Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices.
Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location.
For example, in February 2020, the Haken malware family was installed in over 50 000 Android devices by eight different malicious apps, all of which initially appeared to be safe.
Recently, Check Point’s researchers identified a new malware family that was operating in 56 applications and downloaded almost 1-million times worldwide.
With the goal of committing mobile ad fraud, the malware – dubbed ‘Tekya’ – imitates the user’s actions in order to click ads and banners from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity.
Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on).
“To us, the amount of applications targeted and the sheer number of downloads that the actor successfully infiltrated into Google Play is staggering,” says Aviran Hazum, manager of mobile research at Check Point.
“Combine that with a relatively simple infection methodology, it all sums up to the learning that Google Play Store can still host malicious apps. It is difficult to check if every single application is safe on the Play Store, so users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”
The Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android (introduced in 2019) to imitate the user’s actions and generate clicks.
During this research, the Tekya malware family went undetected by VirusTotal and Google Play Protect. Ultimately, it was available for download in 56 applications downloadable on Google Play.
This campaign cloned legitimate popular applications to gain an audience, mostly with children, as most application covers for the Tekya malware are children’s games. The good news is, these infected applications have all been removed from Google Play.
How to protect yourself?
If you suspect you may have one of these infected apps on your device, here’s what you should do:
* Uninstall the infected application from the device;
* Install a security solution to prevent future infections; and
* Update your device Operation System and Applications to the latest version.
In addition, enterprises need to ensure their employees corporate devices can be secured against sophisticated mobile cyberattacks like Tekya or Haken (or any other malware).