Heads up, Android users! Researchers have found a new Android malware in the wild that even appeared on the Google Play Store. Identified as “Autolycos”, this Android malware impersonated multiple apps to surface on the Play Store and garner huge downloads.
About Autolycos Android Malware
Through a recent Twitter thread, security researcher Maxime Ingrao from Evina Security shared details about a new malware campaign targeting Android users.
The researcher named the malware “Autolycos,” which ran dedicated infectious campaigns in the wild impersonating different apps. While that’s obvious for a mobile malware, what made Autolycos dangerous is its appearance on the official Google Play Store.
Despite Google’s robust security checks, Autolycos malware succeeded in intruding into the Play Store to lure users. Such intrusions suggest that android users can blindly trust the apps on the Play Store either unless they know the app developer.
Ingrao explained that the malware existed on the Play Store via at least 8 different apps since June 2021. All of these apps attracted huge number of downloads, two of which even boasted over 3 million installs.
This malware sneakily subscribes the victims to premium services (hence behaving as fleeceware). In this way, it draws money from the victims while staying under the radar, making it difficult for the victim to detect and stop the infection.
Regarding how the malware works, the researcher stated in his tweet,
It retrieves a JSON on the C2 address: 68.183.219.190/pER/y
It then executes the urls, for some steps it executes the urls on a remote browser and returns the result to include it in the requests
This allows it not to have a Webview and to be more discrete
To add legitimacy to the malicious apps distributing the malware, the threat actors behind Autolycos malware have also set up dedicated social media pages for promotions.
To promote the applications, fraudsters create several Facebook pages and run ads on Facebook and Instagram.
For example, there were 74 ad campaigns for Razer Keyboard & Theme malware pic.twitter.com/lLl9faZjQI
— Maxime Ingrao (@IngraoMaxime) July 13, 2022
More technical details about the malware and its campaigns in the wild are available in Evina’s detailed report.
Some Malicious Apps Still Exist
After detecting the malware, the researcher reported the malicious apps to Google for subsequent action. The researcher has shared the list of those apps in this tweet.
com.razer.keyboards (10k+) https://t.co/dLmVIkvKEh.editor (1M+) ❌
com.okcamera.funny (500K+) https://t.co/8fyEMql0bj (1k+) ❌
app.launcher.creative3d (1M+) ❌
com.gif.emoji.keyboard (100K+) ❌https://t.co/W5wjm83pDV (5K+) ❌https://t.co/cju9S26Nny (100K+) ❌— Maxime Ingrao (@IngraoMaxime) July 13, 2022
Ironically, it took the firm several months to remove those apps. Still, one of them, “Funny Camera” (com.okcamera.funny), continues to exist on the Play Store.
That means users must remain very careful when encountering this app. Also, if they have downloaded any malicious apps, users should rush to delete the app from their devices. Whereas, as a precaution, users must always avoid downloading apps from unknown, untrusted, or new developers, even if they boast huge downloads or reviews.
