Researcher discovered new app malware on Google Play that steals your money

Maxime Ingrao, security researcher at cybersecurity company Evinahas discovered a new malware family that can infect Android apps on Google Play.

It’s called Autolycos – from the eponymous Greek mythological figure, known for his mastery of theft and deception. And that’s exactly what the malware does.

Since June 2021, Ingrao has identified eight infected apps in the Play Store, which have been downloaded more than three million times.

How does Autolycos work?

Greetings, technical geek!

Do you love gadgets? And apps? And other cool tech stuff? Then this weekly newsletter is for you.

According to Evina’s reportAutolycos’ main purpose is to subscribe users to premium Direct Carrier Billing (DCB) services, without their knowledge or consent.

unlike the Joker malware launching an invisible browser and using Webview, Autolycus launches fraud attempts by making http requests without using a browser.

For some steps, it can run the urls in an external browser and embed the results in the http requests.

Here’s how Autolycos can access a verification PIN by reading a phone’s notifications:

Autolycos malware
Credit: Evina

The malware’s mode of action makes it difficult for Google to distinguish infected apps from legitimate ones. That is why it has gone unnoticed for so long.

In order to defraud as many users as possible, the cyber criminals behind the Autolycos promote the apps on Facebook pages and run Facebook and Instagram apps.

Ingrao identified 74 ad campaigns for one of the infected apps: the Razer Keyboard & Theme app.

Traces have also been found in Asia and several European countries, including Spain, Austria, Poland and Germany, indicating an alarming expansion.

Which are the infected apps?

Evina and Ingao shared a list of the eight apps where the malware was found:

  1. Razer Keyboard & Theme — 10,000+ downloads
  2. Vlog Star Video Editor — 1,000,000+ Downloads
  3. Funny Camera — 500,000+ Downloads
  4. Coco Camera — 1,000+ downloads
  5. Creative 3D Launcher – 1,000,000+ downloads
  6. GIF Keyboard — 100,000+ Downloads
  7. Freeglow Camera – 5000+ Downdoads
  8. Wow Camera — 100.00+ Downloads

Interesting, Ingao told BleepingComputer that he had already notified Google in June 2021. While the company acknowledged receiving the report, it took a ridiculously long six months to remove the first set of six apps, leading the researcher to go public on Twitter.

On July 13, Google removed the last two: Funny Camera and Razer Keyboard & Theme. If you want to check what the apps looked like, you can find them in Evira’s report.

However, I discovered an app that looks suspiciously like the deleted Vlog Star Video Editor.

It shares the exact same photo and description, only it’s called now Vlog Star video maker.


autolycos malware app

This means that even if the identified apps are removed, we should be vigilant as the fraudsters behind the malware may continue to introduce infected apps.

How to protect yourself?

There is no bulletproof strategy for avoiding app malware, but there are some simple steps you can take:

  1. Do not allow apps to read your SMS content after installation. Also, check third-party data sharing permissions.
  2. Read the reviews!
  3. To keep Play protect active.
  4. Don’t just download any app.
  5. Remove apps you no longer use.


Shreya has been with for 3 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider, Shreya seeks to understand an audience before creating memorable, persuasive copy.