ra2 studio - stock.adobe.com

Tekya auto-clicker malware exploits kids’ Android apps

Google has removed multiple apps for children that were found to contain Tekya auto-clicker malware

Over 50 Android applications, 26 of them targeted at children, with over a million downloads between them, have been removed from the Google Play Store, after security researchers at Check Point found them to contain an auto-clicker malware dubbed Tekya.

Tekya generates money for cyber criminals by committing mobile ad fraud by pretending to be a user clicking on legitimate ads and banners sourced from legitimate online ad agencies, including Google’s AdMbo, AppLovin’, Facebook and Unity. It does this by exploiting Android’s MotionEvent input movement (i.e. touch) reporting mechanism to imitate a human user clicking on an ad.

The malware was able to avoid detection and infiltrate the Google Play Store by obfuscating its malicious intentions in native code configured to run only on Android processors – this means that Google’s security system, Google Play Protect, was unable to spot it, and nor was Google’s VirusTotal service.

The cloned, infected apps uncovered by Check Point ranged from puzzles to racing games, as well as utility applications such as cookery apps, calculators and translators.

“To us, the amount of applications targeted and the sheer number of downloads that the actor successfully infiltrated into Google Play is staggering,” said Aviran Hazum, Check Point’s manager of mobile research.

“Combine that with a relatively simple infection methodology, it all sums up to the learning that Google Play Store can still host malicious apps,” he said. “It is difficult to check if every single application is safe on the Play Store, so users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”

The team who uncovered Tekya, which besides Hazum included threat researchers Danil Golubenko and Israel Wernik, disclosed their findings to Google, which removed the malicious apps in early March 2020.

Read more about security for Android

Nevertheless, with over a million collective downloads, a great many users will have been compromised. If you suspect you or your child has downloaded one of the infected apps – which are listed in full on the team’s disclosure blog – you should uninstall it from your device immediately, check that your security patches are completely up to date, and consider using a mobile security service to spot and prevent future infections.

With children across the UK now confined to their homes during the Covid-19 coronavirus crisis, leading to increased device usage across the board, parents should take additional steps to monitor and secure any devices being used by their children.

With schools left unable to bear any responsibility for educating children about online harms and malicious apps, security awareness and training organisation the Sans Institute has issued guidance on how to secure children’s activity online. The guidance – along with other advice on secure remote working – can be read and downloaded here.

With malicious apps still sneaking into the Google Play Store with alarming regularity, and almost three million apps now available, keeping on top of the threat is an impossible task for any one person to do.

As previous disclosures by Check Point have shown, Google’s own internal security protections are still repeatedly missing the mark, despite a number of recent improvements.

Check Point warned that “users cannot rely on Google Play’s security measures alone to ensure their devices are protected”.

Read more on Web application security