Malicious Android Apps Targeting Children On Google Play Infected 1.7 Million More Devices


After multiple incidents in which fraudulent apps made their way onto the Google Play store, more malicious apps have again been found on the official Android store.

This time, researchers from Check Point found 56 apps, many of which target children, that contain the 'Tekya' malware. Tekya generates fraudulent clicks on ads and banners served by networks such as Google's AdMob, AppLovin', Facebook and Unity.

To make the clicks look authentic enough to be registered as valid, the malware uses Android's MotionEvent mechanism (the class that represents touch input) to imitate legitimate user taps.

24 of the 56 apps that contained Tekya were marketed to children, with apps ranging from puzzles to racing games. The rest were utility apps, like cooking apps, downloaders, calculators and so on.

Before Check Point discovered them, the apps went undetected by VirusTotal and Google Play Protect.

After the researchers reported them, Google removed all 56 of the apps.

According to the researchers at Check Point in a blog post:

"Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices. Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location."

"Recently, Check Point’s researchers identified a new malware family that was operating in 56 applications and downloaded almost 1 million times worldwide."

The researchers said that the attackers made their apps harder to detect by not implementing the malicious logic in Java (which compiles to Dalvik bytecode), but in native Android code (typically C or C++, built with the NDK into a shared library).

Java gives developers several layers of abstraction to work with; native code, by contrast, runs at a much lower level.

As a result, apps that hide their logic in native code are harder to decompile and analyze than apps written purely in Java, which makes it harder for Google's scanners to spot the fraud scheme.

Two of the fraudulent apps found by the researchers. (Credit: Check Point)

According to the researchers, once an app is installed, the malware inside it registers a broadcast receiver for several system intents, including:

  • BOOT_COMPLETED, so its code runs when the device starts up ("cold" startup); receiving this broadcast requires the RECEIVE_BOOT_COMPLETED permission.
  • USER_PRESENT, to detect when the user has unlocked the device and is actively using it.
  • QUICKBOOT_POWERON, so its code also runs after a restart on devices that use a quick-boot (fast power-on) mode, where a resume may not send BOOT_COMPLETED.

The receiver's purpose is to load the native library libtekya.so, which is shipped in the lib/ folder inside each app's .apk file.
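The combination described above (a receiver wired to boot and unlock intents plus a bundled native library) is easy to check for during triage. The following is an added example, not Check Point's tooling or anything from the Tekya samples: it lists the shared objects under lib/ in an APK (an APK is a zip), parses a decoded AndroidManifest.xml for receivers filtering on the three intents and for the RECEIVE_BOOT_COMPLETED permission, and flags a match. The APK and manifest it runs on are constructed in memory; a real APK's manifest is binary AXML and must first be decoded with apktool or androguard. The library name list and the package name are assumptions.

```python
"""Triage helper for the Tekya-style pattern: boot/unlock broadcast receiver
plus a bundled native library. Added example, not Check Point's code."""
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Intents named in the Check Point write-up.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.QUICKBOOT_POWERON",
}
# Library name reported for Tekya; extend as needed (assumption: exact-name match).
WATCHED_LIBS = {"libtekya.so"}


def native_libs(apk_bytes: bytes) -> list:
    """Return every shared object path under lib/ in the APK zip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        return sorted(n for n in z.namelist()
                      if n.startswith("lib/") and n.endswith(".so"))


def receiver_actions(manifest_xml: str) -> dict:
    """Map each <receiver> class name to the intent actions it filters on.
    Expects decoded text XML, not the binary AXML stored in a real APK."""
    root = ET.fromstring(manifest_xml)
    return {rcv.get(NAME_ATTR): {a.get(NAME_ATTR) for a in rcv.iter("action")}
            for rcv in root.iter("receiver")}


def requested_permissions(manifest_xml: str) -> set:
    root = ET.fromstring(manifest_xml)
    return {p.get(NAME_ATTR) for p in root.iter("uses-permission")}


def triage(apk_bytes: bytes, manifest_xml: str) -> dict:
    """Combine the manifest and native-library signals into a report."""
    libs = native_libs(apk_bytes)
    receivers = receiver_actions(manifest_xml)
    perms = requested_permissions(manifest_xml)
    findings = []
    for cls, actions in receivers.items():
        hits = actions & WATCHED_ACTIONS
        if hits:
            findings.append(f"receiver {cls} listens for {sorted(hits)}")
    if "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("app requests RECEIVE_BOOT_COMPLETED (needed for BOOT_COMPLETED)")
    for lib in libs:
        if lib.rsplit("/", 1)[-1] in WATCHED_LIBS:
            findings.append(f"bundled native library matches a known name: {lib}")
    # Boot/unlock receiver AND native code present: worth a closer look.
    suspicious = bool(libs) and any(a & WATCHED_ACTIONS for a in receivers.values())
    return {"native_libs": libs, "receivers": receivers,
            "findings": findings, "suspicious": suspicious}


# Constructed sample manifest (decoded form); package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".StartupReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def build_sample_apk() -> bytes:
    """Constructed in-memory APK: placeholder dex and two dummy ELF stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", SAMPLE_MANIFEST)  # real APKs: binary AXML
        z.writestr("classes.dex", b"dex\n035\0")
        z.writestr("lib/arm64-v8a/libtekya.so", b"\x7fELF" + b"\0" * 12)
        z.writestr("lib/armeabi-v7a/libtekya.so", b"\x7fELF" + b"\0" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage(build_sample_apk(), SAMPLE_MANIFEST)["findings"]:
        print("-", finding)
```

Treat a hit as a triage signal rather than a verdict: plenty of legitimate apps (alarm clocks, messaging clients, games with native engines) register for BOOT_COMPLETED and ship .so files. What distinguishes the Tekya pattern is that the receiver exists only to hand off to the native library, so the next step is to look at what that library does, not to block on the manifest alone.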

The discovery once again highlights that the Google Play Store is not yet free of malicious apps.

Check Point researchers Israel Wernik, Danil Golubenko and Aviran Hazum wrote in their blog post that nearly 3 million apps are hosted in the store, with hundreds of new ones uploaded daily. Google scans and catches a large percentage of the malicious apps submitted to the Play Store, but given the volume of submissions it is difficult for Google to guarantee users' safety.

"Users cannot rely on Google Play’s security measures alone to ensure their devices are protected," the researchers said.

As always, Android users should be highly selective in the apps they install.

Published: 
31/03/2020