Over 3,000,000 people downloaded a new Android malware family from the Google Play Store that discreetly subscribes users to premium services.

Maxime Ingrao, an Evina security researcher, found the malware, known as “Autolycos,” in at least eight Android applications, of which two are still downloadable from the Google Play Store as of this writing.

The two apps still in the Play Store are KellyTech’s “Funny Camera,” which has over 500,000 installs, and rxcheldiolola’s “Razer Keyboard & Theme,” which has over 50,000 installs.

The Funny Camera app on the Play Store

The other six apps have been taken down from the Google Play Store, but individuals who continue to use them run the risk of having their subscriptions to expensive services renewed by the malware.

  • Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
  • Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
  • Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
  • Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
  • Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
  • Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads

Ingrao told BleepingComputer that he first noticed the apps in June 2021 and immediately informed Google of his discovery.

Google confirmed receiving the information, but it took the company six months to remove the six dangerous apps, and the other two are still available on the Play Store.

The researcher made his findings public after a significant amount of time had passed since the initial reporting.

Autolycos functions and promotion

Rather than using a WebView, Autolycos behaves stealthily: it executes URLs on a remote browser and then includes the results in its HTTP requests.

This behaviour is intended to make its actions less noticeable to users of infected devices.

When installed on a smartphone, the malicious apps frequently asked for permission to read SMS content, which gave them access to the victim’s SMS text messages.

The Autolycos owners launched various social media advertising campaigns to draw in new users to the apps. Ingrao discovered 74 Facebook ad campaigns for the Razer Keyboard & Theme alone.

Some of the recent ad campaigns on Facebook (@IngraoMaxime)

Additionally, while some of the fraudulent apps on the Play Store inevitably received bad reviews, those with fewer downloads continue to have positive user ratings thanks to fake reviews.

To protect themselves against these attacks, Android users should keep Play Protect activated, monitor background internet data and battery usage, and keep the number of apps installed on their handsets to a minimum.
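For anyone triaging a handset, the sketch below is an added example (not from Evina, Google or the original report) that checks captured `adb shell pm list packages` output against the six package IDs listed above and reports whether each match has been granted SMS read access according to `adb shell dumpsys package <id>`. The sample outputs are constructed; the two apps named without a package ID on this page are not covered.

```python
import re

# Package IDs of the six removed apps, copied from the list above.
AUTOLYCOS_PACKAGES = {
    "com.vlog.star.video.editor", "app.launcher.creative3d",
    "com.wowbeauty.camera", "com.gif.emoji.keyboard",
    "com.glow.camera.open", "com.toomore.cool.camera",
}
READ_SMS = "android.permission.READ_SMS"

def installed_packages(pm_list_output):
    """Parse `adb shell pm list packages` output (one "package:<id>" per line)."""
    lines = (line.strip() for line in pm_list_output.splitlines())
    return {l[len("package:"):] for l in lines if l.startswith("package:")}

def granted_permissions(dumpsys_output):
    """Permissions marked granted=true in `adb shell dumpsys package <id>` output."""
    return set(re.findall(r"^\s*([\w.]+): granted=true", dumpsys_output, re.M))

def triage(pm_list_output, dumpsys_by_package):
    """Return {package_id: reads_sms} for every listed app found on the device."""
    findings = {}
    for pkg in sorted(installed_packages(pm_list_output) & AUTOLYCOS_PACKAGES):
        perms = granted_permissions(dumpsys_by_package.get(pkg, ""))
        findings[pkg] = READ_SMS in perms
    return findings

# Constructed sample output, not captured from a real device.
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.gif.emoji.keyboard
package:com.wowbeauty.camera
package:org.example.notes
"""
SAMPLE_DUMPSYS = {
    "com.gif.emoji.keyboard": """    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
""",
    "com.wowbeauty.camera": """    runtime permissions:
      android.permission.CAMERA: granted=true
      android.permission.READ_SMS: granted=false
""",
}

if __name__ == "__main__":
    for pkg, reads_sms in triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS).items():
        print(f"{pkg}: installed, READ_SMS granted={reads_sms}")
```

A match that also holds SMS read access is the combination the article describes; uninstalling the app is the remedy either way.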

Update 7/13/2022: Shortly after this piece was published, Google deleted the last two adware programs from the Play Store.

Reference: https://www.bleepingcomputer.com/news/security/new-android-malware-on-google-play-installed-3-million-times/?&web_view=true