Over 3,000,000 people downloaded a new Android malware family from the Google Play Store that discreetly subscribes users to premium services.
Maxime Ingrao, an Evina security researcher, found the malware, known as “Autolycos,” in at least eight Android applications, of which two are still downloadable from the Google Play Store as of this writing.
The two apps still available are named ‘Funny Camera’ by KellyTech, which has over 500,000 installations, and ‘Razer Keyboard & Theme’ by rxcheldiolola, which counts over 50,000 installs on the Play Store.
The remaining six applications have been removed from the Google Play Store, but anyone who still has them installed risks being charged for costly subscriptions through the malware's activity:
- Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
- Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
- Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
- Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
- Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
- Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads
During a discussion with Ingrao, the researcher told Droid Tools that he discovered the apps in June 2021 and reported his findings to Google at the time.
Although Google acknowledged receiving the report, it took the company six months to remove the set of six, while two malicious apps remain on the Play Store to this day.
After so much time had passed since the initial reporting, the researcher disclosed his findings publicly.
To keep its malicious behavior stealthy, Autolycos does not use a WebView. Instead, it executes URLs on remote browsers and then includes the results in HTTP requests.
This is intended to make its actions less noticeable to users of infected devices.
On installation, the malicious apps frequently requested permission to read SMS content, which gave them access to the victim's text messages.
The Autolycos operators launched various social media advertising campaigns to draw new users to the apps. Ingrao discovered 74 Facebook ad campaigns for the Razer Keyboard & Theme alone.
Additionally, while some of the fraudulent apps on the Play Store inevitably received bad reviews, some with fewer downloads continue to have positive user ratings thanks to fake reviews.
To protect themselves against these attacks, Android users should keep Play Protect activated, monitor background internet data and battery usage, and install as few apps as possible on their handsets.
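For defenders who manage devices, the following added example (not from the original article or from Evina) checks a device's package list against the six package IDs listed above and reports which SMS permissions any match still holds. The sample `adb` output is constructed, and mapping "view SMS content" to `READ_SMS`/`RECEIVE_SMS` is an assumption; the two apps still on the Play Store are not covered because the article gives no package IDs for them.

```python
import re

# Package IDs of the six removed apps, copied from the list in the article.
AUTOLYCOS_PACKAGES = {
    "com.vlog.star.video.editor", "app.launcher.creative3d",
    "com.wowbeauty.camera", "com.gif.emoji.keyboard",
    "com.glow.camera.open", "com.toomore.cool.camera",
}
# Assumption: "view SMS content" maps to these standard Android permissions.
SMS_PERMISSIONS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}

# Constructed sample of `adb shell pm list packages` output.
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.wowbeauty.camera
package:app.launcher.creative3d
"""

# Constructed sample excerpts of `adb shell dumpsys package <id>` output.
SAMPLE_DUMPSYS = {
    "com.wowbeauty.camera": """\
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
""",
    "app.launcher.creative3d": """\
    runtime permissions:
      android.permission.READ_SMS: granted=false
""",
}

def installed_packages(pm_list_output):
    """Parse lines of the form 'package:<id>' into a set of package IDs."""
    return {l.split(":", 1)[1].strip() for l in pm_list_output.splitlines()
            if l.startswith("package:")}

def granted_sms_permissions(dumpsys_output):
    """Return the SMS permissions that dumpsys reports as granted=true."""
    granted = re.findall(r"^\s*([\w.]+): granted=true", dumpsys_output, re.M)
    return sorted(SMS_PERMISSIONS.intersection(granted))

def audit(pm_list_output, dumpsys_by_package):
    """Map each listed package found installed to its granted SMS permissions."""
    hits = installed_packages(pm_list_output) & AUTOLYCOS_PACKAGES
    return {pkg: granted_sms_permissions(dumpsys_by_package.get(pkg, ""))
            for pkg in sorted(hits)}

if __name__ == "__main__":
    for pkg, perms in audit(SAMPLE_PM_LIST, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: installed; SMS permissions granted: {perms or 'none'}")
```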