Thursday, December 5, 2024
HomeAndroidTekya Clicker Malware Hides in 56 Apps that Downloaded 1 Million Times...

Tekya Clicker Malware Hides in 56 Apps that Downloaded 1 Million Times Worldwide From Google Play

Published on

SIEM as a Service

Google implements a number of ways to filter the malicious apps getting into the play store, but still, attackers continue to find ways to infiltrate the app store and infect user devices.

Security researchers from Check Point identified 56 malicious apps in play store that aimed to commit mobile fraud with new malware families dubbed ‘Tekya’.

Tekya Malware Play Store

The malware aims to steal user data such as credentials, emails, text messages, and geographical location.

- Advertisement - SIEM as a Service

The Tekya malware founded to be hidden with 56 apps that were downloaded more than 1 million times worldwide. Out of 56 apps, 24 of the infected apps targeting apps used by kids such as puzzles to racing games.

Researchers found that “Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android to imitate the user’s actions and generate clicks”.

MotionEvent is a mechanism in an Android device that used to report movements such as a mouse, pen, finger, trackball events.

With this campaign, attackers cloned the legitimate versions of the app and host fake versions with malware embedded.

Once this malware gets installed in the device, a receiver gets registered and multiple actions performed in the device.

The receiver “us.pyumo.TekyaReceiver” get’s registered to perform the following actions

BOOT_COMPLETED’ to allow code running at device startup (“cold” startup)
USER_PRESENT’ in order to detect when the user is actively using the device
QUICKBOOT_POWERON’ to allow code running after device restart

The main goal of the malware is to click on the ads banner from agencies such as Google’s AdMob, AppLovin, Facebook, and Unity.

Here you can find the full list of the infected apps

Package_nameGp Installs
caracal.raceinspace.astronaut100000
com.caracal.cooking100000
com.leo.letmego100000
com.caculator.biscuitent50000
com.pantanal.aquawar50000
com.pantanal.dressup50000
inferno.me.translator50000
translate.travel.map50000
travel.withu.translate50000
allday.a24h.translate10000
banz.stickman.runner.parkour10000
best.translate.tool10000
com.banzinc.littiefarm10000
com.bestcalculate.multifunction10000
com.folding.blocks.origami.mandala10000
com.goldencat.hillracing10000
com.hexa.puzzle.hexadom10000
com.ichinyan.fashion10000
com.maijor.cookingstar10000
com.major.zombie10000
com.mimochicho.fastdownloader10000
com.nyanrev.carstiny10000
com.pantanal.stickman.warrior10000
com.pdfreader.biscuit10000
com.splashio.mvm10000
com.yeyey.translate10000
leo.unblockcar.puzzle10000
mcmc.delicious.recipes10000
mcmc.delicious.recipes10000
multi.translate.threeinone10000
pro.infi.translator10000
rapid.snap.translate10000
smart.language.translate10000
sundaclouded.best.translate10000
biaz.jewel.block.puzzle20195000
biaz.magic.cuble.blast.puzzle5000
biscuitent.imgdownloader5000
biscuitent.instant.translate5000
com.besttranslate.biscuit5000
com.inunyan.breaktower5000
com.leo.spaceship5000
com.michimocho.video.downloader5000
fortuneteller.tarotreading.horo5000
ket.titan.block.flip5000
mcmc.ebook.reader5000
swift.jungle.translate5000
com.leopardus.happycooking1000
com.mcmccalculator.free1000
com.tapsmore.challenge1000
com.yummily.healthy.recipes1000
com.hexamaster.anim500
com.twmedia.downloader100
com.caracal.burningman50
com.cuvier.amazingkitchen50
bis.wego.translate0
com.arplanner.sketchplan0
com.arsketch.quickplan0
com.livetranslate.best0
com.lulquid.calculatepro0
com.smart.tools.pro0
com.titanyan.igsaver0
hvt.ros.digiv.weather.radar0
md.titan.translator0
scanner.ar.measure0
toolbox.artech.helpful0
toolkit.armeasure.translate0

This shows that attackers still finding ways to bypass the Google Play Store and infiltrate with malicious apps.

Before installing apps users are recommended to check the background of the application and its developer company reputation.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

HCL DevOps Deploy / Launch Vulnerability Let Embed arbitrary HTML tags

Recently identified by security researchers, a new vulnerability in HCL DevOps Deploy and HCL...

CISA Warns of Zyxel Firewalls, CyberPanel, North Grid, & ProjectSend Flaws Exploited in Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about several vulnerabilities being...

HackSynth : Autonomous Pentesting Framework For Simulating Cyberattacks

HackSynth is an autonomous penetration testing agent that leverages Large Language Models (LLMs) to...

Fuji Electric Indonesia Hit by Ransomware Attack

Fuji Electric Indonesia has fallen victim to a ransomware attack, impacting its operations and...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Deloitte UK Hacked – Brain Cipher Group Claim to Have Stolen 1 TB of Data

Brain Cipher has claimed to have breached Deloitte UK and exfiltrated over 1 terabyte...

Shut Down Phishing Attacks -Detection & Prevention Checklist

In today's interconnected world, where digital communication and transactions dominate, phishing attacks have become...

Why the MITRE ATT&CK Evaluation Is Essential for Security Leaders

In today’s dynamic threat landscape, security leaders are under constant pressure to make informed...