There are lots of web pages too, but an exploit that works when you visit a web page is still a pretty big deal.

"MoneyMakingApp5000 - make money from home"

Post some screenshots of the app with screenshots of some random Paypal transfers and I don't think that you will have a problem getting people to find/download your app.

Downloading and running it once would set up the exploit but not complete it, IIRC. You need to go back to the target app and re-enter credentials then run the exploit app a second time. So a broken app that a user would run once and then delete is no good.

A standard Trojan game/utility would work fine even if only a small number of people run it.

Ah yes, security by obscurity, everyone's favourite.

Security through obscurity strikes again!