Malware-infested Android apps were caught stealing money — do you have them on your phone?

Phone stealing money
(Image credit: Getty Images)

What's up with cybercriminals' obsession with signing users up for subscriptions behind their backs? Last week, we dove into Microsoft 365 Defense Research Team's report on toll fraud, which involved malicious actors conspiring with phone companies to keep you in the dark about secret subscription sign ups.

Now, cybersecurity firm Evina discovered eight naughty apps that employed similar tactics. All contained a malware bug called Autolycos, which enrolled users for premium services, and consequently, victims unwittingly lost money on a regular basis — and they didn't even realize it.

Autolycos is a vicious, stealthy Android bug

Maxime Ingrao, a security researcher at Evina, discovered Autolycos in at least eight Google Play Store apps in June 2021:

  • Vlog Star Video Editor – 1 million downloads
  • Coco Camera v1.1 – 1,000 downloads
  • Gif Emoji Keyboard – 100,000 downloads
  • Wow Beauty Camera – 100,000 downloads
  • Funny Camera - 500,000 downloads
  • Razer Keyboard & Theme - 50,000
  • Freeglow Camera 1.0.0 – 5,000 downloads
  • Creative 3D Launcher – 1 million downloads

In total, the eight apps were downloaded three million times. According to Ingrao, malicious actors advertised their Autolycos-infested apps on social media. For example, Facebook featured 74 ad campaigns for the Razer Keyboard & Theme app.

So what is Autolycos' modus operandi? As mentioned, it subscribes users to premium services — and victims are none the wiser. What's worse is that Autolycos operates stealthily and sneakily, according to Ingrao, so its malicious presence isn't immediately apparent. To make its actions less noticeable, it executes URL launches on a remote browser. 

In some cases, the malware-infested apps requested permission to read users' SMS content, giving the malicious software access to victims' text messages.

Google didn't remove the apps until the report went public

Interestingly, Ingrao told BleepingComputer that he reported its discovery to Google in June 2021, but due to the search-engine giant's delay in removing the eight malicious apps from the Play Store, Ingrao just disclosed his findings to the public on July 13.

See more

Ingrao's tweets must have lit a fire under Google's butt. Six of the apps had been removed roughly six months after Ingrao first notified Google, but two remained when Ingrao tweeted about it this week. We tried to find all eight apps on the Google Play Store, but fortunately, they have now all been removed.

If you're wondering how you can stay ahead of these wallet-draining, malware-infested Android apps, keep an eye out for suspicious permission requests that don't make any sense. For example, if a video editing app asks for access to your SMS messages, you should be wary. Why the heck would an editing app need to see your texts?

To keep your phone protected from bugs, consider downloading one of the best antivirus apps for mobile devices.

Kimberly Gedeon

Kimberly Gedeon, holding a Master's degree in International Journalism, launched her career as a journalist for MadameNoire's business beat in 2013. She loved translating stuffy stories about the economy, personal finance and investing into digestible, easy-to-understand, entertaining stories for young women of color. During her time on the business beat, she discovered her passion for tech as she dove into articles about tech entrepreneurship, the Consumer Electronics Show (CES) and the latest tablets. After eight years of freelancing, dabbling in a myriad of beats, she's finally found a home at Laptop Mag that accepts her as the crypto-addicted, virtual reality-loving, investing-focused, tech-fascinated nerd she is. Woot!