It’s named Autolycos — from the homonymous Greek mythological figure, known for his mastery in thievery and deceit. And that’s exactly what the malware does. Since June 2021, Ingrao has identified eight infected apps on Play Store — downloaded over three million times.
How does Autolycos work?
According to Evina’s report, the main goals of Autolycos is to subscribe users to premium Direct Carrier Billing (DCB) services, without their knowledge or consent. 8 applications since June 2021, 2 apps always in Play Store, +3M installs 💀💀 No webview like #Joker but only http requests Let’s call it #Autolycos 👾#Android #Malware #Evina pic.twitter.com/SgTfrAOn6H — Maxime Ingrao (@IngraoMaxime) July 13, 2022 Unlike the Joker malware that launches an invisible browser and uses Webview, Autolycus launches fraud attempts by executing http requests without using a browser. For some steps, it can execute the urls on a remote browser and embed the results in the http requests. Here’s how Autolycos is able to access a verification PIN code by reading a phone’s notifications: The malware’s mode operation makes it hard for Google to differentiate infected apps from legitimate ones. That’s why it’s been undetected for so long. To defraud as many users as possible, the cybercriminals behind the Autolycos promote the apps on Facebook pages and run Facebook and Instagram apps. Ingrao identified 74 ad campaigns for one of the infected apps: the Razer Keyboard & Theme app. Traces have also been found in Asia and various European countries, including Spain, Austria, Poland, and Germany — indicating an alarming expansion. For example, there were 74 ad campaigns for Razer Keyboard & Theme malware pic.twitter.com/lLl9faZjQI — Maxime Ingrao (@IngraoMaxime) July 13, 2022
Which are the infected apps?
Evina and Ingao have shared a list with the eight apps were the malware was found: Interestingly, Ingao told BleepingComputer that he notified Google already in June 2021. Although the company acknowledged receiving the report, it took a ridiculously long six months to remove the first set of six apps, which led the researcher to go public on Twitter. On July 13, Google removed the last two: Funny Camera and Razer Keyboard & Theme. If you want to check what the apps looked like, you can find them in Evira’s report. I discovered, however, an app that looks suspiciously similar to the removed Vlog Star Video Editor. It shares the exact same picture and description, only now it’s called Vlog Star Video Maker. Take a look:
This means that even if the identifiedapps were removed, we should be vigilant as the fraudsters behind the malware might continue introducing infected apps.
How to protect yourselves
There’s no bulletproof strategy for avoiding app malware, but that there are some simple steps you can take:
