New Android malware installed over 3 million times from Google Play


A security researcher discovered a new family of Android malware in the Google Play Store that secretly subscribed users to premium services, according to a report by Bleeping Computer.

The new Android malware, called Autolycos, was discovered by Maxime Ingrao, a security researcher at cybersecurity firm Evina. First identified by Ingrao in June 2021, the malware has infected eight apps in the Play Store that have been downloaded more than three million times.

All these malicious apps tricked users into downloading them by providing additional functionality for their camera or keyboard.

Ingrao pointed out that these malicious apps asked users for permission to read SMS text messages on the smartphone after installation. Once users gave their consent, the apps stole data.

Sometimes the apps even subscribed users to premium packages of the infected apps without the owner’s knowledge or consent. The owners wouldn’t know until they received a bill and a message saying that their credit or debit card had been charged.

While the researcher reported the Autolycos malware to Google as early as June 2021, it took the search giant about six months to remove six of the infected apps from the Play Store. Furthermore, the two remaining infected apps were not removed until Bloomberg published their article on the Autolycos malware.

Below is the complete list of apps infected with the Autolycos malware, with their download counts:

  1. Vlog Star Video Editor: 1 million downloads
  2. Creative 3D Launcher: 1 million downloads
  3. Wow Beauty Camera: 100,000 downloads
  4. Gif Emoji Keyboard: 100,000 downloads
  5. Freeglow Camera 1.0.0: 5,000 downloads
  6. Coco Camera V1.1: 1,000 downloads
  7. Funny Camera by KellyTech: Over 50,000 downloads
  8. Razer Keyboard & Theme by rxcheldiolola: Over 50,000 downloads

How did the Autolycos malware work?

“Autolycos is much more discreet than the now well-known Joker malware. Autolycos does not launch an invisible browser like Joker does. The malware initiates fraud attempts by making http requests without using a browser,” Ingrao wrote in a report explaining how the malware works.

“For some steps, it can run URLs in a third-party browser and embed these results in the http requests. This operation is intended to make it harder for Google to distinguish Autolycos-infected apps from legitimate ones. This is exactly why Autolycos remained unidentified for so long and reached over 3 million downloads.”

The cyber criminals promoted the apps on various Facebook pages and ran ads on Facebook and Instagram to reach a large number of new users.

The ad campaigns made the apps more visible to users, which resulted in a large number of users downloading the apps in a short time and the apps ranking high on the Play Store.

For example, according to Ingrao, there were 74 different ad campaigns on Facebook to promote the Razer Keyboard & Theme app with Autolycos. Some also used bots to generate positive reviews on the Play Store. This app ranks 5th in the top new apps of the Play Store in Nigeria and 2nd in the personalization apps category.

To stay safe, check whether your Android smartphone has any of the infected apps listed above and, if so, uninstall them immediately. Keep track of background internet data and the battery used by apps, keep Play Protect active, and download as few apps as possible on your smartphone.
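One way to run that check from a computer, as an added example that is not part of the original article: the script below lists user-installed apps that currently hold SMS-read permissions, the access the Autolycos apps asked for after installation. It assumes `adb` with USB debugging enabled; the function names and the sample `dumpsys` text are constructed for illustration, and flagged package names still have to be matched by hand against the store names listed above.

```shell
#!/usr/bin/env bash
# Added example (not from the article): list third-party apps that hold
# SMS-read permissions, the access the Autolycos apps asked for.

# Read `dumpsys package <pkg>` text on stdin; print each SMS-read permission
# that is actually granted (not merely requested), one per line.
granted_sms_perms() {
  { grep -oE 'android\.permission\.(READ|RECEIVE)_SMS: granted=true' || true; } |
    cut -d: -f1 | sort -u
}

# Constructed sample of dumpsys output for a hypothetical camera app.
sample_dumpsys() {
  cat <<'EOF'
Package [com.example.camera] (1a2b3c):
  requested permissions:
    android.permission.CAMERA
    android.permission.READ_SMS
    android.permission.RECEIVE_SMS
  runtime permissions:
    android.permission.CAMERA: granted=true, flags=[ USER_SET ]
    android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
    android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
EOF
}

# Walk user-installed packages on the connected device (requires adb and
# USB debugging) and print "package<TAB>granted SMS permissions".
audit_device() {
  adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
      # </dev/null stops adb from swallowing the rest of the package list
      perms=$(adb shell dumpsys package "$pkg" </dev/null | tr -d '\r' |
        granted_sms_perms | paste -sd, -)
      if [ -n "$perms" ]; then printf '%s\t%s\n' "$pkg" "$perms"; fi
    done
}

case "${1:-}" in
  --device) audit_device ;;
  --demo)   sample_dumpsys | granted_sms_perms ;;
esac
```

Run it with `--demo` to see the parser on the constructed sample, or `--device` against a connected phone; a camera, keyboard or launcher app in the output deserves a closer look, since none of those functions needs to read SMS.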
