What's up with cybercriminals' obsession with signing users up for subscriptions behind their backs? Last week, we dove into Microsoft 365 Defense Research Team's report on toll fraud, which involved malicious actors conspiring with phone companies to keep you in the dark about secret subscription sign ups.
Now, cybersecurity firm Evina discovered eight naughty apps that employed similar tactics. All contained a malware bug called Autolycos, which enrolled users for premium services, and consequently, victims unwittingly lost money on a regular basis — and they didn't even realize it.
Autolycos is a vicious, stealthy Android bug
Maxime Ingrao, a security researcher at Evina, discovered Autolycos in at least eight Google Play Store apps in June 2021:
- Vlog Star Video Editor – 1 million downloads
- Coco Camera v1.1 – 1,000 downloads
- Gif Emoji Keyboard – 100,000 downloads
- Wow Beauty Camera – 100,000 downloads
- Funny Camera - 500,000 downloads
- Razer Keyboard & Theme - 50,000
- Freeglow Camera 1.0.0 – 5,000 downloads
- Creative 3D Launcher – 1 million downloads
In total, the eight apps were downloaded three million times. According to Ingrao, malicious actors advertised their Autolycos-infested apps on social media. For example, Facebook featured 74 ad campaigns for the Razer Keyboard & Theme app.
So what is Autolycos' modus operandi? As mentioned, it subscribes users to premium services — and victims are none the wiser. What's worse is that Autolycos operates stealthily and sneakily, according to Ingrao, so its malicious presence isn't immediately apparent. To make its actions less noticeable, it executes URL launches on a remote browser.
In some cases, the malware-infested apps requested permission to read users' SMS content, giving the malicious software access to victims' text messages.
Google didn't remove the apps until the report went public
Interestingly, Ingrao told BleepingComputer that he reported its discovery to Google in June 2021, but due to the search-engine giant's delay in removing the eight malicious apps from the Play Store, Ingrao just disclosed his findings to the public on July 13.
Found new family of malware that subscribe to premium services 👀8 applications since June 2021, 2 apps always in Play Store, +3M installs 💀💀No webview like #Joker but only http requestsLet’s call it #Autolycos 👾#Android #Malware #Evina pic.twitter.com/SgTfrAOn6HJuly 13, 2022
Ingrao's tweets must have lit a fire under Google's butt. Six of the apps had been removed roughly six months after Ingrao first notified Google, but two remained when Ingrao tweeted about it this week. We tried to find all eight apps on the Google Play Store, but fortunately, they have now all been removed.
If you're wondering how you can stay ahead of these wallet-draining, malware-infested Android apps, keep an eye out for suspicious permission requests that don't make any sense. For example, if a video editing app asks for access to your SMS messages, you should be wary. Why the heck would an editing app need to see your texts?
To keep your phone protected from bugs, consider downloading one of the best antivirus apps for mobile devices.
