Mass Malware Generation

Automated production of Android malware variants at scale through MaaS builder panels, app repackaging pipelines, crypter-as-a-service platforms, and coordinated multi-account Play Store submission. The result is hundreds or thousands of functionally identical malware samples that evade signature-based detection through automated obfuscation, distributed developer accounts, and sheer volume. Kaspersky reported a 196% surge in banking trojan attacks in 2024 (1.24 million attacks, up from 420,000 in 2023).

See also: Play Store Evasion, Dynamic Code Loading, C2 Communication

Techniques

MaaS Builder Panels

Malware-as-a-Service operators provide web-based builder panels that generate unique APKs per customer with customized targeting, branding, and C2 configuration. Each customer gets a variant that is structurally different enough to evade detection but functionally identical.

| Platform | Price | Capabilities | Source |
|---|---|---|---|
| PhantomOS | $799/week or $2,499/month + profit sharing | Silent app installs, 2FA interception, AV cloaking, phishing overlays. Operator handles all backend infrastructure (server + Telegram control bot). Client specifies target institution. | iVerify |
| Nebula | From $300/month | Background operation, SMS/call/location exfiltration, automated updates | iVerify |

Builder output includes: APK with rotated cryptographic packers, web panel for managing infected devices, SMS sending, data archive download, multi-device management, analytics dashboard. Many MaaS operators include or integrate with crypting services that rotate packers regularly to update signatures.

The SpyLoan ecosystem demonstrates framework-level mass generation. ESET documented 18 SpyLoan apps sharing a common framework: every instance behaves identically due to identical underlying code, with different branding and target regions. From Q2 to Q3 2024, malicious SpyLoan apps and unique infected devices increased by over 75%. McAfee tracked the global scope across Mexico, Indonesia, Thailand, Vietnam, India, Pakistan, Colombia, Peru, Philippines, Egypt, Kenya, Nigeria, and Singapore.

APK Binding Services

Services that take a legitimate APK and graft malicious code onto it, producing a "bound" app that retains original functionality while carrying a malware payload.

Zombinder (ThreatFabric, December 2022): Dropper-as-a-service announced March 2022 on darknet. Takes an original APK and "glues" obfuscated malicious payload to it with minor modifications. The bound app functions normally until it shows a fake "update" prompt; accepting installs Ermac or other payloads. The service claims undetectability at runtime and bypass of Google Play Protect. BleepingComputer and SecurityWeek covered the discovery.

App Piggybacking (Repackaging at Scale)

Automated pipelines that take legitimate apps, inject malicious payloads (the "rider"), and republish them. About 90% of reported Android malware uses some form of repackaging. A systematic study showed piggybacking is largely automated, with malware writers systematically ensuring necessary permissions are added.

The NDSS 2025 "Automated Mass Malware Factory" paper combined adversarial examples with piggybacking. Average time to generate an adversarial piggybacked app: 23.4 seconds (12.6s unpacking + 0.08s hooking + 10.6s repackaging). Achieved 88.3% evasion rate against ML-based detectors.
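The piggybacking signature described above (a legitimate app with a rider grafted on, and the permissions the rider needs added to the manifest) can be checked mechanically when a known-good build of the app is available. The following is an added example, not code from the page or from any study or tool it cites: it diffs a decoded AndroidManifest.xml of the original against the suspect build and reports added permissions and components. Both manifests and the permission watchlist are constructed for the example; it assumes the manifests have already been decoded to plain XML (as apktool produces).

```python
"""Diff a known-good manifest against a suspected repackaged (piggybacked) build.

Added example, not taken from the page or from any project it names. It assumes
both manifests are available as decoded XML text (as apktool produces them); the
two manifests below are constructed samples, as is the permission watchlist.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS  # Clark notation for the android:name attribute

# Constructed: a small watchlist of permissions a rider payload commonly needs.
WATCHLIST = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Constructed sample: the original, benign app.
ORIGINAL_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight" android:versionCode="12">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample: the same app after a rider was grafted on. Package name,
# launcher activity and label are untouched so the app still looks legitimate.
REPACKAGED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight" android:versionCode="12">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name="com.sdk.util.SmsReceiver"/>
    <service android:name="com.sdk.util.SyncService"/>
  </application>
</manifest>"""

COMPONENT_KINDS = ("activity", "service", "receiver", "provider")


def summarize(manifest_xml):
    """Extract the package name, declared permissions and declared components."""
    root = ET.fromstring(manifest_xml.strip())
    app = root.find("application")
    return {
        "package": root.get("package"),
        "permissions": {e.get(NAME) for e in root.iter("uses-permission")},
        "components": {
            kind: ({e.get(NAME) for e in app.iter(kind)} if app is not None else set())
            for kind in COMPONENT_KINDS
        },
    }


def diff_manifests(original_xml, candidate_xml):
    """Report what the candidate declares beyond the known-good original."""
    base, cand = summarize(original_xml), summarize(candidate_xml)
    added_perms = sorted(cand["permissions"] - base["permissions"])
    added_components = {
        kind: sorted(cand["components"][kind] - base["components"][kind])
        for kind in COMPONENT_KINDS
    }
    return {
        "package_changed": base["package"] != cand["package"],
        "added_permissions": added_perms,
        "watchlist_hits": sorted(p for p in added_perms if p in WATCHLIST),
        "added_components": added_components,
        # Added permissions or components are the classic piggybacking signature.
        "suspicious": bool(added_perms or any(added_components.values())),
    }


if __name__ == "__main__":
    for key, value in diff_manifests(ORIGINAL_MANIFEST, REPACKAGED_MANIFEST).items():
        print(f"{key}: {value}")
```

The manifest diff is a cheap first pass; a changed signing certificate between the two builds is the stronger signal and is worth checking alongside it, since a repackaged APK cannot be re-signed with the original developer's key.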

Dropper-as-a-Service

Specialized services that handle the delivery stage, bypassing Android security restrictions so the malware operator can focus on the payload.

SecuriDropper (ThreatFabric, November 2023): DaaS that bypasses Android 13 Restricted Settings by using the same session-based PackageInstaller API as legitimate marketplaces. Android cannot distinguish dropper installs from marketplace installs, so the payload freely requests Accessibility Service access. Observed delivering SpyNote and ERMAC.

Coordinated Multi-Account Store Submission

Large-scale campaigns using distributed developer accounts to submit hundreds of variants simultaneously, overwhelming Play Store review capacity.

Vapor Campaign (IAS Threat Lab / Bitdefender, 2025): 331 malicious apps with over 60 million combined downloads. Multiple developer accounts, each hosting only a handful of apps so takedown of one account has minimal impact. Each publisher used a different ads SDK to obscure the campaign. Evasion: disabled launcher activity after install, renamed to "Google Voice" in Settings, used Leanback Launcher (Android TV launcher) for stealth, versioning attack (clean submission, malicious update via C2). Generated 200 million fraudulent ad bid requests daily.

Konfety Evil Twin Operation (HUMAN Security, 2024): Over 250 decoy apps on Google Play acting as "evil twins" for ad-fraud malware. At peak, the operation generated 10 billion programmatic requests per day. Decoy apps on the store appeared clean; the actual malicious variants were distributed via malvertising, compromised WordPress sites, Docker Hub, Facebook, Google Sites, and OpenSea. Evil twin network traffic is functionally identical to decoy twin traffic. The latest variants use malformed APK files that crash analysis tools while installing normally on devices.

Crypter-as-a-Service

Third-party services that obfuscate malware APKs to evade AV detection. Operators submit their malware and receive a "crypted" version with modified signatures, encrypted strings, and junk code injection.

DroidMorph (academic tool) demonstrated the fragility of detection: a morphing tool generating 1,771 malware variants achieved a 51.4% detection rate, meaning half of the generated variants evaded detection entirely. The tool applied automated transformations: class renaming, method shuffling, string encryption, resource randomization.

Commercial crypter services rotate obfuscation techniques regularly. Many MaaS operators bundle crypting with their builder panels, updating malware signatures to remain stealthy against AV engines and Play Protect. Sekoia documented two types: scantime crypters (obfuscate before execution) and runtime crypters (decrypt portions into memory during execution). The first academic study of the underground crypter marketplace (arXiv:2405.11876) found monthly subscriptions ranging from $50 to $300+ on HackForums.
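Two of the observations above translate directly into triage logic: the Konfety variants that are malformed at the ZIP level so that analysis tooling aborts, and runtime crypters that ship an encrypted blob which is only decrypted in memory. The following is an added example, not code from the page, HUMAN Security, Sekoia, or any crypter study it cites. It walks an APK entry by entry so that one unreadable member is reported rather than taking the whole analysis down, flags duplicate and path-traversal entry names, and scores the readable payloads by Shannon entropy to surface encrypted-looking assets. The sample APKs are built in memory; the 7.5 bits/byte threshold and the media-extension skip list are assumptions, not values from the page.

```python
"""APK triage that isolates malformed ZIP entries and flags encrypted-looking payloads.

Added example, not from the page or any tool it names. It assumes the APK is
available as bytes; the sample APKs are constructed in memory, and the entropy
threshold and media-extension skip list are assumptions.
"""
import hashlib
import io
import math
import warnings
import zipfile
import zlib
from collections import Counter

# Already-compressed media legitimately has high entropy; skip it to cut false positives.
SKIP_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".gif", ".mp3", ".ogg", ".mp4", ".zip", ".ttf")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the maximum, encrypted or random data sits near 7.9+."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes, entropy_threshold: float = 7.5):
    """Walk every entry, report the ones that cannot be read instead of aborting,
    flag duplicate names and path traversal, and score the readable payloads."""
    report = {"readable": [], "anomalies": [], "high_entropy": []}
    try:
        zf = zipfile.ZipFile(io.BytesIO(apk_bytes))
    except zipfile.BadZipFile as exc:
        report["anomalies"].append(f"central directory unreadable: {exc}")
        return report
    with zf:
        for name, count in Counter(zf.namelist()).items():
            if count > 1:
                report["anomalies"].append(f"{name}: {count} central-directory entries share this name")
            if ".." in name.split("/"):
                report["anomalies"].append(f"{name}: path traversal in entry name")
        for info in zf.infolist():
            try:
                data = zf.read(info)
            except (zipfile.BadZipFile, NotImplementedError, RuntimeError, zlib.error) as exc:
                # One bad local header must not take the whole analysis down.
                report["anomalies"].append(f"{info.filename}: {exc}")
                continue
            report["readable"].append(info.filename)
            if len(data) >= 64 and not info.filename.lower().endswith(SKIP_SUFFIXES):
                ent = shannon_entropy(data)
                if ent >= entropy_threshold:
                    report["high_entropy"].append((info.filename, round(ent, 2)))
    return report


def make_apk(entries) -> bytes:
    """Build an APK-shaped ZIP from (name, bytes) pairs; duplicate names are allowed on purpose."""
    buf = io.BytesIO()
    with warnings.catch_warnings():
        warnings.simplefilter("ignore")  # zipfile warns about duplicate names
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, data in entries:
                zf.writestr(name, data)
    return buf.getvalue()


def corrupt_local_header(apk_bytes: bytes, name: str) -> bytes:
    """Overwrite one entry's local file header signature to mimic a malformed APK:
    the central directory still parses, but that member cannot be opened."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        offset = zf.getinfo(name).header_offset
    return apk_bytes[:offset] + b"XXXX" + apk_bytes[offset + 4:]


# Constructed samples. PSEUDO_RANDOM is 4096 deterministic high-entropy bytes.
PSEUDO_RANDOM = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
MANIFEST = b"<manifest package='com.example.app'/>" * 4
DEX = b"dex\n035\x00" + bytes(range(64)) * 8  # low-entropy stand-in for classes.dex
CLEAN_APK = make_apk([("AndroidManifest.xml", MANIFEST), ("classes.dex", DEX),
                      ("res/layout/main.xml", b"<LinearLayout/>" * 8)])
CRYPTED_APK = make_apk([("AndroidManifest.xml", MANIFEST), ("classes.dex", DEX),
                        ("assets/config.dat", PSEUDO_RANDOM)])  # runtime-decrypted payload stand-in
MALFORMED_APK = corrupt_local_header(CLEAN_APK, "classes.dex")
DUPLICATE_APK = make_apk([("classes.dex", b"A" * 100), ("classes.dex", b"B" * 100)])

if __name__ == "__main__":
    for label, apk in [("clean", CLEAN_APK), ("crypted", CRYPTED_APK),
                       ("malformed", MALFORMED_APK), ("duplicate", DUPLICATE_APK)]:
        print(label, triage_apk(apk))
```

The point of the per-entry try/except is that a sample which crashes the parser is itself a finding worth recording, not a reason to drop the sample from the pipeline; the entropy flag is only a lead, since any compressed or genuinely encrypted legitimate asset will trip it too.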

Automated Evasion Tools

Open-source and academic tools that automate APK transformation to evade detection:

| Tool | Year | Technique | Impact |
|---|---|---|---|
| AVPASS | 2017 (Black Hat USA) | Leaks AV detection models, then uses perturbation to bypass. Three components: query function, variant generator, data analyzer. | Generated apps detected only 6% of the time. 56 of 58 AVs bypassed almost always. |
| Obfuscapk | 2020 | Open-source black-box obfuscation. Decompile via apktool, apply obfuscation on smali/resources/manifest, recompile. | VirusTotal detection dropped from 91% to 71% with medium obfuscation |
| AAMO | 2017 | 17 obfuscation techniques: string encryption, renaming, reordering, reflection, nop insertion, arithmetic branching | Automated pipeline: decompile -> obfuscate -> recompile -> re-sign |
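The transformations these tools and DroidMorph apply (class renaming, method shuffling, string encryption) change hashes and signatures but not the shape of the code, which is what a defender can key on to collapse 1,771 variants back into one family. The following is an added example, not code from the page or from DroidMorph, AVPASS, Obfuscapk or AAMO: it computes a rename- and order-invariant fingerprint from a per-class method listing (keeping only framework/primitive type kinds and opcode counts), clusters samples by it, and scores how machine-generated the identifiers look. The listing format and all three sample listings are constructed for the example.

```python
"""Rename-invariant fingerprinting to cluster morphed APK variants.

Added example, not from the page or from DroidMorph, AVPASS, Obfuscapk or AAMO.
It assumes a per-class method listing such as a DEX dumper can produce, modelled
here as {class_descriptor: [(method_name, param_types, return_type, opcode_count)]};
every listing below is constructed.
"""
import hashlib
import re
from collections import defaultdict

SHORT_NAME = re.compile(r"^[A-Za-z]{1,2}$")  # a, b, aa: the shape of renamed identifiers


def _type_kind(descriptor: str) -> str:
    """Keep framework and primitive types; collapse app-defined types, which get renamed."""
    if descriptor.startswith("L") and not descriptor.startswith(("Ljava/", "Landroid/", "Lkotlin/")):
        return "APP"
    return descriptor


def fingerprint(classes) -> str:
    """Hash the app's structure with every identifier removed.

    Class and method names are dropped, and both method order within a class and
    class order are sorted away, so renaming and shuffling leave the digest unchanged;
    parameter/return kinds and opcode counts still pin down the code's shape."""
    class_shapes = []
    for methods in classes.values():
        method_shapes = sorted(
            (tuple(_type_kind(p) for p in params), _type_kind(ret), opcodes)
            for _name, params, ret, opcodes in methods
        )
        class_shapes.append(repr(method_shapes))
    return hashlib.sha256("\n".join(sorted(class_shapes)).encode()).hexdigest()


def obfuscation_score(classes) -> float:
    """Fraction of class and method simple names that look machine-generated (1-2 letters)."""
    names = []
    for descriptor, methods in classes.items():
        names.append(descriptor.rsplit("/", 1)[-1].rstrip(";"))
        names.extend(name for name, *_ in methods)
    return sum(1 for n in names if SHORT_NAME.match(n)) / len(names) if names else 0.0


def cluster(samples):
    """Group {sample_id: class_listing} by structural fingerprint."""
    groups = defaultdict(list)
    for sample_id, classes in samples.items():
        groups[fingerprint(classes)].append(sample_id)
    return {fp: sorted(ids) for fp, ids in groups.items()}


# Constructed: the listing of one sample as an analyst would see it.
ORIGINAL = {
    "Lcom/flashlight/MainActivity;": [
        ("onCreate", ["Landroid/os/Bundle;"], "V", 42),
        ("toggle", [], "Z", 9),
    ],
    "Lcom/flashlight/Uploader;": [
        ("<init>", [], "V", 3),
        ("collect", ["Landroid/content/Context;"], "Ljava/util/List;", 120),
        ("upload", ["Ljava/lang/String;", "Lcom/flashlight/Config;"], "Z", 77),
    ],
    "Lcom/flashlight/Config;": [
        ("<init>", [], "V", 3),
        ("url", [], "Ljava/lang/String;", 4),
    ],
}

# Constructed: the same code after class renaming and method shuffling.
MORPHED = {
    "La/a;": [
        ("<init>", [], "V", 3),
        ("b", ["Ljava/lang/String;", "La/c;"], "Z", 77),
        ("c", ["Landroid/content/Context;"], "Ljava/util/List;", 120),
    ],
    "La/b;": [
        ("a", [], "Z", 9),
        ("b", ["Landroid/os/Bundle;"], "V", 42),
    ],
    "La/c;": [
        ("a", [], "Ljava/lang/String;", 4),
        ("<init>", [], "V", 3),
    ],
}

# Constructed: an unrelated app with a different structure.
UNRELATED = {
    "Lcom/notes/Editor;": [("save", ["Ljava/lang/String;"], "Z", 31), ("<init>", [], "V", 3)],
}

if __name__ == "__main__":
    for fp, ids in cluster({"sample-1": ORIGINAL, "sample-2": MORPHED, "sample-3": UNRELATED}).items():
        print(fp[:16], ids)
    print("obfuscation:", obfuscation_score(ORIGINAL), obfuscation_score(MORPHED))
```

Opcode counts are used as a stand-in for method bodies; an attacker who also inserts nops or junk code (as AAMO does) will shift them, so in practice a tolerant comparison such as a similarity threshold over the per-method shapes holds up better than an exact digest, and the exact digest is still useful to de-duplicate the bulk of builder-panel output.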

Source Code Leaks as Force Multipliers

When a banking trojan's source code leaks, it instantly enables mass variant generation by any operator. The leaked code typically includes builder tools, C2 panels, and obfuscation modules.

ERMAC 3.0 (BleepingComputer): Leaked archive contained PHP/Laravel C2 backend, React operator panel, Go-powered exfiltration server, Docker deployment files, Android APK builder, and obfuscation module. Targets 700+ apps. Lineage: Cerberus (leaked Sept 2020) -> Alien -> ERMAC -> Hook -> ERMAC 3.0.

See Source Code Leaks in the malware section for the full timeline of leaks and their downstream impact.

Families Using Mass Generation

| Family | Scale | Technique | Source |
|---|---|---|---|
| Joker | 1,700+ variants | Automated code mutation, Play Store submission across hundreds of developer accounts | CERT Polska 2024 analysis |
| SpyLoan | 18+ apps, 12M+ downloads | Shared framework, templated app generation, mass geographic targeting | ESET, McAfee |
| Necro | 11M+ devices, multi-app | Coral SDK embedded across multiple legitimate apps | Kaspersky |
| Harly | Millions of downloads across dozens of apps | Templated utility apps (games, wallpapers, cameras) | Google Play campaigns |
| SpyNote | Explosion post-leak | Builder leaked publicly; accessible to low-skill operators | Zimperium |
| Rafel RAT | 120+ campaigns, 10+ threat actors | Open-source release enabled mass adoption | Check Point |
| Vapor campaign | 331 apps, 60M downloads | Distributed developer accounts, templated utility apps | Bitdefender |
| Konfety | 250+ decoy apps | Evil twin architecture: clean store apps + sideloaded malicious variants | HUMAN Security |
| Mamont | Custom variants per operator | MaaS model generates unique variant per customer for a fee | Kaspersky |

Scale

Google blocked 2.36 million policy-violating apps and banned 158,000 developer accounts in 2024. Play Protect scans 200 billion apps daily and identified 13 million new malicious apps from outside Google Play. Despite this, the volume of malicious submissions continues to increase year over year (2022: 1.5M blocked, 173K banned; 2023: 2.28M blocked, 333K banned; 2024: 2.36M blocked, 158K banned).

The Economics

Mass generation is economically rational because the marginal cost of producing an additional variant is near zero while the marginal cost of detecting each variant is significant.

| Factor | Attacker Cost | Defender Cost |
|---|---|---|
| Generate new variant | Seconds (automated builder) | Hours (manual analysis) or expensive ML retraining |
| New developer account | $25 (Google Play fee) | N/A |
| Crypter service | $50-100/month | Signature updates across entire AV fleet |
| MaaS subscription | $300-2,500/month | Full-time analyst + infrastructure |

The asymmetry is structural. Kaspersky's 2024 data shows the scale of the problem: despite Google removing 2.3 million apps from the Play Store in 2024, banking trojan attacks nearly tripled.