Google has removed 60 malware-infected apps from the Play Store. Installed by more than 3.3 million users, they can be used for all kinds of criminal activity, including identity theft, espionage and even stealing money from victims.
Zscaler's ThreatLabZ and security researcher Maxime Ingrao of the fraud-protection company Evina discovered the downloader apps, which were laced with nasty software including the Joker, Facestealer, Coper and Autolycos malware. The last of these is a new family, according to Ingrao, who discovered and named Autolycos after finding it in eight different Android apps with more than three million downloads between them.
The new malware strain, like Joker, steals text messages once installed and also silently subscribes users to premium wireless application protocol (WAP) services, for which they are then charged, Ingrao tweeted.
Found a new family of malicious software that subscribes to first-class services 👀
8 applications since June 2021, 2 apps always in the Play Store, +3 million installations 💀💀
No web view that #Joker but only http requests
Let's call it #Autolycos 👾
#Android #Damage #Evina pic.twitter.com/SgTfrAOn6H
– Maxime Ingrao (@IngraoMaxime) July 13, 2022
This spyware is designed to steal SMS messages, contact lists and device information, and to subscribe the victim to premium wireless application protocol (WAP) services.
“It retrieves a JSON at the C2 address: 126.96.36.199/pER/y,” he further explained. “Then it executes the URLs; for some steps it runs the URLs on a remote browser and returns the result to include it in the requests. This means that it does not have a web view, in order to be more discreet.”
In addition, the scammers created Facebook and Instagram ads to promote the fake apps, Ingrao noted.
The malicious apps include:
- Vlog Star Video Editor – 1 million downloads
- Creative 3D Launcher – 1 million downloads
- Wow Beauty Camera – 100,000 downloads
- Gif Emoji Keyboard – 100,000 downloads
- Freeglow Camera – 5,000 downloads
- Coco Camera v1.1 – 1,000 downloads
- Fun camera – 500,000 downloads
- Razer keyboard and theme – 50,000 downloads
Joker, Facestealer and Coper reappear
Meanwhile, Zscaler's threat hunters said this week that Google removed another 52 malware-infected apps from the Play Store, 50 of which were used to deploy Joker, which has been an ongoing problem for Android devices. They also found Facestealer and Coper malware in two other malicious apps, which have likewise been pulled from the online marketplace.
The Joker downloader apps were installed more than 300,000 times, according to security researchers Viral Gandhi and Himanshu Sharma, who provided a technical analysis of the three malware families' payloads and listed all 50 Joker downloaders in a ThreatLabZ blog post.
“Despite public awareness of this specific malware, it is constantly finding its way into Google’s official app store by regularly modifying the malware’s tracking signatures, including updates to the code, execution methods and payload techniques,” Gandhi and Sharma wrote.
Once installed, Joker malware steals SMS messages, contact lists and device information, and also signs the victim up for premium services without their knowledge.
“Threat actors most often hide Joker malware in messaging applications that require users to grant escalated access permissions by allowing them to act as the default SMS app on the user’s phone,” the threat hunters noted. “Malware uses these advanced permissions to perform its operations.”
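The default-SMS-app role that Joker abuses is visible in an app's manifest before anything is installed: Android only offers that role to apps declaring the SMS_DELIVER and WAP_PUSH_DELIVER receivers and the RESPOND_VIA_MESSAGE service. The triage script below is an added example, not code from Zscaler or the article; it parses a constructed AndroidManifest.xml for a hypothetical "beauty camera" app and reports the SMS permissions and default-SMS-app components it declares, so an analyst can spot a mismatch between an app's stated purpose and the messaging access it asks for.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Runtime permissions that give an app read/send access to text messages.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS", "android.permission.RECEIVE_WAP_PUSH",
}
# Intent actions an app must handle to be eligible as the default SMS app.
DEFAULT_SMS_ACTIONS = {
    "android.provider.Telephony.SMS_DELIVER",
    "android.provider.Telephony.WAP_PUSH_DELIVER",
    "android.intent.action.RESPOND_VIA_MESSAGE",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Summarise the SMS-related permissions and default-SMS-app components a manifest declares.

    Eligibility alone is not malicious (a real messaging app needs it); the
    signal is a camera, keyboard or launcher app that declares these."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID + "name") for a in root.iter("action")}
    return {
        "package": root.get("package"),
        "sms_permissions": sorted(perms & SMS_PERMISSIONS),
        "default_sms_actions": sorted(actions & DEFAULT_SMS_ACTIONS),
        "default_sms_eligible": DEFAULT_SMS_ACTIONS <= actions,
    }

# Constructed sample: a supposed camera app with every default-SMS-app component.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.beautycam.constructed">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <receiver android:name=".MmsReceiver" android:permission="android.permission.BROADCAST_WAP_PUSH">
      <intent-filter><action android:name="android.provider.Telephony.WAP_PUSH_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".HeadlessSmsSendService" android:permission="android.permission.SEND_RESPOND_VIA_MESSAGE">
      <intent-filter><action android:name="android.intent.action.RESPOND_VIA_MESSAGE"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

On a real APK the manifest is binary-encoded; decode it first (for example with apktool or androguard) before feeding it to triage_manifest.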
In addition, Zscaler discovered Facestealer hiding in the now-removed cam.vanilla.snap app on the Google Play Store, which had 5,000 downloads. This malware targets Facebook users with fake Facebook login pages to steal their credentials. Finally, the security team also discovered the banking trojan Coper disguised as a Unicc QR Scanner app.
Once installed, this app drops the Coper malware, which is capable of intercepting and sending SMS text messages, sending USSD (Unstructured Supplementary Service Data) requests to send messages, keylogging, locking/unlocking the device screen and, as Gandhi and Sharma wrote, “perform excessive attacks, prevent uninstallations, and generally allow attackers to take control and execute commands on infected devices remotely with a C2 server.” ®