Researchers have discovered a new family of auto-clicker malware that commits mobile ad fraud, lurking in 56 apps on the Google Play store. Collectively, they have been downloaded nearly a million times worldwide.
A team from Check Point Software recently discovered the malware, dubbed Tekya, which imitates a user’s actions to click displays and banners from ad agencies such as Google’s AdMob, AppLovin’, Facebook and Unity to financially benefit the threat actors, Check Point researchers Israel Wernik, Danil Golubenko and Aviran Hazum revealed in a blog post on Tuesday.
Nearly half the apps that contain the malware target children, such as puzzles and racing games, researchers said. The rest of the infected apps are utility apps such as calculators, translators and downloaders, they said. Google has since removed the infected offerings.
“This campaign cloned legitimate popular applications to gain an audience, mostly with children, as most application covers for the Tekya malware are children’s games,” researchers wrote. Researchers included in their post a list of the bad apps, which include the Let Me Go puzzle and Cooking Delicious games.
Google’s uphill battle against malware on Google Play is well known, and the vendor has made a concerted effort in the last couple of years to get rid of bad or unpatched apps and malware. Initiatives to this end include forming an alliance last year with key endpoint security firms to stop malicious apps before they get to the store.
In mid-February, Google revealed it was making headway in its fight against malware, saying that it removed 790,000 apps that violate Google’s policies for app submission last year before they were ever published.
However, a mere week later, Check Point researchers discovered eight apps — mostly again camera utilities and children’s games – spreading a new malware strain dubbed Haken that steals data and signs victims up for expensive premium services.
Now with the discovery of Tekya — which even eluded common anti-malware detections during research by Check Point — it seems that the tech giant likely needs to be even more vigilant in keeping apps on Google Play secure, researchers said.
Tekya avoids detection by Google Play Protect by obfuscating native code. It then uses a feature of Android introduced last year called MotionEvent to imitate a user’s action and generate fraudulent clicks on ad services, researchers said.
Once an infected app is installed, it registers as “us.pyumo.TekyaReceiver,” and can perform multiple actions, researchers described in their post. These actions include: “BOOT_COMPLETED” to allow code running at device startup; “USER_PRESENT” to detect when the user is actively using the device; and ‘QUICKBOOT_POWERON” to allow code running after device restart, researchers said.
“This receiver has one purpose — to load the native library ‘libtekya.so’ in the ‘libraries’ folder inside the .apk file,” they said.
Inside the library, several objects dubbed “validators” are responsible for calling various functions from the library’s code as part of a chain of events that eventually ends with malicious behavior being carried out. For instance, “AdmobValidator'” calls the “c” function, which then runs the “z” function, which then calls the “zzdtxq” function from the native library. A sub-function of zzdtxq, “sub_AB2C,” creates and dispatches touch events, imitating an ad click via the MotionEvent mechanism.
Even during Check Point’s investigation, security protections VirusTotal and Google Play Protect did not pick up the Tekya malware, researchers acknowledged, highlighting again that “the Google Play Store can still host malicious apps” despite advanced protections.
“There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily — making it difficult to check that every single app is safe,” researchers wrote. “Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”
