Despite Google’s efforts, malware apps continue to find their way onto the Play Store. We’ve previously covered a number of cases, including the recent “toll fraud” malware targeting older Android devices.
Scammers have now tricked users into downloading a new strain of malware millions of times. Fortunately, all infected apps have been removed from the Play Store—but you could still have one on your smartphone right now.
Security researcher Maxime Ingrao was the first to identify this new malware family. Ingrao dubbed it “Autolycos” and found it packaged in at least eight Android apps that unsuspecting victims could download. Worst of all?
Those apps have been downloaded over three million times in total, meaning Autolycos has made its way onto millions of Android devices.
Autolycos may also be present in apps Ingrao has not yet examined, but these are the eight titles he has confirmed contain the malware. They are listed in descending order of download count before removal from the Play Store:
- Vlog Star Video Editor: 1 million downloads
- Creative 3D Launcher: 1 million downloads
- Funny Camera: 500,000 downloads
- Razer Keyboard & Theme: 500,000 downloads
- Wow Beauty Camera: 100,000 downloads
- Gif Emoji Keyboard: 100,000 downloads
- Freeglow Camera 1.0.0: 5,000 downloads
- Coco Camera v1.1: 1,000 downloads
According to Ingrao, he discovered these malicious apps and reported them to Google over a year ago, in June 2021. Google reportedly acknowledged receiving his findings but did not act for six months, and even then removed only six of the eight identified apps from the Play Store. The remaining two, Funny Camera and Razer Keyboard & Theme, were still available for download when BleepingComputer published its article on Wednesday, July 13. Google removed them shortly after that article appeared.
Autolycos exists to sign victims up for premium subscription services without their knowledge. Rather than loading the subscription pages in a WebView inside the app, which a user might notice, it executes the URLs in a remote browser under the attacker’s control and sends the results back over HTTP requests, so the whole sign-up flow runs without anything being displayed on the device. On top of that, many of the infected apps requested permission to read the user’s SMS messages, which lets Autolycos scrape incoming texts (for example, the verification codes a carrier sends to confirm a subscription).
What is notable about the Autolycos campaign is that its operators lent their apps credibility by promoting them through Facebook pages and paid Facebook and Instagram ads. According to Ingrao, the Razer Keyboard & Theme app alone was pushed by 74 ad campaigns, which helped it reach 500,000 downloads before it was taken down.
How to protect yourself from Autolycos and other malware apps
First and foremost, review the list of apps above. If any of them is installed on your Android device, uninstall it immediately. None is still available for download, but removal from the Play Store does not uninstall an app from devices that already have it.
In the future, thoroughly research apps on the Play Store before downloading them to your phone. Take a look at the app’s name, preview images, and description: Is everything appropriate for the type of app it claims to be? Descriptions should be clear and well-written, and images should be high-quality and showcase the advertised basic features.
Examine the reviews: If you notice a lot of negative feedback, skip the app. However, take note of how positive reviews are written. If all of the five-star reviews are poorly worded or appear to miss the point of the app in general, it’s a sign that they’re bot-generated reviews designed to inflate the rating of a malicious or junk app.
Most importantly, review the permissions the app requests; they are listed on its Play Store page and, for sensitive ones, prompted for at runtime. A video editor, for example, has no business requesting permission to read your SMS messages, and a theme or keyboard app should not need your location or health data. Skip an app whose permission list is long, and especially one whose permissions do not match its stated purpose. /Freedom Tech
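The permission check above can be automated for apps that are already installed, which matters because Autolycos-style apps stay on a phone after they are pulled from the Play Store. The following script is an added example written for this article, not code from the researcher or from any of the apps named above. It assumes a device connected over USB with debugging enabled and `adb` on the PATH; it lists third-party packages with `pm list packages -3`, parses the “requested permissions” block of `dumpsys package` for each, and flags any app that asks for SMS access. The sample `dumpsys` output embedded at the bottom is constructed for illustration and uses made-up package names.

```python
"""Flag installed third-party Android apps that request SMS permissions.

Added example for this article (not the researcher's tooling). Assumes a
device reachable through `adb`; the parsing functions also work offline on
saved `dumpsys package` output.
"""
from __future__ import annotations

import subprocess

# Permissions that let an app read, receive or send text messages. A camera,
# launcher, keyboard or video editor has no legitimate reason to ask for any.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_MMS",
    "android.permission.RECEIVE_WAP_PUSH",
}


def requested_permissions(dumpsys_text: str) -> list[str]:
    """Return the permission names listed under 'requested permissions:'
    in `adb shell dumpsys package <pkg>` output, in listing order."""
    perms: list[str] = []
    in_block = False
    block_indent = 0
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "requested permissions:":
            in_block, block_indent = True, indent
            continue
        if in_block:
            # The block ends at the first blank line or at the next header
            # that is indented no deeper than the block header itself.
            if not stripped or indent <= block_indent:
                in_block = False
                continue
            # Tolerate a trailing ': granted=...' style suffix if present.
            perms.append(stripped.split()[0].rstrip(":"))
    return perms


def sms_permissions(dumpsys_text: str) -> list[str]:
    """Sorted subset of the requested permissions that grant SMS access."""
    return sorted(p for p in requested_permissions(dumpsys_text) if p in SMS_PERMISSIONS)


def third_party_packages(pm_list_output: str) -> list[str]:
    """Parse `adb shell pm list packages -3` output ('package:<name>' lines)."""
    return [
        line.split(":", 1)[1].strip()
        for line in pm_list_output.splitlines()
        if line.startswith("package:")
    ]


def adb_shell(*args: str) -> str:
    """Run a command on the attached device and return its stdout."""
    return subprocess.run(
        ["adb", "shell", *args], capture_output=True, text=True, check=True
    ).stdout


def audit_device() -> dict[str, list[str]]:
    """Map each installed third-party package to the SMS permissions it requests."""
    findings: dict[str, list[str]] = {}
    for pkg in third_party_packages(adb_shell("pm", "list", "packages", "-3")):
        hits = sms_permissions(adb_shell("dumpsys", "package", pkg))
        if hits:
            findings[pkg] = hits
    return findings


# Constructed sample output for offline use (made-up package, not a real app).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.funcamera] (1a2b3c4):
    userId=10234
    codePath=/data/app/com.example.funcamera-1
    requested permissions:
      android.permission.CAMERA
      android.permission.INTERNET
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true
      runtime permissions:
        android.permission.CAMERA: granted=true
"""

SAMPLE_PM_LIST = "package:com.example.funcamera\npackage:com.example.notes\n"


if __name__ == "__main__":
    try:
        results = audit_device()
    except (FileNotFoundError, subprocess.CalledProcessError):
        # No adb or no device: demonstrate the parser on the constructed sample.
        results = {third_party_packages(SAMPLE_PM_LIST)[0]: sms_permissions(SAMPLE_DUMPSYS)}
    for pkg, perms in results.items():
        print(f"{pkg}: requests {', '.join(perms)}")
```

Any package the script reports deserves a second look: an app whose purpose has nothing to do with messaging yet requests `READ_SMS` or `RECEIVE_SMS` is exactly the pattern Ingrao describes, and `adb uninstall <package>` removes it even if the Play Store listing is long gone.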