Original link: https://research.checkpoint.com/2020/google-play-store-played-again-tekya-clicker-hides-in-24-childrens-games-and-32-utility-apps/
Research by Israel Wernik, Danil Golubenko, Aviran Hazum
Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices. Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location. For example, in February 2020, the Haken malware family was installed in over 50,000 Android devices by eight different malicious apps, all of which initially appeared to be safe.
Recently, Check Point’s researchers identified a new malware family that was operating in 56 applications and downloaded almost 1 million times worldwide. With the goal of committing mobile ad fraud, the malware – dubbed ‘Tekya’ – imitates the user’s actions in order to click ads and banners from agencies like Google’s AdMob, AppLovin, Facebook, and Unity.
Twenty-four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on).
Overview
The Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android (introduced in 2019) to imitate the user’s actions and generate clicks.
During this research, the Tekya malware family went undetected by VirusTotal and Google Play Protect. Ultimately, it shipped inside 56 applications that were available for download on Google Play.
This campaign cloned legitimate popular applications to gain an audience, mostly children, as most of the application covers for the Tekya malware are children’s games. The good news is that these infected applications have all been removed from Google Play.
However, this highlights once again that the Google Play Store can still host malicious apps. There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.
The full list of infected apps is listed below.
Figure 1 – Google Play pages for some of the ‘Tekya’ applications
Technical Analysis
Upon installation of an infected application from Google Play, a receiver (‘us.pyumo.TekyaReceiver’) is registered for multiple actions:
‘BOOT_COMPLETED’, to run code at device startup (a “cold” start)
‘USER_PRESENT’, to detect when the user is actively using the device
‘QUICKBOOT_POWERON’, to run code after a device restart
Figure 2 – TekyaReceiver registration
This receiver has one purpose — to load the native library ‘libtekya.so’ in the ‘libraries’ folder inside the .apk file.
Figure 3 – TekyaReceiver’s code
Inside the constructor for the ‘Tekya’ library, a list of “Validator” objects (that don’t validate anything) is created.
Figure 4 – Part of the ‘Tekya’ constructor
Inside each “Validator”, an overridden method runs an internal function from the native library ‘libtekya.so’.
In the case of the ‘AdmobValidator’, the function calls the ‘c’ function, which then runs the ‘z’ function, which in turn calls the ‘zzdtxq’ function from the native library.
Figure 5 – AdmobValidator’s overridden function and calling internal native function
Inside the ‘libtekya.so’ native library, the ‘zzdtxq’ function called from the “Validator” objects is responsible for multiple actions:
calling the ‘ffnrsv’ function, which parses the configuration file
calling ‘getWindow’ and ‘getDecorView’ to obtain the needed handles
calling a sub-function, ‘sub_AB2C’, with the results of the functions above
Figure 6 – Tekya’s ‘zzdtxq’s native code
Lastly, the sub-function ‘sub_AB2C’ creates and dispatches touch events, imitating a click via the ‘MotionEvent’ mechanism.
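The persistence pattern described above (a broadcast receiver bound to boot and user-presence actions that exists only to load a bundled native library) is something an analyst can triage statically before any dynamic analysis. The following Python script is an added example, not Check Point’s tooling; it assumes a manifest already decoded to plain XML (for instance by apktool) plus the APK’s file listing, and uses a constructed sample manifest modelled on the registration in Figure 2.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions the Tekya receiver registers for (see the analysis above).
# QUICKBOOT_POWERON is an OEM-specific action, not part of the core Android API.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.QUICKBOOT_POWERON",
}


def receivers_with_actions(manifest_xml: str) -> dict[str, set[str]]:
    """Map every <receiver> in a decoded AndroidManifest.xml to the actions it filters on."""
    root = ET.fromstring(manifest_xml)
    return {
        receiver.get(ANDROID_NS + "name"): {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        for receiver in root.iter("receiver")
    }


def triage(manifest_xml: str, apk_entries: list[str]) -> list[str]:
    """Flag receivers bound to persistence actions and, when found, any native libraries bundled with them."""
    findings = []
    for name, actions in receivers_with_actions(manifest_xml).items():
        hits = sorted(actions & PERSISTENCE_ACTIONS)
        if hits:
            findings.append(f"receiver {name} listens for {', '.join(hits)}")
    native_libs = sorted({e.rsplit("/", 1)[-1] for e in apk_entries if e.endswith(".so")})
    if findings and native_libs:
        findings.append(f"native libraries shipped alongside a boot-triggered receiver: {', '.join(native_libs)}")
    return findings


# Constructed sample (not extracted from a real Tekya APK): a decoded manifest with the
# receiver and actions named in the analysis, plus one benign receiver for contrast.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.app">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name="us.pyumo.TekyaReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
    <receiver android:name="example.app.BenignReceiver">
      <intent-filter><action android:name="example.app.LOCAL_EVENT"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
# Constructed APK file listing; the library name is the one from the analysis.
SAMPLE_ENTRIES = ["classes.dex", "lib/arm64-v8a/libtekya.so", "res/drawable/icon.png"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST, SAMPLE_ENTRIES):
        print(finding)
```

Boot-triggered receivers are common in legitimate apps, so the combination with a bundled native library is a triage signal to prioritise for manual review, not a verdict on its own.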
If you suspect you may have one of these infected apps on your device, here’s what you should do:
Uninstall the infected application from the device
Install a security solution to prevent future infections
Update your device’s operating system and applications to the latest version
Furthermore, enterprises need to ensure their employees’ corporate devices can be secured against sophisticated mobile cyberattacks like Tekya or Haken (or any other malware) with SandBlast Mobile. To protect personal devices against attacks, Check Point offers ZoneAlarm Mobile Security.