New Android malware on Google Play installed 3 million times

A new Android malware family on the Google Play Store that secretly subscribes users to premium services was downloaded over 3,000,000 times.

The malware, named 'Autolycos,' was discovered by Evina's security researcher Maxime Ingrao to be in at least eight Android applications, two of which are still available on the Google Play Store at the time of this writing.

The two apps still available are named 'Funny Camera' by KellyTech, which has over 500,000 installations, and 'Razer Keyboard & Theme' by rxcheldiolola, which counts over 50,000 installs on the Play Store.

The remaining six applications have been removed from the Google Play Store, but those who still have them installed risk being charged with costly subscriptions by the malware's activities.

• Vlog Star Video Editor (com.vlog.star.video.editor) – 1 million downloads
• Creative 3D Launcher (app.launcher.creative3d) – 1 million downloads
• Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
• Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
• Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
• Coco Camera v1.1 (com.toomore.cool.camera) –1,000 downloads

During a discussion with Ingrao, the researcher told BleepingComputer that he discovered the apps in June 2021 and reported his findings to Google at the time.

Although Google acknowledged receiving the report, it took the company six months to remove the set of six, while two malicious apps remain on the Play Store to this day.

After so much time had passed since the initial reporting, the researcher disclosed his findings publicly.

Autolycos functions and promotion

Autolycos is a malware that performs stealthy malicious behavior like executing URLs on a remote browser and then including the result in HTTP requests instead of using Webview.

This behavior is meant to make its actions less noticeable and thus not be detected by users of compromised devices.

In many cases, the malicious applications requested permission to read SMS content upon installation on the device, allowing the apps to access a victim's SMS text messages.

To promote the apps to new users, the Autolycos operators created numerous advertising campaigns on social media. For the Razer Keyboard & Theme alone, Ingrao counted 74 ad campaigns on Facebook.

Also, while some malicious applications suffered from inevitable negative reviews on the Play Store, those with fewer downloads maintain a good user rating due to bot reviews.

To stay safe against these threats, Android users should monitor background internet data and battery consumption, keep Play Protect active, and try to minimize the number of apps they install on their smartphones.

Update 7/13/2022: Google has removed the two remaining adware applications from the Play Store shortly after the publication of this post.