Tekya is a family of malware that generates fraudulent clicks on ads and banners delivered by agencies including Google’s AdMob, AppLovin ‘, Facebook, and Unity. To give the clicks the air of authenticity, the well-obfuscated code causes infected devices to use Android’s “MotionEvent” mechanism to imitate legitimate user actions. At the time researchers from security firm Check Point discovered them, the apps went undetected by VirusTotal and Google Play Protect. Twenty-four of the apps that contained Tekya were marketed to children. Google removed all 56 of the apps after Check Point reported them.
The discovery “highlights once again that the Google Play Store can still host malicious apps,” Check Point researchers Israel Wernik, Danil Golubenko, and Aviran Hazum wrote in a
post published on Tuesday . “There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected. ”
Going native
To make the malicious behavior harder to detect, the apps were written in native Android code — typically in the C and C programming languages. Android apps usually use Java to implement logic. The interface of that language provides developers with the ease of accessing multiple layers of abstraction. Native code, by contrast, is implemented in a much lower level. While Java can easily be decompiled — a process that converts binaries back into human-readable source code — it’s much harder to do this with native code.
Once installed, the Tekya apps register a broadcast receiver that carries out multiple actions, including:
BOOT_COMPLETED to allow code running at device startup (“cold” startup)
- USER_PRESENT in order to detect when the user is actively using the device QUICKBOOT_POWERON to allow code running after device restart
- The sole purpose of the receiver is to load the native library ‘libtekya.so’ in the libraries folder inside the .apk file of each app. The Check Point post provides much more technical detail on how the code works. Google representatives confirmed the apps have been removed from Play.
But wait. . . there’s more
Separately, antivirus provider Dr. Web on Tuesday reported the (discovery of an undisclosed number of Google Play apps
The Dr.Web post didn’t name all of the apps that contained Android.Circle.1. The handful of apps identified were: Wallpaper Black — Dark Background, Horoscope 2020 – Zodiac Horoscope, Sweet Meet, Cartoon Camera, and Bubble Shooter. Google removed all of the apps Dr. Web reported. The 90 apps discovered by Check Point, meanwhile, are in Tuesday’s Check Point post, which again is located
here .
Android devices often uninstall apps after they’re found to be malicious, but the mechanism doesn’t always work as intended . Readers may want to check their devices to see if they have been infected. As always, readers should be highly selective in the apps they install. No doubt, Google scans detect a large percentage of malicious apps submitted to Play, but a significant number of users continue to get infected with malware that goes that bypass those checks.
- The sole purpose of the receiver is to load the native library ‘libtekya.so’ in the libraries folder inside the .apk file of each app. The Check Point post provides much more technical detail on how the code works. Google representatives confirmed the apps have been removed from Play.
GIPHY App Key not set. Please check settings