Over 50 Android apps on the Google Play Store have been caught using a new trick to secretly click on ads without the knowledge of smartphone users. The ad-fraud malware lurks in dozens of children's and utility apps. In total, these apps have been installed almost one million times worldwide.
A team of researchers from Check Point recently discovered the malware, dubbed Tekya, which imitates users' actions to click ads from advertising networks such as Google's AdMob, AppLovin, Facebook, and Unity.
The 56 applications that contain the Tekya malware mainly target a younger audience, as most of them are puzzles and racing games. The rest of the infected apps are utility apps such as calculators, translators and downloaders. Google has since removed the infected offerings.
“Malicious apps are still finding their way onto Google Play,” Check Point warned last month when its researchers had just alerted to the continued threat of Joker malware as well as the new Haken clickers.
“The Tekya malware family went undetected by VirusTotal and Google Play Protect,” Check Point says. The malware’s operators decompiled and cloned genuine, popular apps, which were then renamed and put back onto the store with the mobile adware included.
According to researchers, once an infected app is installed, it registers a receiver, “us.pyumo.TekyaReceiver,” that responds to multiple actions. These actions include “BOOT_COMPLETED,” to allow code to run at device startup; “USER_PRESENT,” to detect when the user is actively using the device; and “QUICKBOOT_POWERON,” to allow code to run after a device restart.
When the receiver detects these events, it loads a native library named “libtekya.so” that includes a sub-function called “sub_AB2C,” which creates and dispatches touch events, mimicking a click via the MotionEvent API.
List of apps infected with the Tekya malware:
15. com.folding.blocks.origami.mandala
18. com.ichinyan.fashies
48. com.mcmccalculator.free
If you still have these apps installed on your phone, you’ll have to manually remove them immediately.