This article was published on July 15, 2022

Researcher discovered app malware on Google Play that steals your money

Infected apps have been downloaded over 3 million times


Researcher discovered app malware on Google Play that steals your money
Ioanna Lykiardopoulou
Story by

Ioanna Lykiardopoulou

Ioanna is a writer at SHIFT. She likes the transition from old to modern, and she's all about shifting perspectives. Ioanna is a writer at SHIFT. She likes the transition from old to modern, and she's all about shifting perspectives.

Maxime Ingrao, security researcher at cybersecurity company Evina, has discovered a new malware family that can infect Android apps on Google Play.

It’s named Autolycos — from the homonymous Greek mythological figure, known for his mastery in thievery and deceit. And that’s exactly what the malware does.

Since June 2021, Ingrao has identified eight infected apps on Play Store — downloaded over three million times.


How does Autolycos work?

According to Evina’s report, the main goals of Autolycos is to subscribe users to premium Direct Carrier Billing (DCB) services, without their knowledge or consent.

Unlike the Joker malware that launches an invisible browser and uses Webview, Autolycus launches fraud attempts by executing http requests without using a browser.

For some steps, it can execute the urls on a remote browser and embed the results in the http requests.

Here’s how Autolycos is able to access a verification PIN code by reading a phone’s notifications:

Autolycos malware
Credit: Evina

The malware’s mode operation makes it hard for Google to differentiate infected apps from legitimate ones. That’s why it’s been undetected for so long.

To defraud as many users as possible, the cybercriminals behind the Autolycos promote the apps on Facebook pages and run Facebook and Instagram apps.

Ingrao identified 74 ad campaigns for one of the infected apps: the Razer Keyboard & Theme app.


Traces have also been found in Asia and various European countries, including Spain, Austria, Poland, and Germany — indicating an alarming expansion.

Which are the infected apps?

Evina and Ingao have shared a list with the eight apps were the malware was found:

  1. Razer Keyboard & Theme — 10,000+ downloads
  2. Vlog Star Video Editor — 1,000,000+ downloads
  3. Funny Camera — 500,000+ dowloads
  4. Coco Camera — 1,000+ downloads
  5. Creative 3D Launcher — 1,000,000+ downloads
  6. GIF Keyboard — 100,000+ downloads
  7. Freeglow Camera — 5,000+ downdoads
  8. Wow Camera — 100,00+ downloads

Interestingly, Ingao told BleepingComputer that he notified Google already in June 2021. Although the company acknowledged receiving the report, it took a ridiculously long six months to remove the first set of six apps, which led the researcher to go public on Twitter.

On July 13, Google removed the last two: Funny Camera and Razer Keyboard & Theme. If you want to check what the apps looked like, you can find them in Evira’s report.

I discovered, however, an app that looks suspiciously similar to the removed Vlog Star Video Editor.

It shares the exact same picture and description, only now it’s called Vlog Star Video Maker.

Take a look:

autolycos malware app

This means that even if the identifiedapps were removed, we should be vigilant as the fraudsters behind the malware might continue introducing infected apps.

How to protect yourselves

There’s no bulletproof strategy for avoiding app malware, but that there are some simple steps you can take:

  1. Don’t give apps permission to read your SMS content upon installation. Check also third-party data sharing permissions.
  2. Read the reviews!
  3. Keep Play Protect active.
  4. Don’t download any app lightly.
  5. Delete apps you no longer use.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with