Sunday, May 18, 2025
HomeAndroidTekya Clicker Malware Hides in 56 Apps that Downloaded 1 Million Times...

Tekya Clicker Malware Hides in 56 Apps that Downloaded 1 Million Times Worldwide From Google Play

Published on

SIEM as a Service

Follow Us on Google News

Google implements a number of ways to filter the malicious apps getting into the play store, but still, attackers continue to find ways to infiltrate the app store and infect user devices.

Security researchers from Check Point identified 56 malicious apps in play store that aimed to commit mobile fraud with new malware families dubbed ‘Tekya’.

Tekya Malware Play Store

The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

- Advertisement - Google News

The Tekya malware founded to be hidden with 56 apps that were downloaded more than 1 million times worldwide. Out of 56 apps, 24 of the infected apps targeting apps used by kids such as puzzles to racing games.

Researchers found that “Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android to imitate the user’s actions and generate clicks”.

MotionEvent is a mechanism in an Android device that used to report movements such as a mouse, pen, finger, trackball events.

With this campaign, attackers cloned the legitimate versions of the app and host fake versions with malware embedded.

Once this malware gets installed in the device, a receiver gets registered and multiple actions performed in the device.

The receiver “us.pyumo.TekyaReceiver” get’s registered to perform the following actions

BOOT_COMPLETED’ to allow code running at device startup (“cold” startup)
USER_PRESENT’ in order to detect when the user is actively using the device
QUICKBOOT_POWERON’ to allow code running after device restart

The main goal of the malware is to click on the ads banner from agencies such as Google’s AdMob, AppLovin, Facebook, and Unity.

Here you can find the full list of the infected apps

Package_nameGp Installs
caracal.raceinspace.astronaut100000
com.caracal.cooking100000
com.leo.letmego100000
com.caculator.biscuitent50000
com.pantanal.aquawar50000
com.pantanal.dressup50000
inferno.me.translator50000
translate.travel.map50000
travel.withu.translate50000
allday.a24h.translate10000
banz.stickman.runner.parkour10000
best.translate.tool10000
com.banzinc.littiefarm10000
com.bestcalculate.multifunction10000
com.folding.blocks.origami.mandala10000
com.goldencat.hillracing10000
com.hexa.puzzle.hexadom10000
com.ichinyan.fashion10000
com.maijor.cookingstar10000
com.major.zombie10000
com.mimochicho.fastdownloader10000
com.nyanrev.carstiny10000
com.pantanal.stickman.warrior10000
com.pdfreader.biscuit10000
com.splashio.mvm10000
com.yeyey.translate10000
leo.unblockcar.puzzle10000
mcmc.delicious.recipes10000
mcmc.delicious.recipes10000
multi.translate.threeinone10000
pro.infi.translator10000
rapid.snap.translate10000
smart.language.translate10000
sundaclouded.best.translate10000
biaz.jewel.block.puzzle20195000
biaz.magic.cuble.blast.puzzle5000
biscuitent.imgdownloader5000
biscuitent.instant.translate5000
com.besttranslate.biscuit5000
com.inunyan.breaktower5000
com.leo.spaceship5000
com.michimocho.video.downloader5000
fortuneteller.tarotreading.horo5000
ket.titan.block.flip5000
mcmc.ebook.reader5000
swift.jungle.translate5000
com.leopardus.happycooking1000
com.mcmccalculator.free1000
com.tapsmore.challenge1000
com.yummily.healthy.recipes1000
com.hexamaster.anim500
com.twmedia.downloader100
com.caracal.burningman50
com.cuvier.amazingkitchen50
bis.wego.translate0
com.arplanner.sketchplan0
com.arsketch.quickplan0
com.livetranslate.best0
com.lulquid.calculatepro0
com.smart.tools.pro0
com.titanyan.igsaver0
hvt.ros.digiv.weather.radar0
md.titan.translator0
scanner.ar.measure0
toolbox.artech.helpful0
toolkit.armeasure.translate0

This shows that attackers still finding ways to bypass the Google Play Store and infiltrate with malicious apps.

Before installing apps users are recommended to check the background of the application and its developer company reputation.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...

New Ransomware Attack Targets Elon Musk Supporters Using PowerShell to Deploy Payloads

A newly identified ransomware campaign has emerged, seemingly targeting supporters of Elon Musk through...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

VMware ESXi, Firefox, Red Hat Linux & SharePoint Hacked – Pwn2Own Day 2

Security researchers demonstrated their prowess on the second day of Pwn2Own Berlin 2025, discovering...

Critical WordPress Plugin Flaw Puts Over 10,000 Sites of Cyberattack

A serious security flaw affecting the Eventin plugin, a popular event management solution for...

Sophisticated NPM Attack Leverages Google Calendar2 for Advanced Communication

A startling discovery in the npm ecosystem has revealed a highly sophisticated malware campaign...