Researcher discovered new app malware on Google Play that steals your money
Maxime Ingrao, security researcher at cybersecurity company Evina, has discovered a new malware family that can infect Android apps on Google Play.
It’s called Autolycos – from the eponymous Greek mythological figure, known for his mastery of theft and deception. And that’s exactly what the malware does.
Since June 2021, Ingrao has identified eight infected apps in the Play Store, which have been downloaded more than three million times.
New family of malware found that subscribes to premium services 👀
8 applications since June 2021, 2 apps always in Play Store, +3 million installs 💀💀
No web view like #joker but only http requests
Let’s call it #Autolycos #Android #Malware #Evina pic.twitter.com/SgTfrAOn6H
— Maxime Ingrao (@IngraoMaxime) July 13, 2022
How does Autolycos work?
According to Evina’s report, Autolycos’ main purpose is to subscribe users to premium Direct Carrier Billing (DCB) services, without their knowledge or consent.
Unlike the Joker malware, which launches an invisible browser and uses WebView, Autolycos carries out its fraud attempts by making HTTP requests directly, without a browser.
For some steps, it can open the URLs in an external browser and embed the results in its HTTP requests.
Here’s how Autolycos can access a verification PIN by reading a phone’s notifications:
The malware’s mode of action makes it difficult for Google to distinguish infected apps from legitimate ones. That is why it has gone unnoticed for so long.
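The capability described above (network access plus a way to read a verification code from SMS or notifications) can be checked for in an app's decoded manifest. The following script is an added example for this article, not code from Evina's report; it assumes an AndroidManifest.xml already decoded to plain XML (for instance with apktool), and the sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # the android: XML namespace

NOTIF_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Ways an app can read a one-time code delivered to the phone.
CODE_READERS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS", NOTIF_LISTENER}


def capabilities(manifest_xml: str) -> set:
    """Collect the permissions a decoded AndroidManifest.xml asks for.
    A notification listener is declared as a <service> protected by
    BIND_NOTIFICATION_LISTENER_SERVICE, not as a <uses-permission> entry."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    for svc in root.iter("service"):
        if svc.get(A + "permission") == NOTIF_LISTENER:
            perms.add(NOTIF_LISTENER)
    perms.discard(None)
    return perms


def dcb_fraud_indicators(manifest_xml: str) -> list:
    """Return findings that make an app capable of silent DCB subscription:
    network access combined with a way to read the verification code."""
    perms = capabilities(manifest_xml)
    readers = perms & CODE_READERS
    findings = []
    if "android.permission.INTERNET" in perms and readers:
        findings.append("network access combined with " + ", ".join(sorted(readers)))
    return findings


# Constructed manifest for a hypothetical "camera" app (not a real sample).
CAMERA_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NotifService"
        android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in dcb_fraud_indicators(CAMERA_APP):
        print("FINDING:", finding)
```

A match is a reason to look closer, not a verdict: a legitimate messaging app declares the same permissions, which is exactly why this family was hard to tell apart from benign apps.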
In order to defraud as many users as possible, the cyber criminals behind Autolycos promote the apps on Facebook pages and run Facebook and Instagram ads.
Ingrao identified 74 ad campaigns for one of the infected apps: the Razer Keyboard & Theme app.
To promote the applications, fraudsters create various Facebook pages and display ads on Facebook and Instagram.
For example, there were 74 ad campaigns for Razer Keyboard & Theme malware pic.twitter.com/lLl9faZjQI
— Maxime Ingrao (@IngraoMaxime) July 13, 2022
Traces have also been found in Asia and several European countries, including Spain, Austria, Poland and Germany, indicating an alarming expansion.
Which are the infected apps?
Evina and Ingrao shared a list of the eight apps where the malware was found:
- Razer Keyboard & Theme – 10,000+ downloads
- Vlog Star Video Editor – 1,000,000+ downloads
- Funny Camera – 500,000+ downloads
- Coco Camera – 1,000+ downloads
- Creative 3D Launcher – 1,000,000+ downloads
- GIF Keyboard – 100,000+ downloads
- Freeglow Camera – 5,000+ downloads
- Wow Camera – 100.00+ downloads
Interestingly, Ingrao told BleepingComputer that he had already notified Google in June 2021. While the company acknowledged receiving the report, it took a ridiculously long six months to remove the first set of six apps, leading the researcher to go public on Twitter.
On July 13, Google removed the last two: Funny Camera and Razer Keyboard & Theme. If you want to check what the apps looked like, you can find them in Evina’s report.
However, I discovered an app that looks suspiciously like the deleted Vlog Star Video Editor.
It shares the exact same photo and description, only it’s now called Vlog Star video maker.
Look:
This means that even if the identified apps are removed, we should be vigilant as the fraudsters behind the malware may continue to introduce infected apps.
How to protect yourself?
There is no bulletproof strategy for avoiding app malware, but there are some simple steps you can take:
- Do not allow apps to read your SMS content after installation. Also, check third-party data sharing permissions.
- Read the reviews!
- Keep Google Play Protect active.
- Don’t just download any app.
- Remove apps you no longer use.