Autolycos Android Malware Attracted Huge Downloads On Play Store

Attention Android users! Researchers have found new Android malware in the wild which even appeared on the Google Play Store. Identified as “Autolycos”, this Android malware impersonated several apps to surface on Play Store and garner huge downloads.

About Android Autolycos Malware

Through a recent Twitter feed, security researcher Maxime Ingrao from Evina Security has shared details about a new malware campaign targeting Android users.

The researcher named the malware “Autolycos”, which ran dedicated campaigns in the wild by impersonating different applications. While impersonation is common for mobile malware, what made Autolycos dangerous was its appearance on the official Google Play Store.

Despite Google’s stringent security checks, Autolycos malware managed to sneak into the Play Store to lure users in. Such intrusions suggest that Android users should not blindly trust apps on the Play Store unless they know the app’s developer.

Ingrao explained that the malware has existed on the Play Store through at least 8 different apps since June 2021. All of these apps attracted a large number of downloads, two of which even had over 3 million installs.

This malware sneakily subscribes victims to premium services (and therefore behaves like fleeceware). In this way, it draws money from the victims while remaining under the radar, which makes it difficult for the victim to detect and stop the infection.

Regarding how the malware works, the researcher said in his tweet,

It retrieves a JSON on the C2 address: 68.183.219.190/pER/y
It then executes the urls, for some steps it executes the urls on a remote browser and returns the result to include in requests
This allows him not to have a Webview and to be more discreet

To boost the legitimacy of the rogue apps distributing the malware, the threat actors behind the Autolycos malware have also set up dedicated social media pages for promotions.

More technical details about the malware and its in-the-wild campaigns are available in Evina’s detailed report.

Some rogue apps still exist

After detecting the malware, the researcher reported the malicious apps to Google for further action. The researcher shared the list of these apps in this tweet.

Ironically, it took the company several months to remove these apps. Yet one of them, “Funny Camera” (com.okcamera.funny), continues to exist on the Play Store.

This means that users must be very careful when encountering this application. Moreover, users who have downloaded any of the malicious apps should remove them from their devices right away. As a precaution, users should always avoid downloading apps from unknown, untrustworthy or new developers, even if they boast huge download counts or reviews.
