Malware Distribution Channels¶
How Android malware actually reaches victims. Distribution is the axis orthogonal to behavior: a single family (e.g. Anatsa) ships through Play Store droppers, while another (e.g. GoldDigger) lives on Telegram, and both perform overlay credential theft once installed. This page catalogs the vectors with their moderation model, regional concentration, and documented malware history.
For compromise of legitimate distribution (SDK trojanization, build-system attacks), see Supply Chain Attacks. For the Play Store integrity signal, see Play Frosting.
Disclaimer
The sites, channels, and operator handles referenced on this page are documented for security research and defensive awareness. Many are actively hostile environments hosting malware, fraud, and illegal content. Do not visit unfamiliar mod APK sites, Telegram channels, or alternative stores on a personal device. Use a dedicated analyst environment (rooted lab device or isolated emulator) with proper containment.
External links may rot, redirect, or change ownership without notice. Treat citation URLs as historical references and verify current state before acting on them. Several stores listed below are defunct or geo-restricted; the canonical domain is retained for reference even when not reachable from every network.
Vector Categories¶
| Category | Moderation | Typical Payload | Threat Profile |
|---|---|---|---|
| Google Play | Strong (Play Protect, review, Frosting) | Droppers, conditional loaders, stalkerware | High-volume but short-lived; bankers use droppers |
| Mod / cracked APK sites | None | Trojanized mods, adware SDKs, banking trojans | Long-lived; user actively bypasses warnings |
| Regional alternative stores | Variable | Repackaged apps, regional bankers, spyware | Significant in markets where Play is restricted |
| Direct messaging (Telegram, WhatsApp) | None | RATs, banking trojans, NFC relay tools | Common for targeted campaigns and MaaS sales |
| Smishing / phishing pages | None | Banking trojans, fake updates, fake delivery apps | Primary vector for SMS bankers |
| Malvertising | Ad network dependent | Adware, scareware, fake AV | Drive-by sideload prompts |
| Fake update prompts | None | Droppers, RATs | Often paired with watering-hole sites |
| Cloud file hosts as relay | None | Final-stage APK after smishing/social chain | The actual host at the end of a clean-looking link |
| GitHub Releases | Platform-level only | Open-source RATs, stealer builders | Builder/operator distribution, sometimes end-user |
| SEO-poisoned search results | None | Trojanized installers, fake official sites | Search-driven equivalent of malvertising |
| Pre-install / firmware | None (vendor-trusted) | Adware, click-fraud, persistent backdoors | OEM/ODM supply-chain compromise |
| USB / PC-assisted sideload | None | Stalkerware, employer monitoring tools | Requires physical or social access |
Google Play¶
Despite Play Protect, Play Integrity, and the Frosting attestation, Play remains a major distribution channel for sophisticated malware. Operators do not ship the payload directly: they ship a clean dropper that fetches and side-loads the malicious second stage post-install.
| Technique | How | Examples |
|---|---|---|
| Dropper apps | Benign-looking utility passes review, then prompts user to install a second APK via session-based install or accessibility | Anatsa (ThreatFabric, Zscaler ThreatLabz), SharkBot (NCC Group / Cleafy), Vultur (Brunhilda dropper, ThreatFabric), Necro (Kaspersky Securelist) |
| Conditional activation | Malicious behavior gated by remote flag, region, language, or time, so reviewers see a clean app | Joker (Zscaler ThreatLabz), Necro (image-steganography payload gating, Kaspersky) |
| Post-publish update abuse | Initial submission is clean; a later version on the same listing introduces malicious code | Historic SharkBot, Anatsa campaigns |
| SDK trojanization | Legitimate developer integrates a poisoned third-party SDK | CooTek BeiTaAd (Lookout, 2019, 238 apps / 440M installs), SimBad / RXDrioder SDK (Check Point, 2019, 210 apps / ~150M installs), Coral SDK (Necro, Kaspersky) |
Sample sourcing: pull the APK from a device with pm path followed by adb pull on every path it prints (root is not normally required for user-installed apps; split APKs need base.apk plus each split_*.apk to reinstall cleanly), or from mirror sites once Google removes the listing.
Some operators ship parallel iOS and Android variants from the same back-end so the Android-only investigator misses half the campaign: SparkKitty / SparkCat shipped on both App Store and Play (Kaspersky Securelist), and the GoldFactory crew delivered an iOS variant of GoldPickaxe through TestFlight after the public-store route was burned (Group-IB on GoldFactory iOS).
Mod / Cracked APK Sites¶
Sites that host premium-unlocked, ads-removed, or feature-modded versions of popular apps. The user actively bypasses Play and accepts an APK re-signed by an unknown party (Android refuses to install unsigned APKs, so every mod carries someone's signature, just not the developer's), which makes this category one of the most reliable malware vectors.
| Site | Notes | Documented Abuse |
|---|---|---|
| HappyMod | Largest English-language mod aggregator; primary domain frequently dead and rotates across mirrors (happymod.com, happymod.io, happymod.net, happymod.pro, m.happymod.com) | Repackaged apps with banking trojans, adware SDKs |
| liteapks.com | English-language mod aggregator | Surfaced operationally in multiple repack analyses; no first-tier vendor citation |
| GetModsAPK | High-volume mod aggregator, English | Trojanized game mods, adware |
| Mundoperfecto | Spanish-language mod/crack site | Latin American adware and banking trojan distribution |
| AC Market | Long-running pirated-app aggregator | Adware; MobiDash-repackaged apps |
| RexDL / ApkDone / ModDroid | Mid-tier mod aggregators | Mixed adware and SMS-fraud apps |
| Modder brand pages (HEROEXE, etc.) | Individual-author distribution under a brand | Often the upstream source for aggregator sites |
| AN1.com / ApkMody | Major English-language mod aggregator pair | Repackaged games and utilities with bundled adware SDKs |
| Modyolo | Mid-tier English-language aggregator | Game mods, adware repackaging |
| Platinmods | Forum-based, game-mods focus | Cracked game builds, in-app-purchase bypass modules |
| BlackMod | Game-cheat and mod community | Mod ZIPs and trainer APKs |
| Lulubox | In-app patcher rather than a download site; primary domain rotates across mirrors (lulubox.org, lulubox.pro, luluboxapp.com, etc.) | Distributes mods through runtime patching; distinct model that lives inside the device |
| 5play.ru | Russian-language mod aggregator | Cracked premium apps, mods, adware repackaging |
| Trashbox.ru | Russian-language mod aggregator | Cracked premium apps and mods, large enthusiast catalog |
| 4PDA forum | Russian-language modding and reversing forum | Historically one of the largest Russian-language sources for mods and cracks; upstream for many smaller aggregators |
| Androeed.ru | Russian-language mod aggregator | Mods, cracked premium builds |
| ApkAward / ApkDoctor / ApkSos | Minor English aggregators | Long tail of mod and crack mirrors |
| ModYukle | Turkish-language mod aggregator | Mods and cracks for Turkish-speaking audience |
| XDA Forums | Historic ROM/mod forum | Declining as a distribution channel but still a source for custom ROMs, recoveries, and mod APKs |
| Panda Helper | Sideload-style installer | Bundles game mods and pirated apps through its own installer client |
| GameGuardian distribution sites | Memory-editor cheat tool plus surrounding ecosystem | The tool itself is benign but mirror sites and "cheat pack" repacks routinely bundle adware and stealers |
The Russian-language mod ecosystem (4PDA, Trashbox, 5play.ru, Androeed) is one of the largest non-English mod ecosystems and historically a major upstream source for English-language aggregators, which mirror Russian-origin mods after light rebranding.
Signing model: most sites re-sign the modded APK with their own key, which drops both the original developer signature and any Play Frosting block, so the signer certificate is the quickest way to tell a mod from the developer build. A few preserve the original signature by exploiting v1-only (JAR) signing, which covers file contents but not zip structure and, for apps without v2/v3 signatures, was bypassable outright by the Janus bug; these cases are rare and fail on any app that enforces v2 or later.
Notable campaigns:
- FMWhatsApp + Triada (2021): Modded WhatsApp build distributed via mod APK sites carried a Triada payload injected through a malicious advertising SDK. Kaspersky writeup.
- Necro (2024): Spotify, WhatsApp, and Minecraft mods on third-party sites carried the Necro loader in parallel with its Google Play presence. Kaspersky Securelist.
- MobiDash (ongoing since 2015): Legitimate apps repackaged with MobiDash ad SDK and distributed through aggregator sites.
IPTV-piracy lure sites (Mobdro-clone pages advertising "Mobdro Pro IP TV + VPN" bundles) have been used to drop the Klopatra banker; see Cleafy's Klopatra writeup.
Regional Alternative App Stores¶
Where Google Play is restricted, blocked, or culturally unpopular, regional stores dominate.
| Store | Region | Moderation | Notes |
|---|---|---|---|
| Aptoide | Portugal / global | Community moderated | Repackaged-app history; mixed-quality vetting |
| Cafe Bazaar | Iran | Iranian state-aligned review | Primary Android store in Iran; banking trojan distribution documented |
| Myket | Iran | Iranian moderation | Smaller Iranian competitor; similar threat profile |
| Xiaomi GetApps | China + global Xiaomi devices | Xiaomi-operated | Preinstalled on Xiaomi/Redmi; Chinese-market malware presence |
| Huawei AppGallery | China + post-2019 Huawei devices | Huawei-operated | Significant alternative after Huawei lost Play Services |
| Samsung Galaxy Store | Global Samsung devices | Samsung-operated | Preinstalled; Joker and adware seen historically |
| 9Apps (defunct) | India / SE Asia | UCWeb / Alibaba | Wound down after India's June 2020 ban on 59 Chinese apps (which included UCWeb properties); historically lower-moderation, adware-heavy |
| F-Droid | Global FOSS | Builds from source and signs with its own key; the developer signature is kept only for reproducible builds | Generally clean; the realistic abuse vector is repository poisoning or a malicious upstream commit to a packaged FOSS project |
| APKPure | Global | Light moderation | Has shipped repackaged builds carrying Triada variants in the past |
| Uptodown | Global, Spanish-speaking strong | Light moderation | Mirrors a wide range of APKs; weak attribution to original developer |
| GetJar | Global, declining | Variable | Historic adware vector |
| One Store | Korea | Carrier consortium review | SK Telecom + KT + LG U+ + Naver joint venture; preinstalled on Korean carrier devices and the primary domestic alternative to Play |
| RuStore | Russia | VK-operated, state-mandated | Mandatory preinstall on devices sold in Russia since 2023 and the structural channel for Russia-localized apps cut off from Play; NashStore operates alongside it as an independent alternative |
| NashStore | Russia | Independent | Smaller Russian alternative launched after 2022 sanctions, narrower catalog than RuStore |
| Yandex Store (defunct) | Russia | Yandex-operated | Wound down around the 2022 Yandex divestiture; preceded RuStore and shipped on some Yandex-branded hardware |
| TapTap | China + Asia / global | Curated, Western-style discovery | Game-focused store; large in China and SE Asia, English-language global build available |
| QooApp | Hong Kong / Asia | Light moderation | Asian games and manga; popular sideload route for Japanese and Korean region-locked titles |
| Indus Appstore | India | PhonePe-operated | PhonePe (Walmart-owned) Indian-government-aligned alternative, vernacular-language discovery |
| Amazon Appstore | Global | Amazon review | Preinstalled on Fire devices, available as APK on Android; historic adware and PUA presence in lower-tier categories |
| SlideMe | Global, declining | Light | Small global store, declining |
| Mobango | Global, declining | Light | Declining mid-tier global store (primary domain mobango.com intermittently unreachable) |
Where a store rebuilds or repackages apps (F-Droid by default, and any store that ships modified builds), the APK is signed by the store rather than the original developer: Play Frosting is absent and signature-based attribution must key on the store's certificate. Plain mirrors often redistribute the developer-signed file unchanged, so check the signer per sample rather than assuming either.
Aurora Store and the older Yalp Store are open-source Play clients that fetch APKs from Google's CDN using anonymous or user accounts. The files are the genuine Play builds, so their Frosting blocks still verify, but PackageManager records the client rather than com.android.vending as the installer, so device-side install-source provenance no longer says Play, which complicates source attribution during incident response.
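The check behind both the signing-model note under mod sites and the store-signing and Aurora paragraphs above is whether an APK still carries Google's Frosting block alongside its v2/v3 signature blocks. The parser below, an added example rather than code from this page or from any vendor cited on it, walks the APK Signing Block that sits immediately before the zip central directory and reports which known block IDs are present. The sample APK it builds is a constructed fixture with dummy block payloads, so this shows layout and presence only; verifying the Frosting contents against Google's key is the Play Frosting page's topic.

```python
"""Detect v2/v3 signature blocks and Google Play Frosting in an APK Signing Block.

Added example: presence check only. It does not verify any signature.
"""
import io
import struct
import zipfile
from typing import Dict, List, Optional, Tuple

# Block IDs inside the APK Signing Block, as written by apksigner and Play.
BLOCK_IDS = {
    0x7109871A: "v2",             # APK Signature Scheme v2
    0xF05368C0: "v3",             # APK Signature Scheme v3
    0x1B93AD61: "v3.1",           # v3.1 (rotation targeting)
    0x2146444E: "frosting",       # Google Play metadata block
    0x6DFF800D: "source_stamp",   # SourceStamp v2
    0x42726577: "verity_padding",
}
MAGIC = b"APK Sig Block 42"
EOCD_SIG = b"PK\x05\x06"


def parse_signing_block(apk: bytes) -> Optional[Dict[int, bytes]]:
    """Return {block_id: value} for the APK Signing Block, or None if absent.

    Layout: the block sits immediately before the zip central directory (CD).
    The EOCD record holds the CD offset at +16; the 24 bytes before the CD are
    a uint64 block size followed by the 16-byte magic, and the same size value
    opens the block (the opening size field itself is not counted in `size`).
    """
    eocd = apk.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("not a zip: no EOCD record")
    cd_off = struct.unpack_from("<I", apk, eocd + 16)[0]
    if cd_off < 24 or apk[cd_off - 16:cd_off] != MAGIC:
        return None                      # v1-only (JAR) signed or unsigned
    size = struct.unpack_from("<Q", apk, cd_off - 24)[0]
    start = cd_off - size - 8
    if start < 0 or struct.unpack_from("<Q", apk, start)[0] != size:
        raise ValueError("APK Signing Block size fields disagree")
    blocks: Dict[int, bytes] = {}
    pos, end = start + 8, cd_off - 24
    while pos < end:
        length, block_id = struct.unpack_from("<QI", apk, pos)
        if length < 4 or pos + 8 + length > end:
            raise ValueError("malformed ID-value pair in APK Signing Block")
        blocks[block_id] = apk[pos + 12:pos + 8 + length]
        pos += 8 + length
    return blocks


def classify_apk(apk: bytes) -> Dict[str, bool]:
    """Which known blocks are present. A Frosting block only proves Google once
    wrote one into this exact file: a mod site's re-sign drops it, a store-built
    APK never had it, and an Aurora-fetched APK still carries it."""
    blocks = parse_signing_block(apk) or {}
    return {name: (bid in blocks) for bid, name in BLOCK_IDS.items()}


def zip_entries(apk: bytes) -> List[str]:
    """The zip must still open after a block is spliced in: local header
    offsets stored in the CD are unaffected because the block sits after them."""
    return zipfile.ZipFile(io.BytesIO(apk)).namelist()


def build_sample_apk(pairs: List[Tuple[int, bytes]]) -> bytes:
    """Constructed fixture: a minimal zip with an APK Signing Block spliced in
    before the CD. Block payloads are dummy bytes, not real signatures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"\x00" * 16)
        zf.writestr("classes.dex", b"dex\n035\x00")
    data = buf.getvalue()
    if not pairs:
        return data                      # unsigned: no signing block at all
    eocd = data.rfind(EOCD_SIG)
    cd_off = struct.unpack_from("<I", data, eocd + 16)[0]
    body = b"".join(struct.pack("<QI", 4 + len(v), i) + v for i, v in pairs)
    size = len(body) + 8 + 16            # pairs + trailing size field + magic
    block = struct.pack("<Q", size) + body + struct.pack("<Q", size) + MAGIC
    patched_eocd = (data[eocd:eocd + 16]
                    + struct.pack("<I", cd_off + len(block))
                    + data[eocd + 20:])
    return data[:cd_off] + block + data[cd_off:eocd] + patched_eocd


if __name__ == "__main__":
    play = build_sample_apk([(0x7109871A, b"v2 dummy"), (0x2146444E, b"frosting dummy")])
    resigned = build_sample_apk([(0x7109871A, b"v2 dummy"), (0xF05368C0, b"v3 dummy")])
    print("play-style:", classify_apk(play))
    print("re-signed :", classify_apk(resigned))
    print("unsigned  :", classify_apk(build_sample_apk([])))
```

On a real sample, read the file with open(path, "rb") and pass the bytes to classify_apk; a mod-site build typically shows v2 or v3 with no frosting, and a v1-only mod returns None from parse_signing_block. Absence of Frosting never proves malice on its own (developer builds distributed off-Play lack it too), so pair it with the signer certificate check from the signing-model note.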
Sibling FOSS clients in the F-Droid orbit include Neo Store and Droid-ify (modern F-Droid clients), the IzzyOnDroid Repo (broader inclusion criteria than F-Droid main), Obtainium (pulls directly from GitHub, GitLab, and developer pages), Accrescent (security-hardened beta store with reviewed apps), and F-Droid Basic (stripped client shipped by default on CalyxOS). Each loosens the moderation profile in a different direction; Obtainium in particular shifts trust entirely to the upstream developer's release artifact.
Carrier Stores¶
Carrier-operated stores survive in markets where the carrier negotiates a billing relationship around app installs. BusinessofApps' app store directory tracks the current catalog.
| Store | Region | Operator | Status |
|---|---|---|---|
| au SmartPass / au Market | Japan | KDDI | Active (Upswell) |
| App Pass | Japan | SoftBank | Active (Upswell) |
| Sugotoku / dmarket | Japan | NTT Docomo | Active (Upswell) |
| MTN Play / MTN App Store | Nigeria, Ghana, South Africa | MTN Group | Active (BusinessofApps) |
| Airtel App Central | Nigeria, Kenya, India | Bharti Airtel | Declining (BusinessofApps) |
| Claro Apps | Mexico, Brazil, Colombia | América Móvil (Claro) | Active (BusinessofApps) |
| SK T Store, KT Olleh Market, LG U+ Store | South Korea | SKT / KT / LG U+ | Merged into One Store in 2016 |
In the US, Digital Turbine (descended from Appia / PocketGear) runs the Single Tap and Ignite preload pipelines used by AT&T, Verizon, and T-Mobile for OEM-bundled installs and monetized recommendation slots; it is the active carrier-aligned distribution backbone in North America and a recurring channel for unwanted but technically authorized bloatware.
Defunct but Historically Notable¶
| Store | Years | Note |
|---|---|---|
| Handango / Handango InHand | 1999-2013 (Handango founded 1999; InHand launched 2003) | Among the earliest third-party Android stores; PalmOS heritage (Wikipedia) |
| PocketGear / Appia | 1999-2015 | Became Digital Turbine (Wikipedia) |
| AndAppStore | 2009-2013 | Early direct-pay alternative (AndroidGuys via Wayback) |
| Opera Mobile Store | 2011-2023 | Opera Software; acquired by Bemobi in 2017, fully decommissioned March 2023 |
| Mobogenie | early 2010s, since defunct | India / global; wound down after the business failed (Medium analysis); the domain may still resolve but there is no active store |
| MoboMarket | mid-2010s, now defunct | Baidu-operated Chinese export store |
| Verizon V CAST Apps | 2009-2013 | US carrier, defunct (Light Reading) |
| Vodafone / Orange / Telefonica / DT WAC | 2010-2013 | Cross-carrier consortium that never reached production (Light Reading) |
| MiKandi | launched 2009, since wound down | Adult content (Wikipedia) |
Specialty and Web3¶
Web3 distribution lives largely outside Play: the Solana dApp Store ships on Solana Mobile Saga and Seeker handsets (since 2023) and DappRadar acts as a cross-chain discovery layer. itch.io hosts indie game APKs for sideload. Enterprise internal-distribution platforms such as Applivery, Appcircle, and Updraft are not malware vectors per se but round out the alternative-distribution surface and occasionally surface in incident response when an attacker stages a build for a single victim organization.
Chinese Domestic Stores¶
Google Play is blocked in mainland China, so the Android app market is fragmented across vendor and platform stores. These are the primary distribution surface for China-targeting malware including domestic banking trojans, Triada variants spread through repackaged apps, and surveillance ware against domestic targets.
| Store | Operator | Notes |
|---|---|---|
| Tencent Yingyongbao (yingyongbao.qq.com) | Tencent | Largest Chinese third-party store, deep WeChat integration |
| 360 Mobile Assistant (zhushou.360.cn) | Qihoo 360 | Tied to 360 mobile security suite |
| Baidu Mobile Assistant (shouji.baidu.com) | Baidu | Search-driven discovery, large catalog |
| Wandoujia (mostly defunct) (wandoujia.com) | Alibaba | Acquired by Alibaba and largely wound down; sister to 9Apps |
| Coolapk (coolapk.com) | Independent | Smaller but enthusiast-leaning, hosts unmodified upstream APKs |
Vendor stores dominate device-bundled flows. Beyond Huawei AppGallery (which Honor devices inherited from their Huawei lineage) and Xiaomi GetApps, the major OEM-operated stores are OPPO App Market, Vivo App Store, OnePlus App Market, and Realme's bundled store (the BBK-group brands OPPO, Vivo, OnePlus, and Realme each preinstall their own market on domestic units even where catalogs overlap). The third-party stores above feed independent users and rooted devices. Review rigor varies widely and the same package name often appears across half a dozen stores at different versions, which complicates IOC tracking.
Direct Messaging (Telegram, WhatsApp, Discord, Signal)¶
Messaging platforms are now a primary delivery channel for both targeted attacks and MaaS distribution. Telegram in particular hosts both end-user lures and the operator-side marketplace, and warrants its own breakdown.
| Use | How | Examples |
|---|---|---|
| Direct victim delivery | Operator sends APK or download link via DM or group chat | GoldDigger / GoldPickaxe delivered through Zalo, LINE, and Telegram by GoldFactory (Group-IB, Group-IB GoldDigger), SpyNote campaigns |
| Phishing channel hand-off | Smishing leads to a Telegram bot or channel that hosts the APK | Common in LATAM banker campaigns |
Telegram as MaaS Marketplace¶
Android MaaS operators run public "storefront" channels for advertising and a gated, paid-buyer channel for builds, panel access, and updates. Channels rotate when banned, often under near-identical handles. Researchers have repeatedly named operator personas where they could be observed across multiple campaigns:
| Handle / Channel | Family | Source |
|---|---|---|
| "Architect" | Octo / Octo2 | ThreatFabric on Octo2 |
| Cerberus auction + leak channels | Cerberus | ThreatFabric on Cerberus demise |
| "DukeEugene" lineage | ERMAC / Hook | ThreatFabric on Hook |
| BingoMod operator channels | BingoMod | Cleafy on BingoMod |
| Crocodilus operator promotion | Crocodilus | ThreatFabric on Crocodilus |
| SuperCard X relay storefront | SuperCard X | Cleafy on SuperCard X |
| ClayRat update channels with forged comments and view counts (Russian-targeted) | ClayRat spyware | Zimperium on ClayRat |
| Mamont private buyer chats + Bot-API C2 | Mamont banker | Kaspersky / Securelist on Mamont parcel-tracking lure |
| "Trading & Fintech"-themed channels | DarkMe / fintech lures | Kaspersky press on global Telegram fintech campaign |
| MuddyWater / Static Kitten Farsi anti-regime channels | DCHSpy (Iranian MOIS) | The Hacker News on DCHSpy |
| "OtpSteal" fake-VPN operator, OTP exfil to Telegram bot | Trojan-Spy.AndroidOS.OtpSteal.a | Kaspersky Q2 2025 mobile statistics |
| Czech PWA-phishing operator group | Czech WebAPK banking phish | ESET WeLiveSecurity on PWA phishing |
Telegram for Mod APK Distribution¶
Many modder brands run Telegram-only or Telegram-primary distribution, both to dodge takedowns of mirror sites and to gate "premium" builds behind paid bot subscriptions. The pattern is widely observed across HappyMod-adjacent mod brands but vendor research rarely names individual modder channels by handle.
Telegram for NFC Relay Tooling¶
NFCGate-derived clients and SuperCard X-style relay apps are typically delivered via Telegram chats from the operator to the muled phone, since their use is intrinsically real-time and tied to an operator handler. Cleafy's SuperCard X writeup documents Chinese-speaker MaaS sales and Telegram-mediated client distribution.
Telegram as Smishing Payload Host¶
After an SMS click, the landing page or shortlink often resolves to a Telegram channel or bot that serves the APK directly. The t.me domain's reputation survives URL filtering longer than a throwaway domain, and the bot can gate the download on a victim-supplied "campaign code" to thwart researchers. Kaspersky's Mamont SMS-banker analysis and the Roaming Mantis / MoqHao lineage both document Telegram hand-off stages in active campaigns.
Telegram Bot API as Combined Distribution and C2¶
A subset of families uses the Telegram Bot API as both the APK host and the live C2 channel, so the channel ID is the entire infrastructure footprint. Rafel RAT (Check Point Research coverage) and several open-source RATs forked from Telegram-RAT projects on GitHub follow this model. BingoMod operator panels likewise overlay distribution and command on Telegram bot plumbing.
Ecosystem Structure¶
The standard pattern is a public storefront channel for marketing and proof-of-success videos, plus a private, invite-only buyer channel for builds, panel credentials, and updates. When Telegram suspends a channel, operators republish under a near-identical handle and link forward from older channels they still control. This rotation is the single biggest reason vendor IOC lists go stale fast on the Telegram side.
Telegram's combination of large group capacity, file hosting, and bot scripting makes it the closest equivalent to an unmoderated app store with built-in C2 plumbing.
Asian Messengers Beyond Telegram¶
Regional messengers carry banker and spyware payloads inside markets where Telegram penetration is low. The delivery model is the same as Telegram (DM hand-off after an initial SMS or social lure) but each platform's takedown latency and operator demographics differ.
| Messenger | Region | Example Campaign | Citation |
|---|---|---|---|
| LINE | Japan / Korea / Taiwan / Thailand | SpyAgent KR chain: SMS → LINE → phishing site → APK | McAfee Labs on SpyAgent |
| KakaoTalk | South Korea | NK-defector and journalist surveillance via social-network hand-off | McAfee Labs on KakaoTalk targeting |
| Zalo | Vietnam | GoldDigger / GoldPickaxe (GoldFactory) | Group-IB on GoldDigger |
| WhatsApp (self-propagating, hijacked sessions) | LATAM, global | Maverick / SORVEPOTEL / Astaroth (STAC3150) | Kaspersky on Maverick, Sophos on WhatsApp to Astaroth, Trend Micro on self-propagating WhatsApp malware |
PWA / WebAPK Phishing Apps¶
ESET documented progressive web app and WebAPK installs that masquerade as Play-Store-installed apps and bypass the standard sideload warnings, used against customers of Czech, Hungarian, and Georgian banks. The WebAPK is generated by Chrome itself from an attacker-controlled manifest, signed by Google, and shows the Play install-source indicator on the device, which makes it harder to distinguish from a real Play install without inspecting the manifest URL and the package name pattern.
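Both the Aurora paragraph in the regional-store section and the WebAPK case here come down to the same device-side question: what PackageManager recorded as the installer, and whether that record means what it appears to mean. The triage below is an added example (not ESET's or this page's code) over the output of adb shell pm list packages -i; its installer-to-channel map is the example's own assumption about which installer package names imply which channel, the sample output is constructed, and the WebAPK package-name prefix org.chromium.webapk. is the one Chrome uses for minted WebAPKs.

```python
"""Install-source triage over `adb shell pm list packages -i` output.

Added example. INSTALLER_CHANNELS is this example's own triage table (an
assumption about what each installer package name implies), not an Android
constant; extend it per device fleet.
"""
import re
from typing import Dict, List

INSTALLER_CHANNELS = {
    "com.android.vending": "google_play",
    "com.aurora.store": "aurora_store",            # Play CDN fetch; Play provenance lost
    "org.fdroid.fdroid": "fdroid",
    "com.google.android.packageinstaller": "manual_sideload",
    "com.android.packageinstaller": "manual_sideload",
    "com.android.chrome": "browser_download",
    "org.telegram.messenger": "messenger_handoff",
    "com.whatsapp": "messenger_handoff",
    "null": "none_recorded",                       # adb install, preload, or stale record
}
# Chrome mints WebAPKs under this package prefix; the PWA phishing cases ride on it.
WEBAPK_PREFIX = "org.chromium.webapk."
# Packages for which installer=null is normal because they ship on the system image.
SYSTEM_PREFIXES = ("com.android.", "com.google.android.")
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

# Constructed sample output (package names are placeholders, not real IOCs).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:org.chromium.webapk.a1b2c3d4e5f6  installer=com.android.vending
package:com.example.bank  installer=com.aurora.store
package:com.example.cleaner  installer=org.telegram.messenger
package:com.android.settings  installer=null
"""


def parse_pm_list(output: str) -> List[Dict[str, str]]:
    """Parse `pm list packages -i` lines into {package, installer} rows."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append({"package": m["pkg"], "installer": m["inst"]})
    return rows


def triage(rows: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Attach a channel label and review notes to each row."""
    findings = []
    for r in rows:
        pkg, inst = r["package"], r["installer"]
        channel = INSTALLER_CHANNELS.get(inst, "other:" + inst)
        notes: List[str] = []
        if pkg.startswith(WEBAPK_PREFIX):
            notes.append("WebAPK: Google-signed Chrome shell; a Play installer record does "
                         "not mean Play review. Pull the web manifest URL before trusting it.")
        if channel == "aurora_store":
            notes.append("APK Frosting will verify, but PackageManager attributes the "
                         "install to Aurora, not Play.")
        sideload = channel in ("manual_sideload", "browser_download",
                               "messenger_handoff", "none_recorded")
        if sideload and not pkg.startswith(SYSTEM_PREFIXES):
            notes.append("Sideload path: untrusted by default; compare the signing "
                         "certificate with the developer's known key.")
        findings.append({"package": pkg, "installer": inst,
                         "channel": channel, "notes": notes})
    return findings


def needs_review(findings: List[Dict[str, object]]) -> List[str]:
    """Packages that picked up at least one note."""
    return [f["package"] for f in findings if f["notes"]]


if __name__ == "__main__":
    for f in triage(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print(f["package"], f["channel"], *f["notes"], sep="\n    ")
```

The installer field is self-reported by whichever component drove the install and can be absent or wrong, which is why the output is a review list rather than a verdict: confirm a WebAPK by its manifest URL and an Aurora or sideloaded package by its signing certificate, using the signing-block check from the regional-store section for the Frosting half.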
Paid Social Ads as Distribution¶
Distinct from generic ad-network malvertising: operators run paid Meta / Facebook ad campaigns aimed directly at the target demographic, with creative tuned for legitimacy and cleared through Meta's review.
| Family | Lure | Citation |
|---|---|---|
| Brokewell variants | TradingView Premium disguise, 75+ ads reaching tens of thousands of EU users | Bitdefender Labs on Meta malvertising |
| Crocodilus variants | Global-expansion phase delivered through Meta ads | ThreatFabric on Crocodilus going global |
Social-Video Lure Chains¶
TikTok videos and other short-form social-video platforms surface as a discovery channel for malware lures. Trend Micro tracked TikTok creators directing viewers to infostealer downloads under a "free software" pretext; the documented chain primarily delivers desktop stealers but the same operator infrastructure has been observed staging mobile-targeting variants (Trend Micro on TikTok infostealer videos).
Network-Layer / Carrier-Path Injection¶
A state-level vector, not a commodity one. Targeted spyware (notably Predator) has been delivered via a privileged-intermediary man-in-the-middle on the carrier path, where the network operator replaces a plaintext HTTP response with an exploit chain that lands the implant without any user interaction or social lure. The technique requires either lawful access to carrier infrastructure or a separately compromised upstream router and is documented in SecurityWeek's coverage of Predator iOS / Android zero-day MITM delivery.
Fake Official Storefront Sites¶
Standalone phishing sites that impersonate Galaxy Store, Google Play, or RuStore, distinct from the fake-update-prompt pattern that piggybacks on a compromised page. The site reproduces the official chrome and serves an APK from the same domain. ESET documented UAE-targeted privacy-app phishing using fake official storefronts, and the FireScam operator staged a fake RuStore on a github.io page that pushed an information-stealer with spyware capabilities (CYFIRMA on FireScam).
Smishing and Phishing Pages¶
SMS-delivered links remain the dominant delivery vector for regional banking trojans.
| Lure | Target | Examples |
|---|---|---|
| Fake parcel delivery (USPS, FedEx, DHL, local post) | English/European/Asian users | FluBot (NCC Group / Cleafy lineage), TeaBot (Cleafy lineage to Anatsa), Roaming Mantis / MoqHao (Kaspersky Securelist, McAfee Labs) |
| Fake bank security alert | Customers of specific banks | Cerberus, Anubis, regional bankers |
| Fake government / tax / fine | Country-specific (e.g., DGT in Spain, INPS in Italy) | SuperCard X NFC relay MaaS (Cleafy), various LATAM bankers |
| Fake voicemail / missed call | English-speaking users | FluBot, Hydra |
| Romance / investment lure | Targeted, often via dating apps then handoff to SMS | Crocodilus (ThreatFabric, global expansion), pig-butchering operations |
The landing page typically detects the User-Agent, serves an APK only to Android visitors, and presents iOS users a credential phishing page instead.
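The practical consequence of that User-Agent gating is that a single fetch from a scanner sees the benign branch. The probe below, an added example and not code from any campaign or vendor cited here, requests the same lure URL under Android, iOS, desktop, and scanner User-Agents and classifies what each receives from headers and body rather than from the page text. The UA strings are representative, not copied from a campaign; the fetch function can be swapped, and the constructed_fetch stand-in at the bottom is a test fixture that models a UA-gated lure. Run the live variant only from an isolated analyst network, since it touches hostile infrastructure, and note that it exposes UA gating only; geography, referrer, or click-code gating needs a device-side capture.

```python
"""Probe one lure URL with several User-Agents and compare what each receives.

Added example. Run the live fetch only from an isolated analyst network.
UA strings are representative; constructed_fetch is a test stand-in.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str], str, bytes]   # status, headers, final URL, body
Fetch = Callable[[str, str], Response]

USER_AGENTS = {
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Mobile Safari/537.36",
    "ios": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
           "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36",
    "scanner": "curl/8.4.0",
}
APK_MIME = "application/vnd.android.package-archive"


def http_fetch(url: str, ua: str, timeout: int = 15) -> Response:
    """Live fetch: follows redirects, keeps the first MiB of the body."""
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.geturl(), resp.read(1 << 20)
    except urllib.error.HTTPError as err:
        hdrs = {k.lower(): v for k, v in err.headers.items()}
        return err.code, hdrs, err.geturl(), b""


def classify_response(status: int, headers: Dict[str, str],
                      final_url: str, body: bytes) -> str:
    """apk / credential_form / page / error, judged from headers and body."""
    if status >= 400:
        return "error"
    ctype = headers.get("content-type", "").lower()
    disp = headers.get("content-disposition", "").lower()
    path = final_url.split("?", 1)[0].lower()
    if (ctype.startswith(APK_MIME) or ".apk" in disp
            or path.endswith(".apk") or body[:4] == b"PK\x03\x04"):
        return "apk"
    low = body[:65536].lower()
    if b"<form" in low and b"password" in low:
        return "credential_form"
    return "page"


def probe(url: str, fetch: Fetch = http_fetch) -> Dict[str, object]:
    """Fetch once per UA; divergent classifications mean the page is cloaked."""
    per_ua = {name: classify_response(*fetch(url, ua)) for name, ua in USER_AGENTS.items()}
    return {
        "per_ua": per_ua,
        "cloaked": len(set(per_ua.values())) > 1,
        "android_payload": per_ua["android"] == "apk",
    }


def constructed_fetch(url: str, ua: str) -> Response:
    """Constructed stand-in for a UA-gated lure: APK to Android, credential
    page to iOS, 404 to everyone else (no network involved)."""
    if "Android" in ua:
        hdrs = {"content-type": APK_MIME,
                "content-disposition": 'attachment; filename="update.apk"'}
        return 200, hdrs, url + "/dl/update.apk", b"PK\x03\x04" + b"\x00" * 32
    if "iPhone" in ua:
        body = b'<html><form><input type="password" name="pin"></form></html>'
        return 200, {"content-type": "text/html"}, url, body
    return 404, {"content-type": "text/html"}, url, b"<html>not found</html>"


if __name__ == "__main__":
    print(probe("https://lure.example/track", fetch=constructed_fetch))
```

A "cloaked" result with an Android-only APK is the signature of the pattern described above; a page that serves the same content to every UA may still gate on other signals, so a clean probe is not a clean page.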
Malvertising¶
Ad networks deliver malware in two modes:
| Mode | Mechanism |
|---|---|
| Direct payload | Ad creative includes a download link to an APK; user is prompted to sideload |
| Drive-by redirect | Ad redirects through a chain ending at a fake update or fake app store page |
Search engine ads (Google Ads, Bing Ads) buying brand keywords ("WhatsApp download", bank names) have repeatedly been used to land users on cloned official-looking sites that serve trojanized APKs. Recent documented examples include Bitdefender Labs' coverage of Brokewell crypto-stealer delivered through Meta malvertising and Cleafy's analysis of Klopatra distribution through fake software pages.
Fake Update Prompts and Watering Holes¶
A compromised or attacker-controlled site shows the user a fake "your browser is out of date" or "Flash Player update required" prompt that downloads an APK. Sub-variant: legitimate site is hacked and serves the prompt only to mobile User-Agents. Common in pre-2020 adware campaigns; still observed in regional campaigns and as a tail-end stage of smishing/malvertising chains.
Cloud File Hosts as Relay¶
Smishing and malvertising chains rarely host the APK on the lure domain itself. The final hop typically lands on a reputable file host so the download URL passes URL reputation checks and survives takedown longer than a throwaway attacker domain.
| Host | Why operators use it |
|---|---|
| MEGA | Encrypted client-side, hard to scan in transit, generous free storage |
| MediaFire | Long-lived links, low takedown friction, used by malware crews and pirated-content channels alike |
| Google Drive | Trusted TLD, bypasses naive URL filters |
| Dropbox | Similar trust profile, public-share links |
| Discord CDN | Used heavily for stealer and RAT builds; lure delivery via Discord DMs |
Documented Android-side abuse includes Roaming Mantis / MoqHao landing pages staging APKs behind smishing redirectors, and Trend Micro's analysis of fake installer/cracks chains terminating on MediaFire and similar hosts. Treat any APK fetched from a generic cloud host as untrusted by default.
Firebase (Realtime DB, Firestore, FCM)¶
Firebase is the single most-abused Google-fronted backend for Android malware: operators use Firestore documents for runtime configuration, Realtime DB for C2 message buses, FCM for push-delivered commands, and Storage buckets as the APK CDN. Documented families include FireScam (CYFIRMA), KoSpy (Lookout on the North Korean APT37 attribution), the DoNot Firestarter loader (Cisco Talos), PJobRAT 2025 (Sophos), the BianLian dropper (ThreatFabric), and an Indian energy-subsidy banker (McAfee Labs). URLhaus tracks live Firebase Storage payload URLs and is a practical IOC source for active campaigns.
Hugging Face¶
Repos abused as an APK CDN with 15-minute rotation, 6,000+ commits over 29 days in a single campaign tracked by Bitdefender Labs.
AWS S3¶
Used as the primary APK and C2 host for South-Korea-targeted spyware since June 2024. TheTruthSpy stalkerware also exposed exfiltrated data via an unsecured S3 bucket (TechCrunch on TheTruthSpy).
Cloudflare Workers, Pages, R2, and TryCloudflare¶
Documented as rising malware delivery infrastructure: Fortra on Cloudflare Pages and Workers phishing abuse. Cloudforce One disclosed a fake Red Alert spyware operation fronted by Cloudflare (Cloudflare blog malware tag). TryCloudflare tunnels (*.trycloudflare.com) regularly front the C2 hop in commodity RAT and stealer chains.
GitHub Pages¶
*.github.io as the phishing landing host; the FireScam fake-RuStore page (cited above) is the canonical Android example.
Compromised WordPress Sites¶
Wpeeper uses compromised WordPress sites as a disposable C2 relay layer, and PJobRAT's 2025 campaign (cited above) used WordPress hosts for APK staging. The pattern is attractive because the operator pays nothing, the domain has organic reputation, and takedown depends on the unsuspecting site owner.
Telegra.ph¶
Used as an APK redirector in delivery chains (ANY.RUN sample). The platform's loose governance enables long-lived crypto and credential scams (KnowBe4).
Decentralized Hosts (IPFS, TON)¶
IPFS gateways host malware payloads across many families; Android-specific attribution is thinner than Windows but the gateway hop appears regularly in mobile chains. See Cisco Talos on IPFS abuse, Unit 42 on IPFS used maliciously, and Netcraft on disrupting IPFS phishing.
The TON blockchain has been adopted for covert C2 by TrickMo, which uses TON DNS and storage primitives so the C2 address survives takedown of any conventional resolver (BleepingComputer on TrickMo adopting TON).
GitHub Releases¶
Public GitHub repositories ship full builds of Android RATs and stealers, intended as "research" or "educational" projects. Operators clone or fork these and either use the published Releases APKs directly or rebuild after light customization. GitHub also serves as a secondary delivery host for individual campaigns when actors stage APKs in Releases of throwaway accounts.
| Repo / Project | Family | Citation |
|---|---|---|
| AhMyth | AhMyth | SonicWall on trojanized AhMyth in legitimate apps |
| Rafel RAT | Rafel | Check Point Research on Rafel |
| L3MON → XploitSPY fork | XploitSPY / L3MON lineage | ESET on Exotic Visit / XploitSPY |
| SpyNote / CypherRat source dump | SpyNote.C surge | BleepingComputer on SpyNote source leak |
| Cerberus source leak mirrors | Cerberus | ThreatFabric on Cerberus demise |
| CraxsRat v6.8 source leak | CraxsRat (EVLF DEV) | Group-IB on CraxsRat / Malaysia |
| SilverRAT source (taken down) | SilverRAT | HackRead on SilverRAT leak |
| Ghost Framework | ADB post-exploit toolchain | ESET on Exotic Visit using Ghost |
| DogeRAT | DogeRAT | Infosecurity Magazine on DogeRAT |
| FUD Android RAT 2025 | unattributed | Cybersecurity News on FUD Android RAT |
| "Anatsa update" repos | Anatsa second stage | Zscaler ThreatLabz on Anatsa |
| PhantomLance fake-developer profiles | PhantomLance (APT32) | Kaspersky Securelist on PhantomLance |
URL shorteners are recurring redirection-chain components: bit.ly was used by SharkBot smishing (NCC Group), MoqHao smishing (McAfee Labs on Roaming Mantis), and FluBot (Dark Reading on FluBot disruption).
SEO-Poisoned Search Results¶
Distinct from paid malvertising: actors rank attacker-controlled pages organically for high-intent queries ("WhatsApp APK download", "
Niche-Vertical Lure Sites¶
Several user communities have parallel distribution ecosystems that rarely overlap with mainstream malvertising. Adult content sites push trojanized "premium player" APKs and ransomware-style screen lockers (Koler lineage). Streaming and IPTV piracy sites distribute media-player APKs that bundle adware SDKs. Game-cheat communities (Free Fire, PUBG, CoD Mobile mods) are a primary vector for stealer and RAT installs through Discord and Telegram-linked sites. "Earn crypto" and airdrop-claim sites push wallet-draining APKs; the Crocodilus seed-phrase-parser feature targets this victim pool directly.
Pre-install / Firmware-Level Distribution¶
OEM/ODM supply-chain compromise places the payload in the device's system partition before the user takes it out of the box. The malware is signed by the platform key, runs as system, survives factory reset, and cannot be removed without re-flashing. Documented operations:
- Triada preinstalled on counterfeit and budget Android phones: rebuilt system images shipped from suspect ODMs carried Triada at the firmware level. Kaspersky on Triada in fake smartphones and Kaspersky / Dr. Web's 2017 firmware-level Triada findings.
- Cosiloon: pre-installed dropper on hundreds of low-cost Android models (ZTE, Archos, myPhone, others), firmware-level, irremovable by users. Avast disclosure.
- Chamois: ad-fraud and SMS-fraud botnet first detected and disclosed by Google in 2017; Google's Android Security Year-in-Review 2018 subsequently reported that Chamois had reached 7.4M affected devices, many through preinstalled supply-chain compromise (see also Duo Decipher coverage).
This vector is invisible to Play Protect's typical detection surface since the apps come from the device itself, signed by the OEM, and often live in /system/priv-app outside user control.
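Because a firmware-level implant is signed by the OEM and reported as a normal system package, the practical check is to compare the suspect device's privileged app inventory with the same inventory from a clean image of the same model. The script below is an added example, not tooling from this page or from any vendor cited above: it parses the output of `adb shell pm list packages -f -s`, groups packages by partition, lists privileged packages missing from the baseline, and emits the `adb pull` commands to retrieve them for analysis. Both captures and the package `com.example.syscore` are constructed placeholders.

```python
"""Diff a device's privileged system apps against a known-good baseline.

Added example, not from the page or from any cited vendor. Input is the text
of `adb shell pm list packages -f -s`; the baseline is the same command run
on a clean image of the same model. All sample data here is constructed.
"""
import re
from collections import defaultdict

# `pm list packages -f` prints one line per package:  package:<apk path>=<package name>
_LINE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")

# Directories whose apps are granted signature|privileged permissions.
PRIVILEGED_DIRS = ("/system/priv-app/", "/system_ext/priv-app/",
                   "/product/priv-app/", "/vendor/priv-app/")

# Constructed capture from a suspect budget device (com.example.syscore is a placeholder).
SUSPECT_DEVICE = """\
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/system/priv-app/SystemUI/SystemUI.apk=com.android.systemui
package:/system/priv-app/SysCore/SysCore.apk=com.example.syscore
package:/system/app/Calendar/Calendar.apk=com.android.calendar
package:/vendor/app/Overlay/Overlay.apk=com.example.vendor.overlay
"""

# Constructed baseline: package names from a clean image of the same model.
CLEAN_BASELINE = {"com.android.settings", "com.android.systemui",
                  "com.android.calendar", "com.example.vendor.overlay"}


def parse_pm_list(output):
    """Map package name -> APK path; lines that are not in pm's format are ignored."""
    inventory = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            inventory[m.group("pkg")] = m.group("path")
    return inventory


def is_privileged(path):
    """True if the APK lives in a priv-app directory on any partition."""
    return any(path.startswith(d) for d in PRIVILEGED_DIRS)


def group_by_partition(inventory):
    """Group package names by the first path component (/system, /vendor, /data, ...)."""
    groups = defaultdict(list)
    for pkg, path in inventory.items():
        groups["/" + path.split("/")[1]].append(pkg)
    return dict(groups)


def find_unexpected_privileged(inventory, baseline):
    """Privileged packages present on the device but absent from the clean baseline."""
    return sorted(pkg for pkg, path in inventory.items()
                  if is_privileged(path) and pkg not in baseline)


def pull_commands(inventory, packages):
    """adb commands to retrieve the flagged APKs; returned as strings, not executed."""
    return [f"adb pull {inventory[p]} {p}.apk" for p in packages]


if __name__ == "__main__":
    inv = parse_pm_list(SUSPECT_DEVICE)
    flagged = find_unexpected_privileged(inv, CLEAN_BASELINE)
    print("partitions:", group_by_partition(inv))
    print("unexpected privileged:", flagged)
    print("\n".join(pull_commands(inv, flagged)))
```

Two caveats when reading the output. A system app that has been updated from Play reports its active code under /data/app in the `-f` path, so the partition grouping also exposes which "system" packages are really running updated code. And the baseline has to come from a clean image of the same model, not from the suspect device's own signing report, since a firmware-level implant carries the OEM's signature.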
USB and PC-Assisted Sideload¶
Some malware reaches the device through a paired PC or a person with physical access, rather than through anything downloaded on the device itself.
| Vector | Examples |
|---|---|
| Stalkerware installed by an abuser with physical access | FlexiSpy, mSpy, Cerberus stalker |
| Employer monitoring during device provisioning | Commercial MDM-adjacent stalkerware |
| Carrier/repair-shop preinstall | Triada supply-chain variants in low-end devices |
These are out of scope for most analyst workflows but matter for stalkerware research and supply-chain investigations.
Sourcing Samples¶
| Source | Notes |
|---|---|
| VirusTotal | Primary, requires intel subscription for downloads |
| MalwareBazaar | Free, well-tagged |
| Koodous | Android-specific |
| APKMirror | Legitimate mirrors of original signed APKs (useful as the "clean" comparison) |
| Pull from rooted device | pm path <package> then adb pull for in-the-wild samples |
| Mod APK sites | Direct download for repackaging analysis; treat as hostile artifacts |
| Telegram MaaS channels | Operator-side builders and panels (operational risk; analyst tradecraft required) |
When sourcing from any unmoderated channel, hash and quarantine immediately, never open the APK directly on an analyst workstation, and prefer sandbox-first triage with APKiD and aapt metadata extraction.
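The intake steps above (hash, quarantine, metadata before anything is executed) as an added example, not code from this page or from the APKiD or aapt projects. The script hashes the sample, moves it into a quarantine directory under its SHA-256 name with execute bits stripped, and records a container-level inventory (DEX count, native ABIs, v1 signature presence) read purely from the ZIP central directory. Running `apkid` and `aapt dump badging` on the quarantined copy is the next step and is left to the caller. The sample APK built by `build_sample_apk()` and its filename are constructed stand-ins.

```python
"""Quarantine-first APK intake: hash, inventory the ZIP container, never execute.

Added example (not from the page, APKiD or aapt). The sample APK produced by
build_sample_apk() is a constructed stand-in, not a real application.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
import zipfile
from pathlib import Path


def sha256_file(path):
    """Streaming SHA-256 so large APKs are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def zip_inventory(path):
    """Summarise the container from its central directory only; no entry is extracted."""
    info = {"valid_zip": False, "entries": 0, "has_manifest": False,
            "dex_count": 0, "native_abis": [], "signed_v1": False}
    if not zipfile.is_zipfile(path):
        return info
    with zipfile.ZipFile(path) as z:
        names = z.namelist()
    info["valid_zip"] = True
    info["entries"] = len(names)
    info["has_manifest"] = "AndroidManifest.xml" in names
    # classes.dex, classes2.dex, ... sit at the archive root
    info["dex_count"] = sum(1 for n in names if n.endswith(".dex") and "/" not in n)
    info["native_abis"] = sorted({n.split("/")[1] for n in names
                                  if n.startswith("lib/") and n.count("/") >= 2})
    # v1 (JAR) signing leaves a signature block under META-INF/
    info["signed_v1"] = any(n.startswith("META-INF/") and n.endswith((".RSA", ".DSA", ".EC"))
                            for n in names)
    return info


def quarantine(src, qdir):
    """Move the sample into qdir as <sha256>.apk, drop exec bits, write a JSON record."""
    qdir = Path(qdir)
    qdir.mkdir(parents=True, exist_ok=True)
    digest = sha256_file(src)
    dest = qdir / f"{digest}.apk"
    shutil.move(str(src), dest)
    os.chmod(dest, stat.S_IRUSR)          # owner read-only: nothing can run it by accident
    record = {"sha256": digest, "original_name": Path(src).name, "path": str(dest),
              "size": dest.stat().st_size,
              "mode": oct(stat.S_IMODE(dest.stat().st_mode)), **zip_inventory(dest)}
    (qdir / f"{digest}.json").write_text(json.dumps(record, indent=2))
    return record


def build_sample_apk(path):
    """Constructed stand-in for an APK pulled from an unmoderated channel (not real code)."""
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00")      # binary-XML header only
        z.writestr("classes.dex", b"dex\n035\x00")                  # DEX magic only
        z.writestr("classes2.dex", b"dex\n035\x00")
        z.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF")
        z.writestr("lib/armeabi-v7a/libnative.so", b"\x7fELF")
        z.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
        z.writestr("META-INF/CERT.RSA", b"\x30\x82")                # PKCS#7 prefix only


def demo():
    """Build the constructed sample in a temp dir, run intake on it, return the record."""
    root = Path(tempfile.mkdtemp(prefix="apk-intake-"))
    sample = root / "inbox" / "Free_Fire_Mod_v3.apk"               # constructed filename
    sample.parent.mkdir()
    build_sample_apk(sample)
    return quarantine(sample, root / "quarantine")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The JSON record is what gets attached to the sample in the case tracker; the hash-named file is what gets handed to the sandbox. Because the inventory comes only from the central directory, a deliberately malformed archive (a common trick against triage tooling) degrades to `valid_zip: false` rather than to an exception, and the sample is still quarantined.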
Cross-References¶
- Supply Chain Attacks for compromise of legitimate distribution (SDK trojanization, build pipeline attacks).
- Play Frosting for the integrity signal that distinguishes Play-originated APKs.
- Threat Actors for who runs each distribution channel.
- Individual malware family pages list the specific channels each family uses.