
Renting Android Malware Is Getting Easier and Cheaper

By Daniel Kelley, Threat Researcher

Jul 24, 2025

Android Malware as a Service

With new malware-as-a-service (MaaS) platforms like PhantomOS and Nebula, cybercriminals can now attack Android devices more easily than ever. No code has to be written: attackers can buy ready-to-use malware kits for as little as $300 a month. Some of these kits come with features like 2FA interception, antivirus bypass, silent app installs, GPS tracking, and even phishing overlays tailored to a specific brand. The platforms bundle everything an attacker needs, including support through Telegram, backend infrastructure, and built-in ways to get around Google Play Protect. This shift resembles what happened when ransomware-as-a-service (RaaS) first appeared. These threats are no longer reserved for skilled cybercriminals; anyone with a Telegram account and a few hundred dollars can get them now.

Malware Campaigns, No Skills Required

In the past, running an Android banking trojan or spyware campaign required expertise – one had to set up command-and-control servers, manage cryptographic signing of malicious apps, test against antivirus, and so on. Now, much of that heavy lifting is handled by the MaaS operators. Criminal customers simply pay a fee and receive a ready-to-deploy malicious APK, often customized to their needs.

Consider PhantomOS, a recent MaaS offering geared toward fraudsters. PhantomOS is marketed as “the world’s most powerful Android APK malware-as-a-service.” Its feature set reads like a penetration tester’s wish list: remote silent installation of apps onto the victim’s device, interception of SMS messages and one-time passcodes (OTPs) used for 2FA, the ability to remotely hide the malicious app so the victim cannot remove it, and even an overlay system that loads phishing pages inside the app’s interface.

PhantomOS Malware Example

The operator of PhantomOS handles all the backend infrastructure – they set up a private server and a Telegram control bot for each client. This means even an attacker with zero coding skills can interact with their infected devices through a simple Telegram chat, issuing commands like an IT admin. According to the PhantomOS advertisement, clients can specify which institution or service they want to target (e.g. “Coinbase” or “HSBC”), and the sellers will customize the malware with the appropriate branding and phishing pages. These turnkey malware services demonstrate how MaaS lowers the barrier to entry – a determined cybercriminal can rent top-tier Android malware for a few hundred or a few thousand dollars and immediately launch campaigns that previously required a lot of experience.

Another advertisement on a cybercrime network showcases Nebula Android malware, which markets itself to a broader range of cybercriminals at a more affordable price point. Nebula’s marketing emphasizes “complete stealth” (the app runs in the background without alerting the user) and automated data theft: all SMS texts, call logs, contacts, and even GPS location from the infected phone are quietly forwarded to the attacker via Telegram. The service is sold via monthly subscription (around $300/month) and even offers discounts for multi-month packages, mirroring legitimate SaaS pricing.

Nebula Malware Example

The advertisement brags that no technical skill is needed – logs will simply appear in your Telegram, and updates to ensure compatibility with the latest Android OS versions are included. These cases demonstrate that virtually any financially motivated cybercriminal, even with minimal technical know-how, can now rent an Android malware package that provides professional-grade capabilities: device surveillance, keystroke logging, banking credential theft, ransomware locking, and more.

Built-in Evasion Keeps Malware Hidden

Of course, buying or renting malware is only half the battle. To be effective, it must avoid detection by security software on the device. Android MaaS operators know that customers demand FUD (fully undetectable) malware. To achieve this, many services include “crypting” tools or partner with separate crypter-as-a-service providers. A crypter is essentially a tool that encrypts or obfuscates the malware APK in such a way that antivirus scanners (and Google Play Protect) cannot recognize the malicious code. In the underground ecosystem, reliable crypting services are a hot commodity. Malware developers often bundle their own crypters or give recommendations to ensure customers can easily FUD their payloads. Some MaaS sellers periodically rotate or update the cryptographic packers on their malware so each new build has a fresh signature. Others integrate with third-party crypting services that specialize in this type of malware.

FUD APK Crypter 1

Some Android MaaS advertisements explicitly boast about their ability to bypass protections. For example, sellers may claim their trojan can disable Google Play Protect or avoid Android’s built-in malware scanning. In one forum post, an Android botnet provider listed “Play Protect bypass” as a feature, indicating that the malware can programmatically tamper with or ignore Google’s on-device protections.

FUD APK Crypter 2

Fully undetectable builds are often tested against dozens of antivirus products before release. This cat-and-mouse game of detection evasion is ongoing – as antivirus vendors learn to flag one variant, the malware authors quickly tweak their crypter or loader to restore invisibility. The result is an underground market where staying FUD is a key selling point, and subscribers expect their malware to keep slipping past defenses as long as they keep paying the subscription fee.

How Attackers Are Spreading Malware at Scale

Having a piece of malware is only useful if you can deliver it to victims. Recognizing this, the Android MaaS ecosystem doesn’t stop at the malware itself – it also offers exploit kits to spread infections at scale. One common avenue is through social engineering. Many Android banking trojans come with a library of fake login screens (overlays) for popular banking apps, payment services, and email providers. These fake overlays are activated when the malware detects the user launching a target app – for example, if a victim opens their banking app, the malware quickly displays a pixel-perfect imitation of the bank’s login screen to steal credentials. MaaS offerings often include dozens of such templates, or the operators will customize new ones for clients. The aforementioned PhantomOS, for instance, lets the buyer specify which institution or service to target.

Android Malware Examples

On the more technical end, exploit-based distribution tools are also available for sale. An example is an Android ADB exploit kit that was advertised on a cybercrime forum. This tool scans the internet for Android devices that have open ADB (Android Debug Bridge) ports – a known misconfiguration mostly on older or rooted devices and Android-based TVs. The kit, sold for around $600–$750, automates the process of finding exposed devices and pushing a malicious APK onto them without any user interaction. Essentially, it’s a point-and-shoot Android botnet builder: feed it a list of IP ranges, and it will return a list of newly infected Android bots under your control. The seller even provides a mass APK deployment script, so the buyer can upload their malware payload to hundreds of discovered devices in one go. This kind of distribution framework allows malware operators to infect victims en masse through exploits, rather than relying solely on tricking users.

Android Scanner

Other exploit kits target specific Android vulnerabilities (for example, abusing accessibility services to install apps silently, or using known rooting exploits to gain privilege). While zero-day exploits for Android are expensive and usually sold in more exclusive circles, there are plenty of cheap older exploits and automated scripts circulating that still work against unpatched devices. MaaS providers may integrate such exploits to give their malware a one-click install capability – meaning once the user is tricked into running a dropper, the malware can escalate privileges and embed itself without further user consent. The Android MaaS ecosystem effectively functions as a one-stop shop for cybercriminals: you can rent the malware, and buy the tools to distribute it widely. Whether through social engineering or technical exploits, even a solo threat actor can launch a campaign by leveraging these ready-made frameworks.
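The capability set described in the last few sections (SMS/OTP interception, phishing overlays, accessibility-service abuse for silent installs, device-admin persistence) leaves a footprint in an app’s manifest, and the crypting discussed earlier changes the APK’s bytes but not that declared footprint. The following Python is an added defender-side example, not code from this post or from iVerify: it triages a decoded AndroidManifest.xml for those permission combinations and shows why a capability fingerprint survives a re-packed build when a file hash does not. The manifests, weights, threshold and category names are all constructed assumptions for illustration; on a real APK the binary manifest would first have to be decoded with a tool such as apktool.

```python
"""Defender-side manifest triage for the MaaS capability pattern described in
the post.  Added example: manifests, weights and threshold are constructed."""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission -> (capability category, illustrative weight).  These weights are
# assumptions chosen for the demo, not a published scoring scheme.
RISK_SIGNALS = {
    "android.permission.RECEIVE_SMS": ("sms_interception", 3),
    "android.permission.READ_SMS": ("sms_interception", 2),
    "android.permission.SEND_SMS": ("sms_interception", 2),
    "android.permission.SYSTEM_ALERT_WINDOW": ("overlay_phishing", 3),
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("accessibility_abuse", 4),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("silent_install", 3),
    "android.permission.BIND_DEVICE_ADMIN": ("persistence", 3),
    "android.permission.ACCESS_FINE_LOCATION": ("tracking", 1),
    "android.permission.READ_CALL_LOG": ("data_theft", 2),
    "android.permission.READ_CONTACTS": ("data_theft", 1),
}


def declared_signals(manifest_xml: str) -> set:
    """Collect risk-relevant permission names.  Accessibility services and
    device-admin receivers declare their binding permission on the component
    (android:permission), not via <uses-permission>, so both are checked."""
    root = ET.fromstring(manifest_xml)
    found = set()
    for elem in root.iter():
        if elem.tag == "uses-permission":
            name = elem.get(ANDROID_NS + "name")
        else:
            name = elem.get(ANDROID_NS + "permission")
        if name in RISK_SIGNALS:
            found.add(name)
    return found


def capability_profile(manifest_xml: str) -> dict:
    """Sum signal weights per capability category."""
    profile = {}
    for name in declared_signals(manifest_xml):
        category, weight = RISK_SIGNALS[name]
        profile[category] = profile.get(category, 0) + weight
    return profile


def risk_verdict(manifest_xml: str, threshold: int = 8) -> tuple:
    """Return (score, banking-trojan combo present, flagged).  The combination
    matters more than any single permission: SMS access together with overlays
    or an accessibility binding is the pattern the post describes."""
    profile = capability_profile(manifest_xml)
    score = sum(profile.values())
    combo = "sms_interception" in profile and (
        "overlay_phishing" in profile or "accessibility_abuse" in profile)
    return score, combo, (score >= threshold or combo)


def capability_fingerprint(manifest_xml: str) -> str:
    """Hash of the sorted signal set.  Unlike the APK hash, this is unchanged
    by crypting or re-packing that keeps the declared capabilities."""
    names = sorted(declared_signals(manifest_xml))
    return hashlib.sha256("\n".join(names).encode()).hexdigest()


def file_hash(apk_bytes: bytes) -> str:
    """Plain SHA-256 of the artifact, the kind of value a blocklist would hold."""
    return hashlib.sha256(apk_bytes).hexdigest()


# Constructed manifest resembling the advertised feature set (not a real sample).
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.trojan">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

# Same capabilities, re-packed with new package/component names and order,
# as a "fresh build" from a crypter would present.  Also constructed.
REPACKED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.weather">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".Zq" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Xk" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign app: location only, no SMS/overlay/accessibility.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application/>
</manifest>"""


if __name__ == "__main__":
    for label, m in (("trojan", TROJAN_MANIFEST), ("repacked", REPACKED_MANIFEST),
                     ("benign", BENIGN_MANIFEST)):
        print(label, risk_verdict(m), capability_fingerprint(m)[:16])
    print("file hashes equal:",
          file_hash(TROJAN_MANIFEST.encode()) == file_hash(REPACKED_MANIFEST.encode()))
```

The point of the two hashes at the end is the one the crypting section makes: a blocklist keyed on the artifact hash is defeated by every fresh build, whereas a signature keyed on what the app asks the OS to let it do (SMS plus overlay plus accessibility binding) is stable across re-packing and is what a reviewer or an on-device scanner should look at first.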

Access to Infected Devices Is Just Another Product

Perhaps the most interesting development in this ecosystem is the commoditization of infected devices themselves. So-called “install” markets let cybercriminals buy access to already compromised Android devices in bulk. This means that an attacker doesn’t even need to distribute malware or infect victims on their own – they can simply purchase a batch of existing bots from someone who specializes in malware distribution. On underground forums, you will find threads advertising things like “Android installs – first hand, choose your GEO.”

Valhalla Installs

Sellers like Valhalla (above) offer to deliver a specified number of new installs in countries that the buyer selects. The pricing is typically set per 1,000 installs or per install, with rates varying by region – for example, devices in the US or Western Europe command higher prices than those in poorer regions because of their greater financial value. The advantages of buying installs are considerable for an up-and-coming cybercriminal. It short-circuits the most challenging phase of the attack – the infection/distribution stage. Instead of laboring to get malware onto victims’ phones, an attacker can pay a few hundred or thousand dollars and instantly have a foothold on hundreds of devices. From there, they can use the rented malware’s capabilities to harvest banking logins, send fraudulent payments, spread spam, or deploy ransomware on those phones. Some install sellers even offer geographic or device-type filters – for instance, one might buy “1000 UK installs” or “500 Android desktop installs” depending on the campaign’s needs.

Install Labs

It also creates something of a collaborative economy: one cybercriminal focuses on distribution (and sells installs), and another focuses on monetizing those installs via banking fraud, extortion, and so on. In effect, the barrier to entry is lowered yet again, because a newcomer can skip straight to the profitable stage by purchasing infections in bulk. In the Valhalla example mentioned earlier, the same seller also advertises the rental of an Android botnet management tool called Hydra. The Hydra Android botnet is offered with a full range of features: sending and intercepting SMS, hidden SMS functionality (to quietly grab 2FA codes), screen-lock ransomware capability, remote access (including a VNC module for live viewing/control of the device), keylogging, and a function to disable security features like Google Play Protect.

Hydra Android Botnet Example

The listing prices Hydra’s rental at around $2,200 without the VNC add-on, or $3,500 with VNC (and including a server setup). This illustrates how mature the ecosystem has become – not only is the malware available for rent, but so is the very access to victims, and even complete operation-in-a-box solutions (malware + infected devices + control infrastructure) can be assembled via the marketplace. For a few thousand dollars – a sum reachable even for petty criminals – one can effectively purchase an entire fraudulent enterprise’s worth of capability.

What Organizations Can Do to Detect These Threats

Malware-as-a-service platforms like PhantomOS and Nebula make it easier than ever to deploy advanced Android malware. These services offer capabilities like SMS interception, app cloaking, and remote control – all sold as turnkey kits with infrastructure and support.

iVerify helps organizations detect signs of compromise on mobile devices by analyzing diagnostic data and logs. With user consent, this data is processed to identify anomalies, unsafe configurations, and known indicators of malicious activity. 

iVerify works without requiring MDM access or privileged device control, making it suitable for high-trust, high-risk environments. Learn more by scheduling a demo at https://iverify.io/contact/.
