20,000, depending on the complexity of the malware and the additional functions included.
These tools are typically disguised as cryptocurrency trackers, financial apps, QR-code scanners, or dating apps to lure unsuspecting users into downloading them.
To facilitate malware distribution, cybercriminals need Google Play developer accounts, which can be purchased for $60-$200 each on darknet forums.
The business models behind these malicious applications vary: threat actors offer either a share of the final profit from the malware, rental of the malware, or an outright purchase of either a developer account or the malware itself.
The underground market for Android malware has seen substantial growth, with listings for Android malware on darknet markets increasing by approximately 182% from 2021 to late 2022.
The most common Android malware types being traded are trojans/RATs (Remote Access Trojans), ransomware, and spyware, with Android “cracking packs” (software packages containing various hacking tools) showing a 251% increase during the same period.
Android Trojan Droppers: The Gateway to Infection
A key component in the Android malware ecosystem is the trojan dropper, which serves as the initial infection vector. Android/Trojan.Dropper is a malicious app that contains one or more additional malicious apps within its payload, which it installs onto the infected mobile device.
These droppers typically store malicious APKs within their Assets Directory, an optional directory that can be added to an Android package to store raw asset files.
Malicious loader apps are being traded on criminal underground forums as a way to trojanize legitimate Android applications and evade Google Play Store defenses.
These dropper applications often masquerade as seemingly innocuous apps, with malicious updates introduced after clearing the review process and amassing a significant user base.
In some cases, users may recognize apps on their mobile device that they don’t recall installing themselves.
However, most often, the dropped apps hide in the background, unknown to the user. On Android, an APK infected with Android/Trojan.Dropper is typically given the filename of a legitimate app but has a completely different package name, digital certificate, and code from the app it claims to be.
It is then distributed through third-party app stores.
Because a dropper needs only a small, benign-looking loader to pass review, it is difficult to keep such apps out of the Play Store.
Several Android malware droppers have been found transmitting banking trojans posing as app updates, with five malicious dropper apps discovered with more than 130,000 cumulative installations that distribute banking trojans like SharkBot and Vultur.
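The two dropper traits described above, a secondary APK or DEX tucked into the assets directory and a package that carries a legitimate app's filename but a different package name, give an analyst something concrete to check before an app is approved or installed. The following Python script is an added example, not code from the article or from any vendor it cites: it treats the APK as the ZIP archive it is, walks every entry under assets/ and res/raw/, and flags entries whose bytes begin with ZIP or DEX magic regardless of the extension they carry. The sample APK it scans is constructed in memory, so it runs offline.

```python
"""Scan an APK (a ZIP archive) for secondary APK/DEX payloads hidden under assets/.

Added example for triage, not from the article; the sample APK is constructed here.
"""
from __future__ import annotations

import io
import zipfile

# Magic bytes: ZIP local file header (APK/JAR) and Dalvik executable header.
ZIP_MAGIC = b"PK\x03\x04"
DEX_MAGIC = b"dex\n"

# Directories where droppers commonly stash a second-stage package.
PAYLOAD_DIRS = ("assets/", "res/raw/")


def find_embedded_payloads(apk_bytes: bytes) -> list[str]:
    """Return the names of asset entries whose content starts with ZIP or DEX
    magic. The extension is ignored on purpose: a payload named like a font
    or an image is exactly what this check is meant to catch."""
    hits: list[str] = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            if info.is_dir() or not name.startswith(PAYLOAD_DIRS):
                continue
            with apk.open(info) as fh:
                head = fh.read(4)
            if head in (ZIP_MAGIC, DEX_MAGIC):
                hits.append(name)
    return hits


def build_sample_apk() -> bytes:
    """Constructed sample: a minimal APK-shaped ZIP with one benign asset and
    two disguised payloads (a nested APK named like a font, a DEX named like
    a PNG). The manifest and classes.dex bytes are placeholders."""
    fake_dex = DEX_MAGIC + b"035\x00" + b"\x00" * 16

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", fake_dex)

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + b"\x00" * 12)
        z.writestr("classes.dex", fake_dex)
        z.writestr("assets/fonts/regular.ttf", inner.getvalue())  # nested APK
        z.writestr("assets/img/logo.png", fake_dex)               # bare DEX
        z.writestr("assets/config.json", b'{"theme": "dark"}')    # benign
    return outer.getvalue()


if __name__ == "__main__":
    for entry in find_embedded_payloads(build_sample_apk()):
        print("suspicious embedded payload:", entry)
```

Point the scanner at a real file with `find_embedded_payloads(open("app.apk", "rb").read())`. A hit is a triage signal, not a verdict: some legitimate apps ship bundled ZIPs or load DEX at runtime, so a flagged entry should be followed by checking the package name and signing certificate against the app it claims to be, as the text above describes.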
hVNC Technology: Enabling Covert Remote Control
One of the most concerning developments in Android malware is the integration of hidden Virtual Network Computing (hVNC) capabilities.
Traditional VNC software allows remote access to a machine with the user’s knowledge, but hVNC operates covertly on a hidden desktop within an infected device, allowing malicious actors to gain complete remote control over a device without the victim’s awareness.
To understand how hidden VNC works, consider the basic VNC connection model: a server (the victim’s computer) sends screen captures to a client (the attacker), reflecting the state of the controlled endpoint’s desktop.
The client provides keystrokes, mouse movements, and clicks, which the server executes. In a regular VNC connection, the victim can see everything the attacker is doing.
However, with hVNC, attackers open a hidden instance in the shape of a virtual desktop and control it invisibly behind the scenes, even as the unwitting victim continues using their computer.
Several malware families now incorporate hVNC modules, including LOBSHOT, which has been distributed through Google Ads.
According to Elastic Security Labs, more than 500 unique LOBSHOT samples have been observed since July 2022.
The main feature of this malware is its hVNC module, which creates a hidden desktop linked to the malware, allowing attackers to gain complete remote control over the infected device, enabling them to capture screenshots and use the keyboard and mouse.
In the mobile space, Android-based malware like Vultur has been found to use screen recording features to steal sensitive information, including banking credentials, and enable on-device fraud.
Distributed via the official Google Play Store masquerading as legitimate apps, this malware uses VNC’s remote screen-sharing technology to gain full visibility on targeted users.
Recent Developments in Android Malware
As of early 2025, there have been several notable developments in the Android malware landscape.
The Russian-speaking cybercrime gang Crazy Evil has been linked to over 10 social media scams, tricking users into installing malware like StealC and AMOS.
Additionally, several ransomware and cybercrime groups are leveraging advanced malware toolkits like Ragnar Loader to maintain long-term access to compromised systems.
In February 2025, a new ransomware strain called NailaoLocker emerged, targeting healthcare organizations and exploiting vulnerabilities in their systems.
This is part of a disturbing trend of increasingly sophisticated ransomware attacks targeting various sectors.
The threat landscape has also evolved to include more modular and harder-to-detect malware, with cybercriminals continuously upgrading their arsenal to hide their activities.
The traditional avenues for Android malware distribution have expanded beyond app stores to include social media platforms, instant messaging apps, and specially crafted phishing websites.
Protecting Against Advanced Android Malware
To protect against these sophisticated threats, users should:
- Avoid downloading apps from unofficial sources or third-party app stores
- Be cautious of apps requesting excessive permissions, particularly SMS access, accessibility services, or device administrator rights
- Regularly update their devices’ operating systems and applications to patch known vulnerabilities
- Use reputable mobile antivirus and security solutions that can detect and remove malware
- Be skeptical of advertisements for popular applications, as they may lead to fake websites distributing malware
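The second item in the list above, excessive permissions, is the one a defender can check mechanically on an enrolled or suspect device. The script below is an added example, not part of the article: it parses text in the shape of `adb shell dumpsys package <pkg>` output, collects the app's requested permissions, flags the SMS and installer permissions, and reports whether the package declares an accessibility service or a device-admin receiver (those two are declared components rather than requested permissions, so they are detected by their binding actions). The dump it parses is a constructed sample with a made-up package name.

```python
"""Triage an installed app's permissions for the high-risk grants the article
names: SMS access, accessibility services and device administrator rights.

Added example, not from the article. Input is text in the shape of
`adb shell dumpsys package <pkg>`; the sample below is constructed.
"""
from __future__ import annotations

# Permissions an ordinary utility app rarely needs. SMS grants enable OTP
# theft; the install and overlay grants are common dropper prerequisites.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "intercept incoming SMS (OTP theft)",
    "android.permission.READ_SMS": "read SMS inbox",
    "android.permission.SEND_SMS": "send SMS (premium-rate or propagation)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install further APKs (dropper)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
}

# Accessibility services and device-admin receivers are bound through these
# actions; the package declares them rather than requesting a permission.
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
DEVICE_ADMIN_ACTION = "android.app.action.DEVICE_ADMIN_ENABLED"

# Constructed sample in the layout of a dumpsys package dump.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.qrscan] (a1b2c3):
    versionName=1.0
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.REQUEST_INSTALL_PACKAGES
    install permissions:
      android.permission.INTERNET: granted=true
Service Resolver Table:
  Non-Data Actions:
      android.accessibilityservice.AccessibilityService:
        d4e5f6 com.example.qrscan/.HelperService filter 123abc
"""


def requested_permissions(dump: str) -> list[str]:
    """Collect the lines of the 'requested permissions:' block. The block
    ends at the next heading, which in this layout ends with a colon."""
    perms: list[str] = []
    inside = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            inside = True
            continue
        if inside:
            if stripped.endswith(":"):
                inside = False
                continue
            if stripped:
                perms.append(stripped)
    return perms


def triage(dump: str) -> dict[str, list[str]]:
    """Return risky permissions (with a reason) and risky declared components."""
    findings: dict[str, list[str]] = {"permissions": [], "components": []}
    for perm in requested_permissions(dump):
        if perm in RISKY_PERMISSIONS:
            findings["permissions"].append(f"{perm} ({RISKY_PERMISSIONS[perm]})")
    if ACCESSIBILITY_ACTION in dump:
        findings["components"].append("declares an accessibility service")
    if DEVICE_ADMIN_ACTION in dump:
        findings["components"].append("declares a device-admin receiver")
    return findings


if __name__ == "__main__":
    for category, items in triage(SAMPLE_DUMP).items():
        for item in items:
            print(f"[{category}] {item}")
```

On a real device, feed the script the output of `adb shell dumpsys package <pkg>` for each third-party package listed by `adb shell pm list packages -3`. A QR-code scanner that requests SMS access and the right to install packages, and also registers an accessibility service, matches the dropper profile the article describes and deserves a closer look before it stays on a managed device.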
For organizations, implementing comprehensive mobile threat defense solutions is crucial, as is educating employees about the risks of mobile malware and safe mobile practices.
The evolving landscape of Android malware represents a significant and growing threat to both individual users and organizations.
With malicious applications being readily available on darknet forums, increasingly sophisticated dropper mechanisms, and advanced capabilities like hVNC for covert remote control, attackers have more tools than ever to compromise Android devices and steal sensitive information.
As we move through 2025, users and security professionals need to remain vigilant and adopt proactive security measures to protect against these evolving threats.
The integration of multiple attack vectors into comprehensive malware packages highlights the need for layered security approaches that can detect and mitigate sophisticated mobile threats before they can cause harm.