
Researcher discovers malware in Google Play apps that steals your money


Maxime Ingrao, a security researcher at the cybersecurity firm Evina, has discovered a new malware family hidden inside Android apps distributed through Google Play.


It is named Autolycos, after the figure in Greek mythology known for his talent for theft and deception, which is exactly what the malware does.


As of June 2021, Ingrao had identified eight infected apps on the Play Store, downloaded more than three million times in total.



How does Autolycos work?

As reported by Evina, Autolycos' primary goal is to subscribe users to premium Direct Carrier Billing (DCB) services without their knowledge or consent, so the charges land on the victim's phone bill.


Unlike the Joker malware, which launches a hidden browser and drives a WebView, Autolycos carries out its fraud attempts by issuing HTTP requests directly, without any browser.


For some steps it can execute URLs in a remote browser and embed the results in those HTTP requests.


Here is how Autolycos gets hold of the verification PIN by reading the phone's notifications:


[Image: Autolycos malware. Credit: Evina]
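The two capabilities described above (a way to read the confirmation PIN, plus network access to drive the subscription flow) are also what an analyst can look for when triaging an APK. The script below is an added example, not code from Evina's report or from the malware: it parses a decoded AndroidManifest.xml (as apktool would produce it), flags SMS permissions and any service bound with the NotificationListenerService permission, and then shows the harvesting step by pulling a confirmation code out of constructed notification texts. The function names `triage_manifest` and `extract_pins`, the package names `com.example.themes` and `com.example.flashlight`, the sample manifests and notifications, and the keyword heuristic are all this example's own assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names. Which combination counts as "DCB-fraud capable"
# is this example's own heuristic, not Evina's detection logic.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
INTERNET = "android.permission.INTERNET"

# Constructed sample manifests (in the form apktool decodes them); not from any real app.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.themes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".NotifSvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE">
      <intent-filter>
        <action android:name="android.service.notification.NotificationListenerService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

# Constructed notification texts, as a NotificationListenerService would receive them.
SAMPLE_NOTIFICATIONS = [
    ("Messages", "Alex: see you at 7?"),
    ("Carrier", "Your confirmation code for the premium subscription is 48213."),
    ("System", "Battery at 85%, charging"),
]


def triage_manifest(manifest_xml: str) -> dict:
    """Flag the capability pattern a DCB-fraud app needs: a way to read the
    confirmation PIN (SMS permissions or a notification listener) plus network
    access to drive the subscription flow over plain HTTP requests."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    listeners = [
        s.get(ANDROID_NS + "name")
        for s in root.iter("service")
        if s.get(ANDROID_NS + "permission") == NOTIFICATION_LISTENER
    ]
    findings = []
    sms = sorted(perms & SMS_PERMISSIONS)
    if sms:
        findings.append("SMS access: " + ", ".join(sms))
    if listeners:
        findings.append("notification listener: " + ", ".join(listeners))
    return {
        "package": root.get("package"),
        "internet": INTERNET in perms,
        "findings": findings,
        "dcb_fraud_capable": bool(findings) and INTERNET in perms,
    }


# Carrier confirmation codes are short numeric one-time PINs.
PIN_RE = re.compile(r"\b(\d{4,6})\b")
PIN_KEYWORDS = ("code", "pin", "subscription", "confirm")


def extract_pins(notifications) -> list:
    """Pick out (sender, pin) pairs from notifications that look like carrier
    confirmations. This is the harvesting step that runs inside the malware's
    notification listener; the keyword filter is a heuristic of this example."""
    hits = []
    for sender, text in notifications:
        if not any(k in text.lower() for k in PIN_KEYWORDS):
            continue
        match = PIN_RE.search(text)
        if match:
            hits.append((sender, match.group(1)))
    return hits


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "->", result)
    print("harvested PINs:", extract_pins(SAMPLE_NOTIFICATIONS))
```

A manifest hit is a reason to look closer, not a verdict: keyboard and messaging apps legitimately request notification access, so the next step is checking whether the app also talks to carrier subscription endpoints. The keyword filter in `extract_pins` is loose on purpose and will produce false positives on ordinary messages that mention a code; it shows the harvesting pattern, not a production rule.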


Because the malware behaves this way, it is hard for Google to distinguish the infected apps from legitimate ones, which is why it went undetected for so long.


To reach as many users as possible, the cybercriminals behind Autolycos promote the apps on Facebook pages and run ad campaigns on Facebook and Instagram.

Ingrao identified 74 advertising campaigns for just one of the infected apps, Razer Keyboard & Theme.



Traces have also been found in Asia and in several European countries, including Spain, Austria, Poland and Germany, showing an alarming expansion.


Which are the infected apps?

Evina and Ingrao have shared the list of the eight apps in which the malware was found:


  1. Razer Keyboard & Theme — 10,000+ downloads
  2. Vlog Star Video Editor — 1,000,000+ downloads
  3. Funny Camera — 500,000+ downloads
  4. Coco Camera — 1,000+ downloads
  5. Creative 3D Launcher — 1,000,000+ downloads
  6. GIF Keyboard — 100,000+ downloads
  7. Freeglow Camera — 5,000+ downloads
  8. Wow Camera — 100,000+ downloads

Interestingly, Ingrao told BleepingComputer that he notified Google in June 2021. Although the company acknowledged receiving the report, it took an oddly long six months to remove the first set of six apps, which led the researcher to go public on Twitter.


On July 13, Google removed the last two: Funny Camera and Razer Keyboard & Theme. If you want to see what the apps look like, you can find them in the Evina report.


However, I have discovered an app that looks suspiciously like Vlog Star Video Editor. It shares the same image and description, but it is now called Vlog Star Video Maker.


Here is what it looks like:


[Image: Autolycos malware app]

This means that even though the identified apps have been removed, we must stay vigilant, because the fraudsters behind the malware may keep publishing infected apps under new names.


How to protect yourself

There is no bulletproof strategy for avoiding app malware, but there are some simple steps you can take:


  1. Don't grant apps permission to read your SMS messages or your notifications unless they genuinely need it; that access is exactly what Autolycos uses to capture the confirmation PIN. Check third-party data-sharing permissions too.
  2. Read the reviews!
  3. Keep Play Protect active.
  4. Don't install any app lightly, even from Google Play.
  5. Delete apps you no longer use.