Google Play Store Played Again – Tekya Clicker Hides in 24 Children’s Games and 32 Utility Apps

Research by Israel Wernik , Danil Golubenko , Aviran Hazum

Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices. Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location. For example, in February 2020, the Haken malware family was installed in over 50,000 Android devices by eight different malicious apps, all of which initially appeared to be safe.

Recently, Check Point’s researchers identified a new malware family that was operating in 56 applications and downloaded almost 1 million times worldwide. With the goal of committing mobile ad fraud, the malware – dubbed ‘Tekya’ – imitates the user’s actions in order to click ads and banners from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity.

Twenty-four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on).

Overview

The Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android (introduced in 2019) to imitate the user’s actions and generate clicks.

During this research, the Tekya malware family went undetected by VirusTotal and Google Play Protect. Ultimately, it shipped in 56 applications that were available for download on Google Play.

This campaign cloned legitimate popular applications to gain an audience, mostly with children, as most application covers for the Tekya malware are children’s games. The good news is, these infected applications have all been removed from Google Play.

However, this highlights once again that the Google Play Store can still host malicious apps. There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.

The full list of infected apps is listed below.

Figure 1 – Google Play pages for some of the ‘Tekya’ applications

Technical Analysis

Upon installation of one of these applications from Google Play, a receiver (‘us.pyumo.TekyaReceiver’) is registered for multiple actions:

‘BOOT_COMPLETED’ to allow code to run at device startup (a “cold” start)

‘USER_PRESENT’ in order to detect when the user is actively using the device

‘QUICKBOOT_POWERON’ to allow code to run after a device restart

Figure 2 – TekyaReceiver registration

This receiver has one purpose — to load the native library ‘libtekya.so’ in the ‘libraries’ folder inside the .apk file.

Figure 3 – TekyaReceiver’s code

Inside the constructor for the ‘Tekya’ library, a list of “Validator” objects (that don’t validate anything) is created.

Figure 4 – Part of the ‘Tekya’ constructor

Inside each “Validator”, another method is called that runs an internal function from the native library ‘libtekya.so’.

In the case of the ‘AdmobValidator’, the function calls the ‘c’ function, which then runs the ‘z’ function, which in turn calls the ‘zzdtxq’ function from the native library.

Figure 5 – AdmobValidator’s overridden function and calling internal native function

Inside the ‘libtekya.so’ native library, this function, which is called from the “Validators”, is responsible for multiple actions:

calling the ‘ffnrsv’ function, which is responsible for parsing the configuration file

calling ‘getWindow’ and ‘getDecorView’ to obtain the needed handles

calling a sub-function, ‘sub_AB2C’ with the results of the functions above

Figure 6 – Tekya’s ‘zzdtxq’s native code

Lastly, the sub-function ‘sub_AB2C’ creates and dispatches touch events, imitating a click via the ‘MotionEvent’ mechanism.

Figure 7 – VirusTotal output for ‘Tekya’ applications

How to protect yourself?

If you suspect you may have one of these infected apps on your device, here’s what you should do:

Uninstall the infected application from the device

Install a security solution to prevent future infections

Update your device’s operating system and applications to the latest version

Furthermore, enterprises need to ensure their employees’ corporate devices can be secured against sophisticated mobile cyberattacks like Tekya or Haken (or any other malware) with SandBlast Mobile. To protect personal devices against attacks, Check Point offers ZoneAlarm Mobile Security.

Appendix 1 – IOCs