It preyed on victims through Facebook ads
Android is definitely not a malware-free platform. If you stumble upon the wrong website and download the wrong APK, things can go haywire pretty quickly. But it’s generally accepted that as long as you get your apps from the Google Play Store, you should be mostly free from malware, especially with initiatives like Play Protect, which is supposed to scan for any hidden baddies. Still, the occasional piece of malware makes its way past Google’s defenses and into users’ phones. One specific piece of malware, dubbed Autolycos, was bundled in a number of popular apps in the Play Store, resulting in it being downloaded over 3 million times.
The malware was discovered by security researcher Maxime Ingrao (via Bleeping Computer). It was present in at least eight applications, all of which have been taken down by Google as of the time of writing — although it reportedly took the company six months to take action from the initial acknowledgment of the report.
If left to run, the malware executes URLs on a remote browser and injects the result into HTTP requests instead of loading an external WebView. It also requests permission to read SMS content, so the infected apps can read your text messages, giving them leeway to steal things like one-time password codes.
The malicious apps are widely promoted on social media, where they reach users through ad campaigns, most of them on Facebook. Users are lured into downloading them with the promise of keyboard themes, nice-looking launcher apps, and camera apps with cool filters. The approach has been effective: two of those apps passed a million downloads apiece.
Infected apps, which have all been taken down from the Play Store, include:
- Vlog Star Video Editor (com.vlog.star.video.editor, 1 million downloads)
- Creative 3D Launcher (app.launcher.creative3d, 1 million downloads)
- Wow Beauty Camera (com.wowbeauty.camera, 100,000 downloads)
- Gif Emoji Keyboard (com.gif.emoji.keyboard, 100,000 downloads)
- Razer Keyboard & Theme (com.razer.keyboards, 10,000 downloads, not related to the gaming/tech company Razer)
- Freeglow Camera 1.0.0 (com.glow.camera.open, 5,000 downloads)
- Coco Camera v1.1 (com.toomore.cool.camera, 1,000 downloads)
If you’ve (unfortunately) downloaded any of the above apps after seeing it in a Facebook ad, uninstall it right now. Also, don’t download apps from ads, full stop, especially if you don’t know the developer.
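To check a phone for the apps listed above, this added example (not from the original article or the researcher) matches the output of `adb shell pm list packages` against the package IDs in the list. The sample listing, including the `com.razer.keyboards.pro` ID that shows why matching must be exact, is constructed for illustration.

```shell
#!/bin/sh
# Added example: find Autolycos-infected apps by exact package ID.

# Package IDs copied from the article's list of infected apps.
AUTOLYCOS_PKGS='com.vlog.star.video.editor
app.launcher.creative3d
com.wowbeauty.camera
com.gif.emoji.keyboard
com.razer.keyboards
com.glow.camera.open
com.toomore.cool.camera'

# Reads `pm list packages` output on stdin (one "package:<id>" per line) and
# prints every listed ID that is installed. Carriage returns that some adb
# versions append are stripped; -F -x forces literal, whole-line matches so
# an unrelated ID that merely starts with a listed one is not reported.
find_autolycos() {
    tr -d '\r' | sed -n 's/^package://p' | grep -Fx -e "$AUTOLYCOS_PKGS"
}

# Turns the matches into a readable report with the removal command.
report() {
    hits=$(find_autolycos) || { echo "no listed Autolycos packages found"; return 0; }
    printf '%s\n' "$hits" | while read -r pkg; do
        echo "FOUND $pkg  (remove with: adb uninstall $pkg)"
    done
}

# Scans a connected device; needs adb on PATH and USB debugging enabled.
scan_device() {
    adb shell pm list packages | report
}

# Constructed sample of `pm list packages` output (not from a real device).
sample_listing() {
    printf 'package:com.android.chrome\r\npackage:com.razer.keyboards\npackage:com.razer.keyboards.pro\npackage:app.launcher.creative3d\n'
}

# Offline demonstration on the constructed sample.
sample_listing | report
```

Call `scan_device` instead of the last line to run the same check against a phone connected over USB.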