Google Play, Google's official Android app store, has again been caught hosting fraudulent and potentially malicious apps. More than 56 apps were discovered, many of them aimed at children, that had been installed on almost 1.7 million devices.
Tekya is a malware family that generates fraudulent clicks on ads and banners served by networks such as Google's AdMob, AppLovin, Facebook and Unity. To make the clicks look authentic, the heavily obfuscated code uses Android's "MotionEvent" mechanism on infected devices to imitate real user touch input. When researchers from the security firm Check Point discovered the apps, neither VirusTotal nor Google Play Protect detected them. Twenty-four of the apps that contained Tekya were marketed to children. Google removed all 56 apps after Check Point reported them.
The discovery "once again underlines that the Google Play Store can still host malicious apps," wrote Check Point researchers Israel Wernik, Danil Golubenko and Aviran Hazum in a post published on Tuesday. "Almost 3 million apps are available in the store. Hundreds of new apps are uploaded every day. This makes it difficult to check that every single app is safe. As a result, users cannot rely solely on Google Play security measures to ensure that their devices are protected."
To make detection of the malicious behavior harder, the apps were written in native Android code, usually in the programming languages C and C++. Android apps typically implement their logic in Java, whose runtime and libraries give developers convenient, high-level abstractions. Native code, in contrast, runs at a much lower level. Java bytecode can be easily decompiled (a process that converts binary files back into readable source code), whereas recovering readable source from native code is much more difficult.
After installation, the Tekya apps register a broadcast receiver that listens for several system broadcasts, including:
- BOOT_COMPLETED so that code can be executed when the device starts ("cold" start)
- USER_PRESENT to recognize when the user is actively using the device
- QUICKBOOT_POWERON so that code can be executed after the device is restarted
The receiver's sole purpose is to load the native library "libtekya.so" from the library folder inside each app's APK. The Check Point article contains considerably more technical detail on how the code works. Google representatives confirmed that the apps have been removed from Play.
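The receiver-plus-native-library pattern described above can be turned into a simple triage check for APKs. The following is an added example (not code from the article or from Check Point) that flags a decoded AndroidManifest.xml whose receivers listen for BOOT_COMPLETED, USER_PRESENT or QUICKBOOT_POWERON, and lists native libraries bundled under lib/ in the APK; it assumes the manifest has already been decoded to text XML (real APKs store it as binary XML, so run apktool or androguard first), and the sample package and receiver names are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Broadcast actions the article says the Tekya receiver listens for.
SUSPECT_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
    "android.intent.action.QUICKBOOT_POWERON",
}

def receivers_with_suspect_actions(manifest_xml):
    """Map receiver name -> sorted suspect actions it subscribes to (decoded text manifest)."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        actions = {a.get(ANDROID_NS + "name")
                   for f in receiver.findall("intent-filter")
                   for a in f.findall("action")}
        found = actions & SUSPECT_ACTIONS
        if found:
            hits[name] = sorted(found)
    return hits

def native_libraries(apk_bytes):
    """List native libraries (lib/<abi>/*.so) bundled in the APK zip."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.startswith("lib/") and n.endswith(".so"))

def triage(apk_bytes, manifest_xml):
    """Flag only when both signals co-occur: boot/unlock-triggered receiver AND native code."""
    hits = receivers_with_suspect_actions(manifest_xml)
    libs = native_libraries(apk_bytes)
    return {"receivers": hits, "native_libs": libs, "flag": bool(hits) and bool(libs)}

# Constructed sample manifest (hypothetical package and receiver names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzle"><application>
    <receiver android:name=".StartReceiver"><intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.QUICKBOOT_POWERON"/>
    </intent-filter></receiver></application></manifest>"""

def build_sample_apk():
    """Constructed in-memory APK-like zip carrying a placeholder native library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00")
        zf.writestr("lib/arm64-v8a/libtekya.so", b"\x7fELF")
    return buf.getvalue()
```

Many legitimate apps register for BOOT_COMPLETED, so a flag here is a reason to look closer at the native library, not a verdict.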
But wait . . . there is more
Separately, the anti-virus vendor Dr.Web reported on Tuesday that it had found an unspecified number of Google Play apps, downloaded more than 700,000 times in total, that contained malware known as Android.Circle.1. The malware used code based on the BeanShell scripting language and combined adware with click-fraud functionality. Dr.Web counted 18 modifications of the malware, which could also be used to carry out phishing attacks.
The Dr.Web publication did not name every app that contained Android.Circle.1. The few it did identify were Wallpaper Black – Dark Background, Horoskop 2020 – Zodiac Horoscope, Sweet Meet, Cartoon Camera and Bubble Shooter. Google has removed all of the apps reported by Dr.Web. The 56 apps discovered by Check Point are listed in Tuesday's Check Point post.
Android devices often uninstall apps automatically once they are classified as malicious, but this mechanism does not always work as intended, so readers may want to check their devices against the published lists to see whether they were affected. As always, readers should be selective about the apps they install. Google's scans undoubtedly catch a large share of the malicious apps submitted to Play, but a significant number of users continue to be infected by malware that slips past them.