Tekya Clicker Malware

Google implements a number of ways to filter the malicious apps getting into the play store, but still, attackers continue to find ways to infiltrate the app store and infect user devices.

Security researchers from Check Point identified 56 malicious apps in play store that aimed to commit mobile fraud with new malware families dubbed ‘Tekya’.

Tekya Malware Play Store

The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

The Tekya malware founded to be hidden with 56 apps that were downloaded more than 1 million times worldwide. Out of 56 apps, 24 of the infected apps targeting apps used by kids such as puzzles to racing games.

Researchers found that “Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android to imitate the user’s actions and generate clicks”.

MotionEvent is a mechanism in an Android device that used to report movements such as a mouse, pen, finger, trackball events.

With this campaign, attackers cloned the legitimate versions of the app and host fake versions with malware embedded.

Once this malware gets installed in the device, a receiver gets registered and multiple actions performed in the device.

The receiver “us.pyumo.TekyaReceiver” get’s registered to perform the following actions

BOOT_COMPLETED’ to allow code running at device startup (“cold” startup)
USER_PRESENT’ in order to detect when the user is actively using the device
QUICKBOOT_POWERON’ to allow code running after device restart

The main goal of the malware is to click on the ads banner from agencies such as Google’s AdMob, AppLovin, Facebook, and Unity.

Here you can find the full list of the infected apps

Package_nameGp Installs
caracal.raceinspace.astronaut100000
com.caracal.cooking100000
com.leo.letmego100000
com.caculator.biscuitent50000
com.pantanal.aquawar50000
com.pantanal.dressup50000
inferno.me.translator50000
translate.travel.map50000
travel.withu.translate50000
allday.a24h.translate10000
banz.stickman.runner.parkour10000
best.translate.tool10000
com.banzinc.littiefarm10000
com.bestcalculate.multifunction10000
com.folding.blocks.origami.mandala10000
com.goldencat.hillracing10000
com.hexa.puzzle.hexadom10000
com.ichinyan.fashion10000
com.maijor.cookingstar10000
com.major.zombie10000
com.mimochicho.fastdownloader10000
com.nyanrev.carstiny10000
com.pantanal.stickman.warrior10000
com.pdfreader.biscuit10000
com.splashio.mvm10000
com.yeyey.translate10000
leo.unblockcar.puzzle10000
mcmc.delicious.recipes10000
mcmc.delicious.recipes10000
multi.translate.threeinone10000
pro.infi.translator10000
rapid.snap.translate10000
smart.language.translate10000
sundaclouded.best.translate10000
biaz.jewel.block.puzzle20195000
biaz.magic.cuble.blast.puzzle5000
biscuitent.imgdownloader5000
biscuitent.instant.translate5000
com.besttranslate.biscuit5000
com.inunyan.breaktower5000
com.leo.spaceship5000
com.michimocho.video.downloader5000
fortuneteller.tarotreading.horo5000
ket.titan.block.flip5000
mcmc.ebook.reader5000
swift.jungle.translate5000
com.leopardus.happycooking1000
com.mcmccalculator.free1000
com.tapsmore.challenge1000
com.yummily.healthy.recipes1000
com.hexamaster.anim500
com.twmedia.downloader100
com.caracal.burningman50
com.cuvier.amazingkitchen50
bis.wego.translate0
com.arplanner.sketchplan0
com.arsketch.quickplan0
com.livetranslate.best0
com.lulquid.calculatepro0
com.smart.tools.pro0
com.titanyan.igsaver0
hvt.ros.digiv.weather.radar0
md.titan.translator0
scanner.ar.measure0
toolbox.artech.helpful0
toolkit.armeasure.translate0

This shows that attackers still finding ways to bypass the Google Play Store and infiltrate with malicious apps.

Before installing apps users are recommended to check the background of the application and its developer company reputation.

Leave a Reply