Researchers recently discovered a new family of auto-clicker malware focused on mobile ad fraud. Fifty-six apps on the Google Play store were infected by the new threat, and so far they have been downloaded almost a million times worldwide.
A team at Check Point discovered the malware. Tekya, as it was dubbed, imitates the actions of a user by clicking ads and banners served by ad networks such as Unity, Facebook, AdMob and AppLovin, to the benefit of the threat actors. Nearly half of the apps were targeted at children, such as racing games and puzzles; the rest were translators, downloaders, calculators, and other utility apps, according to the researchers. Google took action and removed the infected apps from the store.
The campaign cloned popular legitimate applications in order to gain an audience. Most of the apps were aimed at children, as Tekya's operators appear to have targeted children's games in particular. The researchers published a list of the infected apps, which included Cooking Delicious and the Let Me Go puzzle.
Google has been dealing with malware on Google Play for years and has made a continued effort to remove bad apps and malware from the platform. It has gone as far as partnering with endpoint security companies to stop malicious apps before they enter the store.
Google cracks down on bad apps and malware
In mid-February, Google reported progress in the fight against malware, saying it had rejected 790,000 apps that violated its app submission policies. These were stopped before publication, so users were never exposed to them.
A week later, Check Point researchers found eight apps spreading a malware strain called Haken. The apps were mostly children's games and camera utilities; the malware stole data and signed victims up to premium services without their consent.
The discovery of Tekya shows that even a company as large as Google needs to be more vigilant than ever against malicious apps sneaking into Google Play.
How the Tekya malware made it inside Google Play
According to the researchers, Tekya was advanced enough to evade the routine anti-malware detection used by Check Point and required more work to find. It evades Google Play Protect by obfuscating its native code. The clicking itself abuses an Android feature called MotionEvent to imitate a user's touches, generating revenue through ad clicks.
Once the infected app is installed on a device, it registers a receiver, "us.pyumo.TekyaReceiver," that responds to several system events from that point forward. "BOOT_COMPLETED" lets the code run whenever the device boots up. "USER_PRESENT" tracks user activity, that is, whether anyone is using the device. "QUICKBOOT_POWERON" lets the code run even after a device reboot. Each of these events triggers the loading of the native library libtekya.so from the libraries folder of the .apk file.
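A defender-side triage check for the pattern just described, added here as an example and not code from the article or from Check Point: it parses a decoded AndroidManifest.xml for receivers that filter on the boot and user-presence actions named above and lists native libraries bundled in the APK. The sample manifest and zip are constructed; the receiver class and libtekya.so come from the article, while the intent-filter layout and the armeabi-v7a path are assumptions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Actions named in the article; matched on the last component so vendor prefixes work.
PERSISTENCE_ACTIONS = {"BOOT_COMPLETED", "USER_PRESENT", "QUICKBOOT_POWERON"}


def receivers_with_persistence(manifest_xml: str) -> dict:
    """Map each <receiver> class to the boot/unlock actions it filters on.
    Expects the decoded text manifest (e.g. apktool output), not the binary XML in a raw APK."""
    found = {}
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {a.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
                   for a in receiver.iter("action")} & PERSISTENCE_ACTIONS
        if actions:
            found[receiver.get(ANDROID_NS + "name")] = actions
    return found


def native_libs(apk_bytes: bytes) -> list:
    """List .so files under lib/ in the APK (an APK is a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist()
                      if n.startswith("lib/") and n.endswith(".so"))


def triage(manifest_xml: str, apk_bytes: bytes) -> dict:
    """Flag a receiver that wakes on boot/unlock paired with a bundled native library.
    A review-prioritisation heuristic, not proof of maliciousness: benign apps use both."""
    receivers = receivers_with_persistence(manifest_xml)
    libs = native_libs(apk_bytes)
    return {"flag": bool(receivers and libs),
            "receivers": receivers, "native_libs": libs}


# Constructed sample: receiver and library names are from the article; the
# intent-filter and the armeabi-v7a path are assumptions for this demo.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
 <application><receiver android:name="us.pyumo.TekyaReceiver"><intent-filter>
  <action android:name="android.intent.action.BOOT_COMPLETED"/>
  <action android:name="android.intent.action.USER_PRESENT"/>
  <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
 </intent-filter></receiver></application></manifest>"""


def build_sample_apk() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/armeabi-v7a/libtekya.so", b"\x7fELF constructed stub")
    return buf.getvalue()
```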
Even during the Check Point investigation, Google Play Protect did not detect Tekya, which, the researchers noted, shows that Google Play may still host malicious apps.