This wallet-draining Android malware has been downloaded millions of times

app security
(Image credit: (Image credit:

Google has removed eight Android apps found to be carrying malware from its mobile app store.

The apps, which include camera apps, video editors, emoji keyboards, and similar, have had more than three million downloads between them, and were reported to the company more than a year ago.

In June 2021, cybersecurity researchers from Evina tracked down the eight apps that were carrying Autolycos, adware that secretly subscribes its users to premium services and, most likely, earns commission, and reported it to Google. 

Red flags everywhere

After acknowledging receiving the report, it took Google six months to act on it, the firm claimed.

Autolycos was described as malware performing “stealthy malicious behavior”, such as executing URLs on a remote browser, and then including the results in HTTPS requests, instead of Webview, to avoid detection by both users and mobile antivirus solutions. 

The key red flag that could have tipped users off, that these were, in fact, malicious apps, was the fact that they requested permission to read SMS content, after installation. 

Usually, permission requests are the best way to spot if an app is malicious, or not. A calculator app does not need access to the contacts list, SMS apps, or similar. 

Another red flag was user reviews on the Play Store. While apps with fewer downloads did have better reviews, thanks to bots, those with more downloads have had plenty of disgruntled and unsatisfied customers expressing their opinions in the comments section.

Autolycos’ operators used social media channels, such as Facebook, to promote and distribute their apps. Just one out of the eight apps discovered has had 74 ad campaigns on Facebook alone. 

Users can monitor suspicious mobile apps by keeping tabs on background internet data and battery consumption. Furthermore, all Android users should keep Play Protect enabled, and make sure they never download apps from unverified sources. Even when downloading from the Play Store, make sure to read the reviews.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.