Google Play, the company’s official repository for Android apps, has once again been caught hosting fraudulent and potentially malicious apps, with the discovery of more than 56 apps—many of them for children—that were installed on almost 1.7 million devices.

Tekya is a family of malware that generates fraudulent clicks on ads and banners delivered by agencies including Google’s AdMob, AppLovin, Facebook, and Unity. To give the clicks the air of authenticity, the well-obfuscated code causes infected devices to use Android’s “MotionEvent” mechanism to imitate legitimate user actions. At the time that researchers from security firm Check Point discovered them, the apps went undetected by VirusTotal and Google Play Protect. Twenty-four of the apps that contained Tekya were marketed to children. Google removed all 56 of the apps after Check Point reported them.

The discovery “highlights once again that the Google Play Store can still host malicious apps,” Check Point researchers Israel Wernik, Danil Golubenko, and Aviran Hazum wrote in a post published on Tuesday. “There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily–making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”

Going native

To make the malicious behavior harder to detect, the apps were written in native Android code—typically in the C and C++ programming languages. Android apps usually use Java to implement logic. That language’s interface gives developers easy access to multiple layers of abstraction. Native code, by contrast, is implemented at a much lower level. While Java can easily be decompiled—a process that converts binaries back into human-readable source code—it’s much harder to do this with native code.

Once installed, the Tekya apps register a broadcast receiver that listens for multiple actions, including:

BOOT_COMPLETED to allow code to run at device startup (“cold” startup)

USER_PRESENT in order to detect when the user is actively using the device

QUICKBOOT_POWERON to allow code to run after device restart

The sole purpose of the receiver is to load the native library ‘libtekya.so’ in the libraries folder inside the .apk file of each app. The Check Point post provides much more technical detail on how the code works. Google representatives confirmed the apps have been removed from Play.
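A defender-side triage sketch for the pattern described above, added here and not taken from Check Point's or Google's code: it flags a receiver subscribed to the listed actions in an app that also ships native libraries. It assumes the manifest has already been decoded to text XML (inside an APK it is binary XML); the sample manifest, `.WakeReceiver` and `libsample.so` are constructed, and a hit is a lead for manual review because legitimate apps use the same actions.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Broadcast actions the article lists for the Tekya receiver (short names).
TRIGGERS = {"BOOT_COMPLETED", "USER_PRESENT", "QUICKBOOT_POWERON"}

def receiver_triggers(manifest_xml):
    """Map each <receiver> to the listed trigger actions it subscribes to."""
    found = {}
    for rcv in ET.fromstring(manifest_xml).iter("receiver"):
        # Compare on the last dotted component, e.g. ...action.BOOT_COMPLETED
        actions = {a.get(ANDROID_NS + "name", "").rsplit(".", 1)[-1]
                   for a in rcv.iter("action")}
        if actions & TRIGGERS:
            found[rcv.get(ANDROID_NS + "name", "?")] = sorted(actions & TRIGGERS)
    return found

def native_libs(apk_bytes):
    """List shared objects packaged under lib/ in the APK (a zip archive)."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        return sorted(n for n in apk.namelist()
                      if n.startswith("lib/") and n.endswith(".so"))

def triage(manifest_xml, apk_bytes, min_triggers=2):
    """Mark for manual review: multi-trigger receivers plus bundled native code."""
    libs = native_libs(apk_bytes)
    flagged = {name: hits for name, hits in receiver_triggers(manifest_xml).items()
               if len(hits) >= min_triggers}
    return {"review": bool(libs and flagged), "receivers": flagged, "native_libs": libs}

# Constructed sample input: a decoded manifest and a tiny in-memory APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application><receiver android:name=".WakeReceiver"><intent-filter>
    <action android:name="android.intent.action.BOOT_COMPLETED"/>
    <action android:name="android.intent.action.USER_PRESENT"/>
    <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
  </intent-filter></receiver></application>
</manifest>"""

def sample_apk():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("lib/armeabi-v7a/libsample.so", b"\x7fELF")  # placeholder bytes
    return buf.getvalue()

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, sample_apk()))
```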

But wait . . . there's more

Separately, antivirus provider Dr.Web on Tuesday reported the discovery of an undisclosed number of Google Play apps, downloaded more than 700,000 times, that contained malware dubbed Android.Circle.1. The malware used code based on the BeanShell scripting language and combined both adware and click-fraud functions. The malware, which had 18 modifications, could be used to perform phishing attacks.

The Dr.Web post didn’t name all of the apps that contained Android.Circle.1. The handful of apps identified were Wallpaper Black—Dark Background, Horoscope 2020—Zodiac Horoscope, Sweet Meet, Cartoon Camera, and Bubble Shooter. Google removed all of the apps Dr.Web reported. The 56 apps discovered by Check Point, meanwhile, are listed in Tuesday's Check Point post.

Android devices often uninstall apps after they’re found to be malicious, but the mechanism doesn’t always work as intended. Readers may want to check their devices to see if they have been infected. As always, readers should be highly selective in the apps they install. No doubt, Google scans detect a large percentage of malicious apps submitted to Play, but a significant number of users continue to get infected with malware that bypasses those checks.