Phishing Kits for Android for Sale for 1,800 Dollars

Blog Details

DISCLAIMER : The purpose of this video is to promote cyber security awareness. All scenarios shown in the videos are for demonstration purposes only.

The internet is a dark and dangerous place, and it just got a little bit darker. InTheBox, a notorious threat actor, is making waves in the Russian cybercrime world. The phishing of Android devices is on the rise. The hackers are offering a vast inventory of web injectors that can be used to steal credentials and sensitive data from unaware victims. This threat is serious. We should all take a closer look at what this notorious hacker has to offer.

Cyble researchers found InTheBox offered 1,894 web injects (overlays of phishing windows) compatible with various Android banking malware. These overlays mimic popular banking, cryptocurrency exchange, and e-commerce apps. These overlays are used by dozens of countries on almost all continents. Cybercriminals are increasingly using these tactics, so it is crucial that you are aware of them.


Mobile banking trojans have seen a surge in recent times, and InTheBox has enabled cybercriminals to hijack sensitive information with ease. The malware, once it infiltrates a device, inspects which applications are there and gathers the relevant web injects connected to them. When the user launches the application of interest, the malware quickly shows an overlay that is similar to the legitimate product in structure. InTheBox offers up-to-date injects for numerous apps, giving criminals more time to focus on other sections of their mission such as developing their malware or expanding their assault to further areas.

Web inject packages used in Android phishing

InTheBox is offering three different web inject packages for Android phising protection, targeting various malwares such as Alien, Ermac, Octopus, MetaDroid, Cerberus and Hydra. Prices for the packages vary from $6,512 to $4,680. If you’re not after a full set of web injects they can be purchased individually at $30 each. Additionally, users can even request an individualised custom inject tailored to the type of malware used. InTheBox provide comprehensive coverage against all android banking trojans.

InTheBox's web injects consist of app icon PNGs and an HTML file, containing JavaScript code. This aggressive form of Android banking Trojan is designed to mine victims' credentials along with other sensitive data. In many cases, it also features a second overlay prompting for credit card numbers, expiration dates and CVV numbers which are automatically sent to the malicious operator's server. To further aid fraudsters, this malware uses the Luhn algorithm to validate entries - resulting in only valid cards numbers being accepted.

InTheBox has been selling web injects for Android malware since February 2020 and is continuously adding new pages targeting more banks and financial apps. Cyble was able to confirm that InTheBox's web injects have been used by the 'Coper' and the 'Alien' Android trojans in 2021 and September 2022, respectively. This shows that InTheBox's web injects are not only effective, but also in demand. It was targeted at Spanish banks in January 2023.


If you have any questions, please don't hesitate to Contact Us

Back to Blog
We use cookies on our website. By continuing to browse our website, you agree to our use of cookies. For more information on how we use cookies go to Cookie Information.