Google Play, the company's official repository for Android apps, has once again been caught hosting fraudulent and potentially malicious apps, with the discovery of more than 56 apps—many of them for children—that were installed on almost 1.7 million devices.
Tekya is a family of malware that generates fraudulent clicks on ads and banners delivered by agencies including Google's AdMob, AppLovin, Facebook, and Unity. To give the clicks the air of authenticity, the well-obfuscated code causes infected devices to use Android's “MotionEvent” mechanism to imitate legitimate user actions. At the time that researchers from security firm Check Point discovered them, the apps went undetected by VirusTotal and Google Play Protect. Twenty-four of the apps that contained Tekya were marketed to children. Google removed all 56 of the apps after Check Point reported them.
The discovery “highlights once again that the Google Play Store can still host malicious apps,” Check Point researchers Israel Wernik, Danil Golubenko, and Aviran Hazum wrote in a post published on Tuesday. “There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily, making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play's security measures alone to ensure their devices are protected.”
To make the malicious behavior harder to detect, the apps were written in native Android code—typically in the C and C++ programming languages. Android apps usually use Java to implement logic. The interface of that language provides developers with the ease of accessing multiple layers of abstraction. Native code, by contrast, is implemented at a much lower level. While Java can easily be decompiled—a process that converts binaries back into human-readable source code—it's much harder to do this with native code.
Once installed, the Tekya apps register a broadcast receiver for multiple intent actions, including:
- BOOT_COMPLETED, to run code at device startup (“cold” startup)
- USER_PRESENT, to detect when the user is actively using the device
- QUICKBOOT_POWERON, to run code after a device restart
The sole purpose of the receiver is to load the native library libtekya.so in the libraries folder inside the .apk file of each app. The Check Point post provides much more technical detail on how the code works. Google representatives confirmed the apps have been removed from Play.
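As an added example that is not from the article or from Check Point, the following Python script turns the indicators just described into a static triage check: it reads a decoded AndroidManifest.xml (assumed to come from apktool, since the manifest inside a real APK is binary XML) for receivers registered on those startup and presence actions, and lists the native libraries packaged under lib/ in the APK. The receiver class name and the sample manifest and APK are constructed for the demonstration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Startup/presence actions the Tekya receiver registers for, per the Check Point write-up.
SUSPECT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.QUICKBOOT_POWERON",
}

def receiver_actions(manifest_xml):
    """Map each <receiver> class in a decoded manifest to the intent actions it filters on."""
    root = ET.fromstring(manifest_xml)
    return {r.get(ANDROID_NS + "name"): {a.get(ANDROID_NS + "name") for a in r.iter("action")}
            for r in root.iter("receiver")}

def native_libs(apk_bytes):
    """List shared objects packaged under lib/<abi>/ in the APK (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("lib/") and n.endswith(".so"))

def triage(manifest_xml, apk_bytes):
    """Report receivers on the suspect actions plus any native libraries they could load.
    Many benign apps register BOOT_COMPLETED, so a hit is a lead for manual review, not a verdict."""
    hits = {name: acts & SUSPECT_ACTIONS
            for name, acts in receiver_actions(manifest_xml).items() if acts & SUSPECT_ACTIONS}
    libs = native_libs(apk_bytes)
    return {"receivers": hits, "native_libs": libs, "lead": bool(hits) and bool(libs)}

# Constructed sample: a decoded manifest (apktool output) and a minimal APK whose only
# native library mirrors the libtekya.so case; the class name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name="com.example.puzzle.StartReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("classes.dex", b"")
    _zf.writestr("lib/arm64-v8a/libtekya.so", b"\x7fELF")
SAMPLE_APK = _buf.getvalue()
```

Run `triage(SAMPLE_MANIFEST, SAMPLE_APK)` to see the flagged receiver, the library list and the combined lead flag; on a real sample, point it at the apktool-decoded manifest and the original APK bytes.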
But wait . . . there's more
Separately, antivirus provider Dr.Web on Tuesday reported the discovery of an undisclosed number of Google Play apps, downloaded more than 700,000 times, that contained malware dubbed Android.Circle.1. The malware used code ba