A new malware family, dubbed Tekya, has infected multiple children’s Android apps, farming ad clicks to earn money. Cybersecurity firm Check Point found that the previously undetected malware was present in 56 apps — 24 of them were targeted towards kids — on Google Play Store. The apps were collectively downloaded over a million times.
The firm noted that these applications mimicked users’ actions on Android to serve ads from networks such as Google’s AdMob, AppLovin’, Facebook, and Unity.
Hackers took advantage of Android’s MotionEvent actions, which record users’ movement through a pen or finger across the screen, to generate clicks.
According to security researchers, Tekya’s code was hidden in the native code of the app, which helped it bypass Google Play Store’s security protocols. After Check Point’s notification, Google removed these apps earlier this month.
Aviran Hazum, Manager of Mobile Research at Check Point, noted this incident highlights Google Play Store’s fallacy to stop malware-infected apps:
To us, the amount of applications targeted and the sheer number of downloads that the actor successfully infiltrated into Google Play is staggering. Combine that with a relatively simple infection methodology, it all sums up to the learning that Google Play Store can still host malicious apps. It is difficult to check if every single application is safe on the Play Store, so users cannot rely on Google Play’s security measures alone to ensure their devices are protected.
In a blog post published in February, Google said it removed over 790,000 suspicious apps before they were updated to Play Store. However, despite these measures, the Play Store often fails to detect malware-laden apps.
Last year, security firm Upstream Systems found adware that was present in 47 applications with more than 78 million users. In February, Check Point revealed Haken family of malware that infected eight apps that had been downloaded over 50,000 times.