Ingrao explains that Autolycos does without a WebView in order to keep its footprint small and thereby reduce the risk of discovery. Instead, the malware requests URLs directly over HTTP, receiving the addresses from the command-and-control (C2) servers as JSON. In some cases the browser itself runs on the C2 server, which then only returns the results to the app.
Professional operation
The malware authors concealed the malicious functionality so well that Google's automated analysis systems did not detect it. After being notified, Google removed the apps from the Play Store; Google Play Protect should also have removed them from affected devices.
Ingrao goes on to explain that the people behind the malware even advertised the malicious apps: the scammers created Facebook pages for them and promoted them on both Facebook and Instagram.
The Android malware reached phones through the following eight apps (package names in parentheses):
- Creative 3D Launcher (app.launcher.creative3d), more than a million downloads
- Vlog Star Video Editor (com.vlog.star.video.editor), more than a million downloads
- Funny Camera by KellyTech (com.okcamera.funny), more than 500,000 downloads
- Gif Emoji Keyboard (com.gif.emoji.keyboard), more than 100,000 downloads
- Wow Beauty Camera (com.wowbeauty.camera), more than 100,000 downloads
- Razer Keyboard & Theme by rxcheldiolola (com.razer.keyboards), more than 10,000 downloads
- Freeglow Camera (com.glow.camera.open), more than 5,000 downloads
- Coco Camera (com.toomore.cool.camera), more than 1,000 downloads
To be on the safe side, Android users should check whether any of these apps are installed on their device and remove them. Google Play Protect should also be re-enabled if it has been turned off, so that apps identified as harmful can be removed from the phone automatically.
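The check described above can be automated for a phone connected over USB debugging. The script below is an added example, not code from the article or from Evina: it compares the output of `pm list packages` against the eight package names listed above and uninstalls any hit. The `adb` tool, USB debugging, the script name `autolycos_check.sh` and the sample package list used for the self-test are assumptions; the sample is constructed and contains two of the known-bad packages.

```sh
#!/bin/sh
# Added example (not from the original article): look for the eight Autolycos
# package names on an Android device and remove them.
# Assumes adb is installed and the device is attached with USB debugging enabled.

# The eight package names reported for the Autolycos apps.
AUTOLYCOS_PACKAGES="app.launcher.creative3d
com.vlog.star.video.editor
com.okcamera.funny
com.gif.emoji.keyboard
com.wowbeauty.camera
com.razer.keyboards
com.glow.camera.open
com.toomore.cool.camera"

# find_autolycos: reads 'pm list packages' output on stdin (lines such as
# "package:com.foo.bar", possibly with CRLF line endings when read via adb)
# and prints every package that exactly matches a known-bad name, one per line.
find_autolycos() {
    tr -d '\r' | sed -n 's/^package://p' | while IFS= read -r pkg; do
        for bad in $AUTOLYCOS_PACKAGES; do
            if [ "$pkg" = "$bad" ]; then
                printf '%s\n' "$pkg"
                break
            fi
        done
    done
    return 0
}

# scan_device: live check against a connected phone; uninstalls each hit.
# Needs adb on PATH and an authorised device.
scan_device() {
    adb shell pm list packages | find_autolycos | while IFS= read -r pkg; do
        echo "Found $pkg, uninstalling"
        adb uninstall "$pkg"
    done
}

# Constructed sample of 'pm list packages' output for an offline self-test.
# Two of the four entries are Autolycos packages; the other two are benign.
SAMPLE_PM_OUTPUT="package:com.android.chrome
package:com.vlog.star.video.editor
package:com.example.notmalware
package:com.razer.keyboards"

# Offline self-test (no device needed):
#   . ./autolycos_check.sh && printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_autolycos
# Live check of a connected phone:
#   . ./autolycos_check.sh && scan_device
```

Matching is on the exact package name rather than a substring, so a legitimate app whose name merely contains one of the strings (for example a different `com.razer.*` package) is not flagged.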