Microsoft’s 365 Defender team, earlier this month, spotted malware dubbed Toll Fraud malware that is capable of subscribing users to premium services without their consent. Now an Evina security researcher, Maxime Ingrao, has spotted another piece of malware that does the same, albeit in a slightly different way.
Evina, in its report, said that the malware, dubbed Autolycos after the Greek character known as the master of thievery and deceit, subscribes users to premium Direct Carrier Billing (DCB) services without informing them or obtaining their explicit consent.
Unlike the Joker malware, Autolycos does not launch an invisible browser to attack users. Instead, it carries out its fraud attempts by executing HTTP requests without using a browser at all. “For some steps, it can execute urls on a remote browser and embed these results in the http requests,” the malware research firm wrote in its report, adding that it is this behaviour that makes it difficult to detect.
Evina says that the Autolycos malware uses a remote browser and embeds its results in HTTP requests, which makes it harder for Google to tell apps infected with Autolycos apart from genuine apps. “The malware is able to access the verification PIN code by reading the phone’s notifications,” the firm wrote in its report.
What’s more, to increase its reach, the cybercriminals behind the Autolycos malware promoted the infected apps on several Facebook pages. They also ran ads on Facebook and Instagram, which made the infected apps visible to more users and ultimately led to more downloads. This pushed the infected apps up the Google Play Store rankings, which in turn increased their chances of being downloaded.
Researchers said that although the Autolycos malware originated in South Africa, traces of it have already been found in Spain, Austria, Poland, Germany, Saudi Arabia, the United Arab Emirates, Malaysia and Thailand.
Found new family of malware that subscribes to premium services 👀
8 applications since June 2021, 2 apps always in Play Store, +3M installs 💀💀
No webview like #Joker but only http requests
Let’s call it #Autolycos 👾#Android #Malware #Evina pic.twitter.com/SgTfrAOn6H
— Maxime Ingrao (@IngraoMaxime) July 13, 2022
Apps infected by Autolycos malware
Ingrao, in a thread on Twitter, said that since its detection back in June 2021 this malware has infected a total of eight apps on the Play Store, which have collectively amassed over three million downloads so far. These apps are —
— Razer Keyboard & Theme
— Vlog Star Video Editor
— Funny Camera
— Coco Camera
— Creative 3D Launcher
— GIF Keyboard
— Freeglow Camera
— Wow Camera
How to protect yourself from Autolycos malware
Google has already removed these apps from the Play Store so that new users cannot download them. If you have downloaded any of these apps, it is advisable to delete them immediately. Beyond that, users are advised not to grant apps permission to read SMS contents, and to enable Google Play Protect on their Android devices.
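The two capabilities the article describes Autolycos abusing are notification access (used to read the verification PIN from the phone’s notifications, as quoted above) and permission to read SMS (the permission this section advises against granting). The following adb-based audit script is an added example, not code from the article or from Evina: it lists third-party apps on an attached Android device that hold either capability, so a user or helpdesk can review them. It assumes adb is installed and authorised for the device, and that Android reports the `enabled_notification_listeners` secure setting as ':'-separated `package/Service` components and `dumpsys package` as lines of the form `android.permission.READ_SMS: granted=true`; the sample text at the bottom is constructed to mimic that output so the parsers can be exercised without a device, and names no real app.

```shell
#!/bin/sh
# Added example (not from the article or Evina): audit which third-party apps can
# read notifications or SMS on an Android device reachable over adb. When no
# device is attached, the parsing functions run on constructed sample output.

# Parse the value of the secure setting "enabled_notification_listeners".
# Android stores it as ':'-separated component names (package/Service);
# print one package name per line, deduplicated. "null" means the setting is unset.
notification_listener_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sed '/^$/d; /^null$/d' | sort -u
}

# Return 0 when a "dumpsys package <pkg>" dump shows READ_SMS granted at runtime.
has_read_sms_granted() {
    printf '%s\n' "$1" | grep -q 'android.permission.READ_SMS: granted=true'
}

# Live audit over adb; only called when adb is on PATH and a device responds.
audit_device() {
    echo "== apps with notification access =="
    notification_listener_packages "$(adb shell settings get secure enabled_notification_listeners | tr -d '\r')"
    echo "== third-party apps granted READ_SMS =="
    # "pm list packages -3" prints "package:<name>" for each non-system app.
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' | while read -r pkg; do
        if has_read_sms_granted "$(adb shell dumpsys package "$pkg")"; then
            echo "$pkg"
        fi
    done
}

# Constructed sample values (fictitious package names) to exercise the parsers offline.
SAMPLE_LISTENERS='com.example.legit/.NotifService:com.example.camera/com.example.camera.Listener'
SAMPLE_DUMP_SMS='  runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]'
SAMPLE_DUMP_NO_SMS='  runtime permissions:
      android.permission.READ_SMS: granted=false, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]'

if command -v adb >/dev/null 2>&1 && adb get-state >/dev/null 2>&1; then
    audit_device
else
    echo "no device attached; running parsers on constructed sample output"
    notification_listener_packages "$SAMPLE_LISTENERS"
    has_read_sms_granted "$SAMPLE_DUMP_SMS" && echo "sample dump: READ_SMS granted"
fi
```

Any package the audit prints is worth a second look: a keyboard, camera or video-editing app has no obvious reason to read notifications or SMS, and notification access in particular is granted through Settings rather than a runtime permission prompt, so it is easy to overlook. Revoking it (Settings > Notifications > Device and app notifications on recent Android versions) or uninstalling the app removes the channel the article describes for harvesting the verification PIN.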