Android malware caught infecting Play Store apps for kids

Another day, another Android malware – This time, a new malware family named Tekya has been caught committing advertising fraud.
Malware family generated fake ad clicks in 66 apps on Android

Earlier today, researchers from Check Point released a report detailing a new malware family named Tekya that commits advertising fraud.

The fraud involved unauthorized clicks on ads displayed within the applications, which earned the attackers money. These ads were served from networks such as AdMob, Facebook, Unity and AppLovin, representing a reasonably high reach.

Currently, the infected apps number 66 and have been downloaded 1 million times. 24 of these 66 were children's apps comprising games and puzzles, while the rest are mostly utility apps including calculators, translators, etc.

Tekya works by hiding the native code of the applications it infects, which allows it to evade Google’s built-in Play Protect mechanism as well as VirusTotal. It then makes use of a MotionEvent feature in Android, released back in 2019, to “imitate the user’s actions and generate clicks.”

[Image: 2 of the apps on the Play Store before being removed. Image via Check Point.]

All of these apps have since been removed from the Google Play Store, but the episode leaves a lesson for the future. Concerns remain that Google has repeatedly failed to vet malicious apps as well as its arch-rival, the Apple App Store, does. This hints at a need for a new mechanism to verify the hundreds of apps uploaded daily to its platform alongside the existing 3 million+ ones.

“This highlights once again that the Google Play Store can still host malicious apps. There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected,” wrote Check Point in their blog post.

To conclude, we previously saw the Haken malware family use native code to bypass Google’s security in February 2020, so this remains a lasting problem. The best way to steer clear of such infections is to download applications only from highly reputable developers, install an antivirus app and always keep your Android version updated.

Infected Children Games(26)


Infected Utility Apps(40)


We still hope Google implements additional measures in the future to curb such attacks on the Google Play Store, even if policing third-party stores may not be possible. Further, it is advised to check whether you have downloaded any of the 66 infected apps in the past, using the list obtained from Check Point, and delete them.
