Three million Android users may have lost money and had their devices infected by spyware, after the discovery that the official Google Play store has been distributing apps infected by a new family of malware.

French security researcher Maxime Ingrao described last week on Twitter how he had discovered the new malware, named “Autolycos”, and how it signs up users to premium services.

The Autolycos malware, which shares similarities to the Joker spyware, spies on SMS messages, contact lists, and device information, and subscribes unsuspecting users to expensive wireless application protocol (WAP) services.

Affected apps include Funny Camera by KellyTech (which has been installed over 500,000 times from the Google Play Store) and Razer Keyboard & Theme by rxcheldiolola (more than 50,000 installs).

Other malicious apps, which have since been removed from the Google Play Store, include:

  • Vlog Star Video Editor (1 million installs)
  • Creative 3D Launcher (1 million installs)
  • Wow Beauty Camera (100,000 installs)
  • Gif Emoji Keyboard (100,000 installs)
  • Freeglow Camera (5,000 installs)
  • Coco Camera v1.1 (1,000 installs)

According to Ingrao, some of the malicious apps have been promoted to the public via Facebook and Instagram ads.

Ingrao says that Autolycos-poisoned apps have been available on the official Android marketplace since June 2021, during which time they have been installed over three million times, but they have only recently been pulled by Google. Questions will inevitably be asked whether Google is doing a good enough job of checking apps that are made available via its marketplace to many millions of users.

As we have mentioned before, there are steps all Android users should be taking to reduce the chances of encountering malware. These include:

  • Keep your Android device up-to-date with the latest official security patches.
  • Turn on Google Play Protect – Google’s built-in malware protection for Android, which automatically scans your device.
  • Download your apps from official sources, such as the Google Play Store – not unofficial app stores. This wouldn’t have helped in this particular case, but as a general rule the Google Play Store is considered safer than third-party marketplaces.
  • Check reviews of apps before downloading them, although bear in mind that there have been instances where criminals have posted bogus reviews in an attempt to dupe users into trusting that an app can be considered safe.
  • Think carefully about whether you should accept the permissions an app requests upon installation.
  • Consider running an anti-virus program from a legitimate security firm on your Android device.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.