#parent | #kids | Google Just Dumped All These ‘Malicious’ Games From Play Store

“Malicious apps are still finding their way onto Google Play,” leading cyber security firm Check Point warned last month. At the time, its researchers had just alerted to the continued menace of Joker malware as well as the new threat of Haken clickers, hiding from Google’s defenses through the use of native Android code. Now, the same team has issued a new warning, a different malware family dubbed Tekya, but using that same native code subterfuge as Haken to slip the security net.

“I really believe,” Check Point’s Aviran Hazum tells me, “that this demonstrates the capability of malicious actors to adapt and overcome current obstacles to reach a wider audience by infiltrating Google Play and overcoming the analysis process by Google. Those two malware families combined (Haken and Tekya) show the ability of Google Play protect to not detect native code malware.”

Android users are now being warned that 66 apps used this native code trick to beat Google’s Play Store screening system, apps installed more than one million times. And what’s worse, much worse, is that 26 of those apps were targeted at kids—racing games and puzzled, even pretend chef games. The rest were pointless, easy to live without utilities—translates, calculators, ebook readers.

According to Check Point, many of the infected apps were removed by Google after it submitted its findings. the rest were pulled by the malicious operator itself once it realised the game, so to speak, was up. Google had no comment on the malware, but did confirm that the apps had all been dropped from Play Store. Those apps are listed below—if you have any installed, delete them now.

All 66 apps were designed to commit ad fraud, essentially fraudulent clicks at the expense of advertisers to generate a healthy return for their operators. According to Check Point, these 66 apps alone had the potential to generate millions of dollars. And such apps fit right into the mainstream, these accessed “ads and banners from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity.

The malware works by accessing Androids “MotionEvent” function, mimicking a user’s movement, tricking the ad into thinking it’s been clicked. “The Tekya malware family went undetected by VirusTotal and Google Play Protect,” Check Point says. The malware’s operators decompiled and cloned genuine, popular apps which were then renamed and put back onto the store with the adware mobile included.

“There’s nothing malicious about native code,” Hazum explains, “but in this case the entire malicious code within Tekya is in native code. Most applications implement javascript, accessing multiple instructions and APIs. Native code does not have all that—it’s a lower level language. It’s a lot harder to analyze native code. Because all the malicious code in Tekya is native code. It was able to bypass Google Protect.”

“This highlights once again that the Google Play Store can still host malicious apps,” Check Point warns. “There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily—making it difficult to check that every single app is safe. Users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”

Adware such as this is often dismissed as more nuisance than threat. But a bad app is a bad app, and once there’s a backdoor open onto your device you are vulnerable. Some weeks ago, Google dumped a mass of apps it claimed to be perpetuating just such fraud, many of which belonged to one listed Chinese developer. This is clearly a serious issue and for threat actors to be finding security gaps is a concern.

“If they just update the native code they can do whatever they want,” Hazum warns, “from clickers to bankers to MRATs (mobile remote access trojans). The ecosystem supports it. If the current state of Google Play remains the same, we will see more malware adapting to those techniques.”

Just a few days ago, Google announced that higher profile users of its platforms, those enrolled in its Advanced Protection Program, would no longer be allowed to install apps from any sores bar the Play Store. Reports such as this one illustrate that risks still remain despite such protections. The onus remains with users to take care with they install, avoiding trivial apps, including, it seems, kids games.

The list of infected kids’ games is here:

  1. caracal.raceinspace.astronaut
  2. com.caracal.cooking
  3. com.leo.letmego
  4. com.pantanal.aquawar
  5. com.pantanal.dressup
  6. banz.stickman.runner.parkour
  7. com.banzinc.littiefarm
  8. com.folding.blocks.origami.mandala
  9. com.goldencat.hillracing
  10. com.hexa.puzzle.hexadom
  11. com.ichinyan.fashion
  12. com.maijor.cookingstar
  13. com.major.zombie
  14. com.nyanrev.carstiny
  15. com.pantanal.stickman.warrior
  16. com.splashio.mvm
  17. leo.unblockcar.puzzle
  18. biaz.jewel.block.puzzle2019
  19. biaz.magic.cuble.blast.puzzle
  20. com.inunyan.breaktower
  21. com.leo.spaceship
  22. fortuneteller.tarotreading.horo
  23. ket.titan.block.flip
  24. com.leopardus.happycooking
  25. com.caracal.burningman
  26. com.cuvier.amazingkitchen

And the list of infected utility apps is here:

  1. com.caculator.biscuitent
  2. inferno.me.translator
  3. translate.travel.map
  4. travel.withu.translate
  5. allday.a24h.translate
  6. best.translate.tool
  7. com.bestcalculate.multifunction
  8. com.mimochicho.fastdownloader
  9. com.pdfreader.biscuit
  10. com.yeyey.translate
  11. mcmc.delicious.recipes
  12. mcmc.delicious.recipes
  13. multi.translate.threeinone
  14. pro.infi.translator
  15. rapid.snap.translate
  16. smart.language.translate
  17. sundaclouded.best.translate
  18. biscuitent.imgdownloader
  19. biscuitent.instant.translate
  20. com.besttranslate.biscuit
  21. com.michimocho.video.downloader
  22. mcmc.ebook.reader
  23. swift.jungle.translate
  24. com.mcmccalculator.free
  25. com.tapsmore.challenge
  26. com.yummily.healthy.recipes
  27. com.hexamaster.anim
  28. com.twmedia.downloader
  29. bis.wego.translate
  30. com.arplanner.sketchplan
  31. com.arsketch.quickplan
  32. com.livetranslate.best
  33. com.lulquid.calculatepro
  34. com.smart.tools.pro
  35. com.titanyan.igsaver
  36. hvt.ros.digiv.weather.radar
  37. md.titan.translator
  38. scanner.ar.measure 
  39. toolbox.artech.helpful
  40. toolkit.armeasure.translate

Source link