Google Play Store Played Again – Tekya Clicker Hides in 24 Children’s Games and 32 Utility Apps
March 24, 2020
Research by Israel Wernik, Danil Golubenko , Aviran Hazum
Although Google has taken steps to secure its Play store and stop malicious activity, hackers are still finding ways to infiltrate the app store and access users’ devices. Millions of mobile phone users have unintentionally downloaded malicious apps that have the ability to compromise their data, credentials, emails, text messages, and geographical location. For example, in February 2020, the Haken malware family was installed in over 50,000 Android devices by eight different malicious apps, all of which initially appeared to be safe.
Recently, Check Point’s researchers identified a new malware family that was operating in 56 applications and downloaded almost 1 million times worldwide. With the goal of committing mobile ad fraud, the malware – dubbed ‘Tekya’ – imitates the user’s actions in order to click ads and banners from agencies like Google’s AdMob, AppLovin’, Facebook, and Unity.
Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on).
Overview
The Tekya malware obfuscates native code to avoid detection by Google Play Protect and utilizes the ‘MotionEvent’ mechanism in Android (introduced in 2019) to imitate the user’s actions and generate clicks.
During this research, the Tekya malware family went undetected by VirusTotal and Google Play Protect. Ultimately, it was available for download in 56 applications downloadable on Google Play.
This campaign cloned legitimate popular applications to gain an audience, mostly with children, as most application covers for the Tekya malware are children’s games. The good news is, these infected applications have all been removed from Google Play.
However, this highlights once again that the Google Play Store can still host malicious apps. There are nearly 3 million apps available from the store, with hundreds of new apps being uploaded daily – making it difficult to check that every single app is safe. Thus, users cannot rely on Google Play’s security measures alone to ensure their devices are protected.
The full list of infected apps is listed below.
Figure 1 – Google Play pages for some of the ‘Tekya’ applications
Technical Analysis
Upon installation of this application from Google Play, a receiver is registered (‘us.pyumo.TekyaReceiver’) for multiple actions:
- ‘BOOT_COMPLETED’ to allow code running at device startup (“cold” startup)
- ‘USER_PRESENT’ in order to detect when the user is actively using the device
- ‘QUICKBOOT_POWERON’ to allow code running after device restart
Figure 2 – TekyaReceiver registration
This receiver has one purpose — to load the native library ‘libtekya.so’ in the ‘libraries’ folder inside the .apk file.
Figure 3 – TekyaReceiver’s code
Inside the constructor for the ‘Tekya’ library, a list of “Validator” objects (that don’t validate anything) is created.
Figure 4 – Part of the ‘Tekya’ constructor
Inside each “Validator”, another method called runs an internal function from the native library ‘libtekya.so’.
In the case of the ‘AdmobValidator’, the function calls the ‘c’ function, which then runs the ‘z’ function, which in turn calls the ‘zzdtxq’ function from the native library.
Figure 5 – AdmobValidator’s overridden function and calling internal native function
Inside the ‘libtekya.so’ native library, this function, which is called from the “Validator”s, is responsible for multiple actions:
- calling ‘ffnrsv’ function – which is responsible for parsing the configuration file
- calling the ‘getWindow’ and ‘getDecorView’ to get the needed handles
- calling a sub-function, ‘sub_AB2C’ with the results of the functions above
Figure 6 – Tekya’s ‘zzdtxq’s native code
Lastly, the sub-function ‘sub_AB2C’ creates and dispatches touch events, imitating a click via the ‘MotionEvent’ mechanism
Figure 7 – VirusTotal output for ‘Tekya’ applications
How to protect yourself?
If you suspect you may have one of these infected apps on your device, here’s what you should do:
- Uninstall the infected application from the device
- Install a security solution to prevent future infections
- Update your device Operation System and Applications to the latest version
Furthermore, enterprises need to ensure their employees corporate devices can be secured against sophisticated mobile cyberattacks like Tekya or Haken (or any other malware) with SandBlast Mobile. To protect personal devices against attacks, Check Point offers ZoneAlarm Mobile Security.
Appendix 1 – IOC’s
| Package_name | Removed by Google/Developer | Gp Installs | Developer | C&C | sha256 |
| caracal.raceinspace.astronaut | 100000 | Caracal Entertainment | http://api.lulquid.xyz | f1d32c17a169574369088a87f2df9e56df2abeeeda0b7f4c826da5f4f69d11e4 | |
| com.caracal.cooking | 100000 | Caracal Entertainment | http://api.namekitchen9.xyz/api/subscription | 46e41ef7673e34ef72fb3a971859aed5baaea8ea4a193fc6e74fc9fcbe033d67 | |
| com.leo.letmego | 100000 | Leopardus Studio | http://api.leopardus.xyz/api/subscription | b21cb5ebfb692a2db1c5cbbc20e00d90a4e04ca1c2c3f7b25cb0bbc13b43f5eb | |
| com.caculator.biscuitent | 50000 | Biscuit Ent | http://api.lulquid.xyz | 734418efafd312e9b3e96adaac6f86cc1a4565f69baf831945788399bc9d1c5f | |
| com.pantanal.aquawar | 50000 | Pantanal Entertainment | http://api.pantanal.xyz | 8fec77c47421222cc754b32c60794e54409a55ac5a002b300b5b35c4718fd0b0 | |
| com.pantanal.dressup | 50000 | Pantanal Entertainment | http://api.pantanal.xyz | 64e2c905bcef400e861469e114bf4eaf2b00b11c4d002f902b8d02c4074efb22 | |
| inferno.me.translator | 50000 | World TravelX | http://api.molatecta.icu | ebe3546208fd32d3f6a9e5daf21a724089febb1f61978bfd51f0edb520ae4348 | |
| translate.travel.map | 50000 | Lynx StudioX | http://api.nhudomainuong.xyz | f805e128b9d686170f51b1add35e45ea939d166b5ada4b6e900511518655f243 | |
| travel.withu.translate | 50000 | World TravelX | http://api.molatecta.icu | b7670b5d9a6643a54b800b4cb344f43b7826b2504cab949a96dd42e8c3fc5bc5 | |
| allday.a24h.translate | Developer | 10000 | Royal Chow Studio | http://api.royalchowstudio.xyz | 29f2fd6ccf0f632e45dd1f15ec72985cfab56b0b4a07cb0b11b6011d1f7ebe32 |
| banz.stickman.runner.parkour | 10000 | Biaz Inc | http://api.lulquid.xyz/api/subscription | e1027b6681e93d9763f19ea7e5ab2522362ebc27e29863e11822ca1e3b203fae | |
| best.translate.tool | 10000 | Megapelagios | http://api.megapelagios.site | 043e15b8b9799723649141f60f68cfad8d2d4fabc0a348d0087118c7b5047020 | |
| com.banzinc.littiefarm | 10000 | Biaz Inc | http://api.banzinc.xyz | 5fab614ff6510b20a9579de940b88810d0c6fec220e202feef221d7d5c7aba3e | |
| com.bestcalculate.multifunction | 10000 | Titanyan Entertainment | http://api.lulquid.xyz | 7b2670f7c8550aafcfbdb279446648073a9d099499c863a1380518b8edab435f | |
| com.folding.blocks.origami.mandala | 10000 | Slardar Studio | http://app.slardar.icu/api/subscription | 2d6df88bd0ad7d442b731e5755df55be2febb0d57118b9b01edeabd5c5db4439 | |
| com.goldencat.hillracing | Developer | 10000 | Golden Cat | 94e256a3ce62564e1e61b612375c6be4d90c99849edcadfe05bf13863a1029e3 | |
| com.hexa.puzzle.hexadom | 10000 | MajorStudioX | http://api.chauxincaidomainnua.icu | 3eeae3f56011aa7b858d38fc7f60a580d3b90bdfe194a7d6ad67bea1680002c2 | |
| com.ichinyan.fashion | 10000 | Titanyan Entertainment | f4b3143ec3091bc07cfb443efb6b076becad719438aeaf58cf1da65136aab74a | ||
| com.maijor.cookingstar | 10000 | MajorStudioX | 57260286c49599a9b65851888b8f30ffe497c1f013bc6d760943789cbceb16fe | ||
| com.major.zombie | 10000 | MajorStudioX | ffb5d8d7e8bc16c8664fb67a680e3aa2b7f4dae4f50e7bce9352edd51ff3e4fc | ||
| com.mimochicho.fastdownloader | 10000 | MochiMicho | 41d8d9c910511a914b584f4a40cd12042abc69a83b8d70e92f66c870e6b34c45 | ||
| com.nyanrev.carstiny | 10000 | Titanyan Entertainment | |||
| com.pantanal.stickman.warrior | 10000 | Pantanal Entertainment | http://api.pantanal.xyz/api/subscription | 45527951a533674be836f9efbc40ba207b6abac36bd05b065af79e4f2aa696cd | |
| com.pdfreader.biscuit | 10000 | Biscuit Ent | 215ff546710b96c69130cfef9b4d719a9866ceffd3c9cc2ba113e731a23309a6 | ||
| com.splashio.mvm | 10000 | Biscuit Ent | 74d7a572aa84b5deeed7fedf9eb1873a4bb38c4acd7a9c93992b61b07dcc7cdd | ||
| com.yeyey.translate | 10000 | World TravelX | 967f136cb2824e8c49b3bde8e910ac7a93a64339a3e2a060a15fb745b1211487 | ||
| leo.unblockcar.puzzle | 10000 | Biaz Inc | 9ee67b541335b88b6649afe184ba75cac084e20bbc465d998bac05cc85d59cff | ||
| mcmc.delicious.recipes | 10000 | MochiMicho | 6de03bf38e462fc9205e2a7cb49b7ed48d52bf84ec4f3aebdd84e31374832042 | ||
| mcmc.delicious.recipes | 10000 | MochiMicho | f33f5d7fd3909380582d821394c59dc78aa06113932143662d69733542ad571b | ||
| multi.translate.threeinone | 10000 | White Whale Studio | 72f924b6c597a5eb68e4c35843ad6b3ffa7b71396abb2a4c8dafd39b9832a4c4 | ||
| pro.infi.translator | 10000 | World TravelX | 5d1ec6427f7f6fe49ac95687257818ef0a0890159cc14a9e866ddeabd1c2568b | ||
| rapid.snap.translate | Developer | 10000 | Royal Chow Studio | http://api.royalchowstudio.xyz | 0045e2dc65a236fa05b18cbef767715cca4720ec3d3c8fb522264b8339669527 |
| smart.language.translate | 10000 | Megapelagios | 44b99da080701c14dd833f9f6c8f2fbc260299448dd5db701fc5b9e625db2556 | ||
| sundaclouded.best.translate | 10000 | Sunda Clouded | 30c9278c4907cf8fd13cbfa4bdbd47db8cce594871e08867a1f4282833e31e48 | ||
| biaz.jewel.block.puzzle2019 | 5000 | Biaz Inc | 93ce6082a22a56ae98c6381572d25356b00f65256d71f188687bdae03cff0ab4 | ||
| biaz.magic.cuble.blast.puzzle | 5000 | Biaz Inc | c75c5720befc162671f270b12891799cd4d9fd6f8d6ac0d586ef4109db6a6417 | ||
| biscuitent.imgdownloader | 5000 | Biscuit Ent | 3c943adc94489cc6c75bd5b6354c0af0f75f9d5710379e8cda02370352570156 | ||
| biscuitent.instant.translate | 5000 | Biscuit Ent | ce0161ca7702713251e21497ab2105fa4bf07e4f58f4622b64c4cbf2d86dd2fb | ||
| com.besttranslate.biscuit | 5000 | Biscuit Ent | 0c3aa1e07366fe37a693bae4833ce713de6eab2874a480f054c8442589ba71e0 | ||
| com.inunyan.breaktower | 5000 | Titanyan Entertainment | a0ca0dfd9f0fc59b2f6f13ede6eb1585f5185431926beaae9d87d147fc7de445 | ||
| com.leo.spaceship | 5000 | Leopardus Studio | http://api.leopardus.xyz | 31f7d64db00a1c3e93f8fa09d623df385d3d5a096f5abc6d00900f643239f073 | |
| com.michimocho.video.downloader | 5000 | MochiMicho | 3aadee8c06edb4e3dddd4477943812dd08a922d50d2e4fa816a3a7a72db72768 | ||
| fortuneteller.tarotreading.horo | Developer | 5000 | Sunda Clouded | http://api.sundaclouded.host | 9475507507a46e377a05f2667b2551649d8ab9ccc4f8fa8c31abf1b34aaf0ea5 |
| ket.titan.block.flip | 5000 | Titanyan Entertainment | a6d7cb20d11557199ca8ceabff7c489743678c0851317f237f5e581dcb201782 | ||
| mcmc.ebook.reader | 5000 | MochiMicho | c18d820fef9f2e01c7e73e8576a931d74f6630554a95f04a3ef01ce5bcf6b816 | ||
| swift.jungle.translate | 5000 | White Whale Studio | http://api.whitewhalestudio.host | a78bb13218c7f528d62df3b71e2033ec618f933f0f046e6f332e8ef6bac4559f | |
| com.leopardus.happycooking | 1000 | Leopardus Studio | 027385e60d35229a2c4357484b55485058804f09369305fe6ad69f0b30ff3076 | ||
| com.mcmccalculator.free | 1000 | MochiMicho | 3f537802dc5275e50c8e41ac464431731d01726b59538649453518f0619ac7bc | ||
| com.tapsmore.challenge | 1000 | Biscuit Ent | 48135e74fe912dbaff83989ca85894826afcd98ea80dde61793d72c11073dddd | ||
| com.yummily.healthy.recipes | 1000 | MochiMicho | 5a9ddb23df77fc305ffb66d2bf6570a3f7789846f17541eb7dfea40899724018 | ||
| com.hexamaster.anim | 500 | Leopardus Studio | faad1e3ea694e15f8817387d3409c5cad871c5953e2ef57df0573719f4fe20ee | ||
| com.twmedia.downloader | 100 | MochiMicho | 5a87a8e648af47368c2cfd0fc2b4b75f04ddff76ab9266d2b3fa1ff928b31857 | ||
| com.caracal.burningman | 50 | Caracal Entertainment | bee86d3b154aed3ca7665ea5d7d6c2fc49e8454126e39b9887604cbb5f5a0474 | ||
| com.cuvier.amazingkitchen | 50 | MajorStudioX | a08253d1a857354c3f21238012b2e2db6036f64eff1d20978ff820f985afdb84 | ||
| bis.wego.translate | 0 | 3767f7dd5cadf7b725dbbbf70a0e9ae61addf59a17a3c6ea91399461a4f8e702 | |||
| com.arplanner.sketchplan | 0 | http://api.maygaiproduct.icu/api/subscription | 81947007337ed148665ae7ec6af26db36a9d9694fbdf8a4f41255dc0052a6b38 | ||
| com.arsketch.quickplan | 0 | http://waws-prod-dm1-033.cloudapp.net/api/subscription | 38edf2876f545329fd0694af182e431afb49fabc08439162567743b35daa02f2 | ||
| com.livetranslate.best | 0 | MochiMicho | 54361b941969577d83491a4f4b01cffb65399fa5c427575e7b45681cbf260997 | ||
| com.lulquid.calculatepro | 0 | 1c5ea6523bca5c85febde29f49e92fdbfbadd80078ef42d1e1efa800a008e072 | |||
| com.smart.tools.pro | 0 | 6fcfd045ca7dda7bb98eb912d554bb0bebcb0ebfacb5f26cbf09d6e9aa4bfb33 | |||
| com.titanyan.igsaver | 0 | 34b6a6fcf84883a2f3ec52531cdd1b84e21b41b7d146169fa04f07ca179095f3 | |||
| hvt.ros.digiv.weather.radar | 0 | http://api.mantaalfredi.icu | 22e4e534279ffa86ad5d543c71b4a678700758d0f8958c6dd1529807fd24c84a | ||
| md.titan.translator | 0 | fea92e6b30899b1d2733bb28758635edbf3916e1b8acd6b8b163d19bb33f4141 | |||
| scanner.ar.measure | 0 | http://api.felinae.icu | 1f864b9251eeff470529364fd48ad7d3e8a6a520f2088f6552aefcf53f4dfacd | ||
| toolbox.artech.helpful | 0 | http://api.kaluga.xyz/api/subscription | 2ff57056dd17b8a43d46f342a440d3f04eb59f27074a39f6e47f3d70c03393ff | ||
| toolkit.armeasure.translate | 0 | http://api.somniosus.xyz | 3eb62e52f0b361d60436bec366cfad64e180d9a4acb5f573476c32b11e1ee541 |
POPULAR POSTS
- Artificial Intelligence
- ChatGPT
- Check Point Research Publications
- Check Point Research Publications
- Threat Research
- Artificial Intelligence
- ChatGPT
- Check Point Research Publications
BLOGS AND PUBLICATIONS
- Check Point Research Publications
- Global Cyber Attack Reports
- Threat Research
February 17, 2020
“The Turkish Rat” Evolved Adwind in a Massive Ongoing Phishing Campaign
- Check Point Research Publications
August 11, 2017
“The Next WannaCry” Vulnerability is Here
- Check Point Research Publications
January 11, 2018