Try as Google might, it seems there’s no stopping malware-infected apps from sneaking their way onto the Play Store. We’ve covered plenty of cases in the past, including the recent “toll fraud” malware targeting older Androids. Now, the scammers behind a new strain of malware have tricked users into downloading it millions of times. Luckily, all apps known to be infected have been scrubbed from the Play Store — but you could still have one of them on your smartphone right now.
Researcher Maxime Ingrao was the first to highlight this new group of malware. Ingrao dubbed it “Autolycos,” and claimed at least eight Android apps packaged the new malware for unsuspecting victims to download. The worst part? Android users have downloaded those eight apps over three million times collectively, meaning Autolycos found its way onto millions of devices.
While Autolycos may be present in other apps, these are the eight titles Ingrao confirmed to be hiding the malware. They’re listed here in descending order of the number of downloads they reached before being removed from the Play Store:
- Vlog Star Video Editor: 1 million downloads
- Creative 3D Launcher: 1 million downloads
- Funny Camera: 500,000 downloads
- Razer Keyboard & Theme: 500,000 downloads
- Wow Beauty Camera: 100,000 downloads
- Gif Emoji Keyboard: 100,000 downloads
- Freeglow Camera 1.0.0: 5,000 downloads
- Coco Camera v1.1: 1,000 downloads
Ingrao told BleepingComputer he discovered and reported these malicious apps to Google over a year ago, back in June 2021. While Google reportedly confirmed receiving Ingrao’s findings, the company didn’t take action for six months, and, even then, only removed six of the eight identified apps from the Play Store. When BleepingComputer’s article went up Wednesday, July 13, two of the apps, Funny Camera and Razer Keyboard & Theme, were still available for download. Shortly after publication, Google removed those apps as well.
Autolycos’ main objective is to sign victims up for premium services without their knowledge. It achieves this by loading URLs in a remote browser and returning the results, rather than displaying them in a WebView on the device. This design lets Autolycos apps operate stealthily without alerting users. In addition, many of these apps asked for permission to read the user’s SMS messages, allowing Autolycos to freely scrape victims’ texts.
What’s fascinating about this particular Autolycos attack is that hackers sold the legitimacy of their apps with Facebook pages as well as Facebook and Instagram ads. As Ingrao highlights in a tweet, there were 74 ad campaigns for the Razer Keyboard & Theme app, which managed half a million downloads when all was said and done.
To promote the applications, fraudsters create several Facebook pages and run ads on Facebook and Instagram. For example, there were 74 ad campaigns for Razer Keyboard & Theme malware pic.twitter.com/lLl9faZjQI — Maxime Ingrao (@IngraoMaxime) July 13, 2022
How to protect yourself from Autolycos and other malware apps
First and foremost, take a good look at the list of apps above. If you installed any on your Android device, delete them now. While none are currently available for download, their removal from the Play Store doesn’t affect apps already installed on devices.
Going forward, rigorously investigate apps on the Play Store before downloading them to your phone. Take a look at the name of the app, the preview images, and the description: Does everything make sense for the type of app it’s purporting to be? Descriptions should be clear and well-written, and images should be high-quality and show off the basic features advertised.
Scan reviews: If you notice a lot of bad reviews, skip the app. However, notice how the positive reviews are written, as well. If the five-star reviews are all poorly worded, or seem to miss the point of the app in general, that’s a sign they are bot-generated reviews meant to inflate the rating of a malicious or junk app.
Most importantly, check the permissions the app will be requesting upon installation. A video editor, for example, has no business asking for permission to read your SMS messages, while a theme app should not have access to your location or health data. If you notice too many permissions on the list, especially when those permissions don’t match the app’s purpose, avoid it.
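As an added example (not from the article or from Ingrao’s research), here is a small Python script that automates that last check on an app already installed on a device: it parses the “requested permissions:” block from `adb shell dumpsys package <pkg>` output and flags sensitive permissions that do not fit the app’s stated category. The category allowlists and the sample dumpsys output are constructed assumptions for illustration.

```python
"""Flag Android permission requests that do not fit an app's stated purpose."""

# Sensitive permissions that warrant scrutiny whatever the app claims to be.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.CALL_PHONE",
}

# Assumed, illustrative allowlists: which sensitive permissions plausibly fit
# each kind of app. Any sensitive permission outside the list is a mismatch.
EXPECTED_BY_CATEGORY = {
    "video_editor": set(),
    "theme": set(),
    "camera": {"android.permission.ACCESS_FINE_LOCATION",   # photo geotagging
               "android.permission.ACCESS_COARSE_LOCATION"},
    "messaging": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
                  "android.permission.READ_CONTACTS"},
}

def parse_requested_permissions(dumpsys_text):
    """Return the permission names listed under 'requested permissions:'."""
    perms, in_block = [], False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            if not stripped or stripped.endswith(":"):  # next section header
                break
            perms.append(stripped.split(":")[0])  # tolerate 'name: flag=...'
    return perms

def flag_mismatches(category, permissions):
    """Return sensitive permissions that do not fit the given app category."""
    allowed = EXPECTED_BY_CATEGORY.get(category, set())
    return sorted(p for p in permissions if p in SENSITIVE and p not in allowed)

# Constructed sample: a "video editor" that also wants to read text messages.
SAMPLE_DUMPSYS = """\
  Package [com.example.videoeditor] (1a2b3c):
    userId=10150
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    for p in flag_mismatches("video_editor", parse_requested_permissions(SAMPLE_DUMPSYS)):
        print("suspicious for a video editor:", p)
```

On a real device, pipe `adb shell dumpsys package <pkg>` into `parse_requested_permissions` and pick the category that matches what the Play Store listing claims the app does.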