Another day, another Android malware: earlier today, researchers from Check Point released a report detailing a new malware family named Tekya that commits advertising fraud.
The fraud involved unauthorized clicks on ads displayed within the infected applications, earning money for the attackers. The ads were served from networks such as AdMob, Facebook, Unity and AppLovin, which represents a reasonably high reach.
So far, 66 infected apps have been counted, and they had been downloaded 1 million times. 24 of these 66 were children's apps comprising games and puzzles, while the rest are mostly utility apps, including calculators, translators, etc.
Tekya works by hiding the native code of the applications it infects, which allows it to evade Google’s built-in Play Protect mechanism as well as VirusTotal. It then makes use of a MotionEvent feature in Android released back in 2019, allowing it to “imitate the user’s actions and generate clicks.”
[Image: two of the apps on the Play Store before being removed]
All of these apps have since been removed from the Google Play Store, leaving us a lesson for the future. Concerns remain, though, because Google has repeatedly failed to vet malicious apps as well as its arch-rival, the Apple App Store, does. This hints at the need for a new mechanism to verify the hundreds of apps uploaded daily to its platform, in addition to the existing 3 million+.
“This highlights once again that the Google Play Store can still host malicious apps. There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected,” wrote Check Point in their blog post.
To conclude, we previously saw the Haken malware family use native code to bypass Google’s security in February 2020, so this remains a lasting problem. The best way to steer clear of such infections is to download applications only from highly reputable developers, install an antivirus app and always keep your Android version updated.
Infected Children's Games (26)
Infected Utility Apps (40)
We still hope Google implements additional measures in the future to curb such attacks on the Google Play Store, even if policing third-party stores may not be possible. Further, you are advised to check whether you have downloaded any of the 66 infected apps in the list obtained from Check Point and, if so, to delete them.