“Malicious apps are still finding their way onto Google Play,” leading cyber security firm Check Point warned last month. At the time, its researchers had just alerted to the continued menace of Joker malware as well as the new threat of Haken clickers, hiding from Google’s defenses through the use of native Android code. Now, the same team has issued a new warning, a different malware family dubbed Tekya, but using that same native code subterfuge as Haken to slip the security net.
“I really believe,” Check Point’s Aviran Hazum tells me, “that this demonstrates the capability of malicious actors to adapt and overcome current obstacles to reach a wider audience by infiltrating Google Play and overcoming the analysis process by Google. Those two malware families combined (Haken and Tekya) show the ability of Google Play protect to not detect native code malware.”
Android users are now being warned that 66 apps used this native code trick to beat Google’s Play Store screening system, apps installed more than one million times. And what’s worse, much worse, is that 26 of those apps were targeted at kids—racing games and puzzled, even pretend chef games. The rest were pointless, easy to live without utilities—translates, calculators, ebook readers.
According to Check Point, many of the infected apps were removed by Google after it submitted its findings. the rest were pulled by the malicious operator itself once it realised the game, so to speak, was up. Google had no comment on the malware, but did confirm that the apps had all been dropped from Play Store. Those apps are listed below—if you have any installed, delete them now.
All 66 apps were designed to commit ad fraud, essentially fraudulent clicks at the expense of advertisers to generate a healthy return for their operators. According to Check Point, these 66 apps alone had the potential to generate millions of dollars. And such apps fit right into the mainstream, these accessed “ads and banners from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity.
The malware works by accessing Androids “MotionEvent” function, mimicking a user’s movement, tricking the ad into thinking it’s been clicked. “The Tekya malware family went undetected by VirusTotal and Google Play Protect,” Check Point says. The malware’s operators decompiled and cloned genuine, popular apps which were then renamed and put back onto the store with the adware mobile included.
“This highlights once again that the Google Play Store can still host malicious apps,” Check Point warns. “There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily—making it difficult to check that every single app is safe. Users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”
Adware such as this is often dismissed as more nuisance than threat. But a bad app is a bad app, and once there’s a backdoor open onto your device you are vulnerable. Some weeks ago, Google dumped a mass of apps it claimed to be perpetuating just such fraud, many of which belonged to one listed Chinese developer. This is clearly a serious issue and for threat actors to be finding security gaps is a concern.
“If they just update the native code they can do whatever they want,” Hazum warns, “from clickers to bankers to MRATs (mobile remote access trojans). The ecosystem supports it. If the current state of Google Play remains the same, we will see more malware adapting to those techniques.”
Just a few days ago, Google announced that higher profile users of its platforms, those enrolled in its Advanced Protection Program, would no longer be allowed to install apps from any sores bar the Play Store. Reports such as this one illustrate that risks still remain despite such protections. The onus remains with users to take care with they install, avoiding trivial apps, including, it seems, kids games.
The list of infected kids’ games is here:
And the list of infected utility apps is here: