Thursday, May 1, 2025
HomeAndroidTekya Clicker Malware Hides in 56 Apps that Downloaded 1 Million Times...

Tekya Clicker Malware Hides in 56 Apps that Downloaded 1 Million Times Worldwide From Google Play

Published on

SIEM as a Service

Follow Us on Google News

Google implements a number of ways to filter the malicious apps getting into the play store, but still, attackers continue to find ways to infiltrate the app store and infect user devices.

Security researchers from Check Point identified 56 malicious apps in play store that aimed to commit mobile fraud with new malware families dubbed ‘Tekya’.

Tekya Malware Play Store

The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

- Advertisement - Google News

The Tekya malware founded to be hidden with 56 apps that were downloaded more than 1 million times worldwide. Out of 56 apps, 24 of the infected apps targeting apps used by kids such as puzzles to racing games.

Researchers found that “Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android to imitate the user’s actions and generate clicks”.

MotionEvent is a mechanism in an Android device that used to report movements such as a mouse, pen, finger, trackball events.

With this campaign, attackers cloned the legitimate versions of the app and host fake versions with malware embedded.

Once this malware gets installed in the device, a receiver gets registered and multiple actions performed in the device.

The receiver “us.pyumo.TekyaReceiver” get’s registered to perform the following actions

BOOT_COMPLETED’ to allow code running at device startup (“cold” startup)
USER_PRESENT’ in order to detect when the user is actively using the device
QUICKBOOT_POWERON’ to allow code running after device restart

The main goal of the malware is to click on the ads banner from agencies such as Google’s AdMob, AppLovin, Facebook, and Unity.

Here you can find the full list of the infected apps

Package_nameGp Installs
caracal.raceinspace.astronaut100000
com.caracal.cooking100000
com.leo.letmego100000
com.caculator.biscuitent50000
com.pantanal.aquawar50000
com.pantanal.dressup50000
inferno.me.translator50000
translate.travel.map50000
travel.withu.translate50000
allday.a24h.translate10000
banz.stickman.runner.parkour10000
best.translate.tool10000
com.banzinc.littiefarm10000
com.bestcalculate.multifunction10000
com.folding.blocks.origami.mandala10000
com.goldencat.hillracing10000
com.hexa.puzzle.hexadom10000
com.ichinyan.fashion10000
com.maijor.cookingstar10000
com.major.zombie10000
com.mimochicho.fastdownloader10000
com.nyanrev.carstiny10000
com.pantanal.stickman.warrior10000
com.pdfreader.biscuit10000
com.splashio.mvm10000
com.yeyey.translate10000
leo.unblockcar.puzzle10000
mcmc.delicious.recipes10000
mcmc.delicious.recipes10000
multi.translate.threeinone10000
pro.infi.translator10000
rapid.snap.translate10000
smart.language.translate10000
sundaclouded.best.translate10000
biaz.jewel.block.puzzle20195000
biaz.magic.cuble.blast.puzzle5000
biscuitent.imgdownloader5000
biscuitent.instant.translate5000
com.besttranslate.biscuit5000
com.inunyan.breaktower5000
com.leo.spaceship5000
com.michimocho.video.downloader5000
fortuneteller.tarotreading.horo5000
ket.titan.block.flip5000
mcmc.ebook.reader5000
swift.jungle.translate5000
com.leopardus.happycooking1000
com.mcmccalculator.free1000
com.tapsmore.challenge1000
com.yummily.healthy.recipes1000
com.hexamaster.anim500
com.twmedia.downloader100
com.caracal.burningman50
com.cuvier.amazingkitchen50
bis.wego.translate0
com.arplanner.sketchplan0
com.arsketch.quickplan0
com.livetranslate.best0
com.lulquid.calculatepro0
com.smart.tools.pro0
com.titanyan.igsaver0
hvt.ros.digiv.weather.radar0
md.titan.translator0
scanner.ar.measure0
toolbox.artech.helpful0
toolkit.armeasure.translate0

This shows that attackers still finding ways to bypass the Google Play Store and infiltrate with malicious apps.

Before installing apps users are recommended to check the background of the application and its developer company reputation.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Apache ActiveMQ Vulnerability Lets Remote Hackers Execute Arbitrary Code

A high vulnerability in Apache ActiveMQ’s .NET Message Service (NMS) library has been uncovered,...

Commvault Confirms Zero-Day Attack Breached Its Azure Cloud Environment

Commvault, a global leader in data protection and information management, has confirmed that a...

FBI Uncovers 42,000 Phishing Domains Tied to LabHost PhaaS Operation

The Federal Bureau of Investigation (FBI) has revealed the existence of 42,000 phishing domains...

Tor Browser 14.5.1 Released with Enhanced Security and New Features

The Tor Project has announced the official release of Tor Browser 14.5.1, introducing a...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

AiTM Phishing Kits Bypass MFA by Hijacking Credentials and Session Tokens

Darktrace's Security Operations Center (SOC) in late 2024 and early 2025, cybercriminals have been...

Nitrogen Ransomware Uses Cobalt Strike and Log Wiping in Targeted Attacks on Organizations

Threat actors have leveraged the Nitrogen ransomware campaign to target organizations through deceptive malvertising...

Researchers Reveal Threat Actor TTP Patterns and DNS Abuse in Investment Scams

Cybersecurity researchers have uncovered the intricate tactics, techniques, and procedures (TTPs) employed by threat...