Saturday, May 18, 2024

Tekya Clicker Malware Hides in 56 Apps that Downloaded 1 Million Times Worldwide From Google Play

Google implements a number of ways to filter the malicious apps getting into the play store, but still, attackers continue to find ways to infiltrate the app store and infect user devices.

Security researchers from Check Point identified 56 malicious apps in play store that aimed to commit mobile fraud with new malware families dubbed ‘Tekya’.

Tekya Malware Play Store

The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

The Tekya malware founded to be hidden with 56 apps that were downloaded more than 1 million times worldwide. Out of 56 apps, 24 of the infected apps targeting apps used by kids such as puzzles to racing games.

Researchers found that “Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android to imitate the user’s actions and generate clicks”.

MotionEvent is a mechanism in an Android device that used to report movements such as a mouse, pen, finger, trackball events.

With this campaign, attackers cloned the legitimate versions of the app and host fake versions with malware embedded.

Once this malware gets installed in the device, a receiver gets registered and multiple actions performed in the device.

The receiver “us.pyumo.TekyaReceiver” get’s registered to perform the following actions

BOOT_COMPLETED’ to allow code running at device startup (“cold” startup)
USER_PRESENT’ in order to detect when the user is actively using the device
QUICKBOOT_POWERON’ to allow code running after device restart

The main goal of the malware is to click on the ads banner from agencies such as Google’s AdMob, AppLovin, Facebook, and Unity.

Here you can find the full list of the infected apps

Package_nameGp Installs
caracal.raceinspace.astronaut100000
com.caracal.cooking100000
com.leo.letmego100000
com.caculator.biscuitent50000
com.pantanal.aquawar50000
com.pantanal.dressup50000
inferno.me.translator50000
translate.travel.map50000
travel.withu.translate50000
allday.a24h.translate10000
banz.stickman.runner.parkour10000
best.translate.tool10000
com.banzinc.littiefarm10000
com.bestcalculate.multifunction10000
com.folding.blocks.origami.mandala10000
com.goldencat.hillracing10000
com.hexa.puzzle.hexadom10000
com.ichinyan.fashion10000
com.maijor.cookingstar10000
com.major.zombie10000
com.mimochicho.fastdownloader10000
com.nyanrev.carstiny10000
com.pantanal.stickman.warrior10000
com.pdfreader.biscuit10000
com.splashio.mvm10000
com.yeyey.translate10000
leo.unblockcar.puzzle10000
mcmc.delicious.recipes10000
mcmc.delicious.recipes10000
multi.translate.threeinone10000
pro.infi.translator10000
rapid.snap.translate10000
smart.language.translate10000
sundaclouded.best.translate10000
biaz.jewel.block.puzzle20195000
biaz.magic.cuble.blast.puzzle5000
biscuitent.imgdownloader5000
biscuitent.instant.translate5000
com.besttranslate.biscuit5000
com.inunyan.breaktower5000
com.leo.spaceship5000
com.michimocho.video.downloader5000
fortuneteller.tarotreading.horo5000
ket.titan.block.flip5000
mcmc.ebook.reader5000
swift.jungle.translate5000
com.leopardus.happycooking1000
com.mcmccalculator.free1000
com.tapsmore.challenge1000
com.yummily.healthy.recipes1000
com.hexamaster.anim500
com.twmedia.downloader100
com.caracal.burningman50
com.cuvier.amazingkitchen50
bis.wego.translate0
com.arplanner.sketchplan0
com.arsketch.quickplan0
com.livetranslate.best0
com.lulquid.calculatepro0
com.smart.tools.pro0
com.titanyan.igsaver0
hvt.ros.digiv.weather.radar0
md.titan.translator0
scanner.ar.measure0
toolbox.artech.helpful0
toolkit.armeasure.translate0

This shows that attackers still finding ways to bypass the Google Play Store and infiltrate with malicious apps.

Before installing apps users are recommended to check the background of the application and its developer company reputation.

Website

Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles