Skip to content
Google has removed 8 Android apps from its Google Play store that were spreading an updated version of the Joker spyware, but not before more than 3m downloads!
French security researcher Maxime Ingrao of cyber-security firm Evina discovered a malware that he dubbed Autolycos that can subscribe users to a premium service as well as access users’ SMS messages,. according to a post he made on Twitter.
Premium Services
This type of malware–in which malicious applications subscribe users to premium services without their knowledge or consent to create payment charges–is called ‘toll fraud malware’, or more usually, fleeceware.
Ingrao stated he discovered 8 applications on the site spreading Autolycos since June 2021 that had created several million downloads. The cyber-criminals behind Autolycos are using Facebook pages & running ads on Facebook & Instagram to promote the malware, he outlined.
“For example, there were 74 ad campaigns for Razer Keyboard & Theme malware,” Ingrao tweeted in one of a series of follow-up posts describing how the malware works.
The ‘Joker’ Rides Again
Ingrao compared the malware to Joker, a spyware discovered in 2019 that also secretly subscribed people to premium services & stole SMS messages, among other bad activities.
After more examination, researchers from Malwarebytes believe the malware is a new variant of Joker–what Malwarebytes refers to as “Android/Trojan.Spy.Joker–Malwarebytes intelligence researcher Pieter Artnz observed by post published 1 day after Ingrao’s information.
Fleeceware
Joker was the 1st major malware families that specialised in in fleeceware, according to Malwarebytes. The trojan hides in the advertisement frameworks used by the malicious apps spreading it; these frameworks build-up & serve in-app ads.
When the apps with Joker were installed, they would show a “splash” screen, which would display the app logo, to deceive victims while performing various malicious processes in the background, such as stealing SMSes & contact lists as well as performing ad fraud & signing people up for subscriptions without their knowledge.
Difference
One difference between the original Joker & Autolycos, however, was pointed out by Ingrao. ”No webview like #Joker but only http requests,” he tweeted.
“It retrieves a JSON (Java Script Object Notation) on the C2 address: 68.183.219.190/pER/y,” Ingrao observed of Autolycos in a tweet.
“It then executes the URLs, for some steps it executes the URLs on a remote browser & returns the result to include it in the requests.”
Malwarebytes’ Artnz also explained this difference more in the post.
HTTP Requests
Whilst Joker used ‘webviews’ —or a piece of Web content, such as “a tiny part of the app screen, a whole page, or anything in between”—to do its stuff, Autolycos avoids this by executing URLs on a remote browser & then including the result in HTTP requests, he wrote.
This helps Autolycos evade detection even better than the original Joker, according to Malwarebytes’ Artnz. “Not requiring a WebView greatly reduces the chances that the user of an affected device notices something fishy is going on,” he revealed.
Lag Time in Discovery & App Removal
The 8 apps in which Ingrao discovered Autolycos are:
- Vlog Star Video Editor (com.vlog.star.video.editor) – 1m downloads
- Creative 3D Launcher (app.launcher.creative3d) – 1m downloads
- Wow Beauty Camera (com.wowbeauty.camera) – 100,000 downloads
- Gif Emoji Keyboard (com.gif.emoji.keyboard) – 100,000 downloads
- Freeglow Camera 1.0.0 (com.glow.camera.open) – 5,000 downloads
- Coco Camera v1.1 (com.toomore.cool.camera) – 1,000 downloads
- Funny Camera by KellyTech – 500,000 downloads
- Razer Keyboard & Theme by rxcheldiolola – 50,000 downloads.
6 Months
While Ingrao discovered the apps in July 2021 & reported them to Google fast, he told Bleeping Computer that the company took 6 months to remove 6 of the apps. Moreover, Google only finally removed the last 2 on July 13, explained Malwarebytes.
Artnz was critical of the lag between discovery & removal, though he did not speculate why, noting that “the small footprint & masked usage of APIs must make it hard to find malicious apps among the multitude of apps that can be found in the Google Play Store.”
Gone Public
“It’s possible the malicious apps would still be available if the researcher hadn’t gone public because he said he got tired of waiting,” Artnz wrote.
Google did not immediately respond to request for comment on Mon. The company has a ‘mixed history’ of struggling to keep malicious apps—in particular fleeceware--off its mobile app store for the Android platform.
