Maxime Ingrao, a security researcher at Evina, has discovered a new family of malware that can infect Android apps via Google Play.
Ονομάζεται Autolycos (Αυτόλυκος) — από την eponymous Greek mythological figure, known for her mastery of theft and deception. This is exactly what malware does.
Since June 2021, Ingrao has identified eight infected apps on the Play Store — which have been downloaded more than three million times.
How does Autolycos work?
According to Evina's report, the Autolycos malware's main goals are to enroll users in premium Direct Carrier Billing (DCB) services, without their knowledge or consent.
Here's how Autolycos can access a PIN verification code by reading a phone's notifications:
The way the malware works makes it difficult for Google to distinguish infected apps from normal ones. This is also the reason why it has not been detected for so long.
To scam as many users as possible, the scammers behind Autolycos promote the apps on Facebook and Instagram pages.
Ingrao identified 74 ad campaigns for one of the infected apps: the Razer Keyboard & Theme app.
It retrieves a JSON on the C2 address: 68.183.219.190/pER/y
— Maxime Ingrao (@IngraoMaxime) July 13th, 2022
It then executes the urls, for some steps it executes the urls on a remote browser and returns the result to include it in the requests
This allows it not to have a Webview and to be more discrete pic.twitter.com/v5S6fUjx7M
Traces of the malicious app have been found in Asia and several European countries, including Spain, Austria, Poland and Germany — indicating a very worrying expansion.
What are the infected apps?
Evina and Ingao provided a list of the eight known apps that contain the malware:
Razer Keyboard & Theme — 10.000+ downloads
Vlog Star Video Editor — 1.000.000+ downloads
Funny Camera — 500.000+ dowloads
Coco Camera — 1.000+ downloads
Creative 3D Launcher — 1.000.000+ downloads
GIF Keyboard — 100.000+ downloads
Freeglow Camera — 5.000+ downdoads
Wow Camera — 100+ downloadsInterestingly, Ingao notified Google in June 2021. The company acknowledged the problem, but it took six months to remove the first six apps. This prompted the researcher to post the apps on Twitter.
On July 13, Google removed the last two: Funny Camera and Razer Keyboard & Theme.
