At least eight apps that were on the Play Store before contained a new type of Android malware.
Malware-infected apps seem to be able to get into the Play Store no matter how hard Google tries to stop them. We’ve talked about a lot of cases in the past, like the recent “toll fraud” malware that was made to attack older Android phones. Now, the people who made a new type of malware have tricked millions of people into downloading it. All known infected apps have been removed from the Play Store, but you might still have one on your phone right now.
The first person to talk about this new group of malware was researcher Maxime Ingrao. Ingrao called it “Autolycus” and said that at least eight Android apps were hiding the new malware so that people would download them without knowing it. Worst of all? These eight apps have been downloaded more than three million times by Android users, which means Autolycus is on millions of devices.
Even though Autolycus could be in other apps, Ingrao has confirmed that it is only in these eight. They are listed here in order of how many times they were downloaded before being taken off the Play Store:
One million people have used the Vlog Star Video Editor.
1 million people have downloaded Creative 3D Launcher.
Funny Camera: 500,000 downloads
500,000 people have downloaded Razer Keyboard & Theme.
Wow, Beauty Camera has had 100,000 downloads.
Gif Emoji Keyboard: 100,000 downloads
5,000 people have downloaded Freeglow Camera 1.0.0.
Coco Camera v1.1: 1,000 downloads
Ingrao told BleepingComputer that he found these bad apps and told Google about them more than a year ago, in June 2021. Google is said to have confirmed that it got Ingrao’s findings, but it didn’t do anything for six months, and when it did, it only took six of the eight apps from the Play Store. When the article was posted on July 13 by BleepingComputer, two of the apps, Funny Camera and Razer Keyboard & Theme, were still available for download. Shortly after the article came out, Google also took down those apps.
The main goal of Autolycus is to sign up people for paid services without their knowledge. It does this by running URLs on a different, remote browser and sending back the results without a Webview. This process was made so that Autolycus apps could work in the background without users knowing. Also, many of these apps asked for permission to read a user’s SMSs, which let Autolycos read victims’ SMSs without their permission.
This Autolycos attack is interesting because hackers used Facebook pages and ads on Facebook and Instagram to make their apps seem like they were real. Ingrao says in a tweet that there were 74 advertising campaigns for the Razer Keyboard & Theme app, which got 500,000 downloads in the end.
