android malware

A security researcher discovered a new family of Android malware on the Google Play Store that secretly signed up subscribers to premium services, according to a report from Bleeping Computer.

The new Android malware, dubbed Autolycos, was discovered by Maxime Ingrao, a security researcher at cybersecurity company Evina. The malware, which was first identified by Ingrao in June 2021, has infected eight apps on the Play Store that have been downloaded over three million times.

All these malicious apps lured users into downloading them by offering additional functionality for their camera or keyboard.

Ingrao pointed out that these malicious apps asked users for authorization to read SMS text on the smartphone after installation. Once the users gave permission, they stole data.

Sometimes they even subscribed for premium packages of the infected apps without the owner’s knowledge or consent. They would know only when they received a bill and notice informing them that the amount has been debited from their credit or debit cards.

While the researcher reported about the Autolycos malware to Google way back in June 2021, it took the search giant around half a year to remove six of the infected apps from the Play Store. Further, the two remaining infected apps were taken down only after Bloomberg published their article on Autolycos malware.

Given below is a complete list of apps infected with the Autolycos malware and its detail: 

  1. Vlog Star Video Editor:- 1 million downloads
  2. Creative 3D Launcher:- 1 million downloads
  3. Wow Beauty Camera:- 100,000 downloads
  4. Gif Emoji Keyboard:- 100,000 downloads
  5. Freeglow Camera 1.0.0:- 5,000 downloads
  6. Coco camera V1.1:- 1,000 downloads
  7. Funny Camera by KellyTech:- Over 50,000 downloads
  8. Razer Keyboard & Theme by rxcheldiolola:- Over 50,000 downloads

How did the Autolycos malware work?

“Autolycos is much more discreet than the now well-known Joker malware. Autolycos does not launch an invisible browser like Joker does. The malware launches fraud attempts by executing http requests without using a browser,” Ingrao wrote in a report explaining how the malware works.

“For some steps, it can execute urls on a remote browser and embed these results in the http requests. This operation is intended to make it harder for Google to differentiate Autolycos infected apps from legitimate ones. This is exactly why Autolycos remained unidentified for so long and reached over 3 million downloads.”

The cybercriminals promoted the apps on several Facebook pages and ran ads on Facebook and Instagram to reach a large number of new users.

The apps that were promoted through the advertising campaigns were made more visible to users, which led to a large number of users downloading the apps in a short period of time that ended up ranking high in the Play Store.

For example, there were 74 different ad campaigns on Facebook to promote the Razer Keyboard & Theme app containing Autolycos, according to Ingrao. Some also used bots to generate positive reviews on the Play Store. This app has been ranked 5th in the top new apps of the Play Store in Nigeria and ranked 2nd in the personalization app category.

In order to stay safe, check if your Android smartphone has any of the above-mentioned infected apps, if yes, delete it immediately. Monitor your background internet data, battery consumed by apps, keep Play Protect active, and download as few apps as possible on your smartphones.