8 Android apps, some downloaded more than 1 million times, harbored malware that could subscribe users to services it hadn’t requested.
Autolycos is a new type of malware plaguing the Android ecosystem. Dangerous for your wallet, it has been spotted in at least 8 popular apps in the Google Play Store.
Facebook advertising and ratings given by robots
Maxime Ingrao, the cybersecurity researcher who identified the malware and its hosting sources, explains that it is malware that aims to discreetly subscribe victims to paid services. Generally, infected apps ask for permission to read smartphone text messages.
To remain stealthy and avoid being detected, Autolycos executes the URLs on a remote browser, before including the result in HTTP requests, rather than going through Webview.
The hackers were promoting the apps hosting the malware through advertising campaigns on Facebook. At least 74 promotional publications put forward by the social network have been identified. Bots then ensured that the app was well rated on the Play Store. This strategy worked well, since the 8 applications concerned were downloaded nearly 3 million times in total.
A late withdrawal from the Play Store
If you have downloaded and installed one of these apps on your mobile, remove it immediately. Here is the list of infected applications, two of which have exceeded one million installations:
- Vlog Star Video Editor: 1 million downloads
- Creative 3D Launcher: 1 million downloads
- Funny Camera: 500,000 downloads
- Wow Beauty Camera: 100,000 downloads
- GIF Emoji Keyboard: 100,000 downloads
- Razer Keyboard & Theme: 50,000 downloads
- Freeglow Camera 1.0.0: 5,000 downloads
- Coco Camera v1.1: 1,000 downloads
Working for Evina, a company specializing in cybersecurity for mobile payment and advertising, Maxime Ingrao explains that he notified Google of the existence of this malware in June 2021. But the Mountain View firm took its time and only deleted only 6 of 8 applications six months later.
Worse, two of them remained available on the Play Store until very recently, when the researcher finally decided to make his findings public, thereby forcing Google’s hand to act.
Source : Bleeping Computer
7