24 of these infected apps were targetted at kids, while the rest were utility apps such as calculators and translators. Some of these even had stellar ratings.
The malware called 'Tekya' had the goal of generating ad revenue. It replicated the actions of users to click ads and banners from Google's AdMob, Facebook, AppLovin', and Unity. For imitating the action of users, the malware used the Android 'MotionEvent' mechanism.
To avoid being detected by Google Play Protect, the Tekya malware obfuscated native code.
If you are interested in the technicalities, when an infected app is downloaded, a receiver is registered for various actions. These include getting permission for running code, determining when a device is being used, and running the code after a device restarts.
The main purpose is to load the native library in the libraries' folder within the .apk file.
Then, different functions are made to create and dispatch touch events.
The scammers cloned already popular legitimate apps to attract downloads. And as Check Point notes, the amount of apps targetted and the number of downloads is staggering.
The affected apps are no longer on the Google Play store
The goods news is that the infected apps have been taken off Google Play. As you might have guessed, they were only removed after Check Point alerted the company to the problem. The store has around 3 million apps, with nearly hundreds of additions daily. It is evident that Google alone can not be relied upon for keeping devices safe.
The incident also shows that it is relatively easier for scammers to target kids.
As mentioned before, the reason that the malicious behavior remained undetected was that the apps were written in native Android code. Since this code is implemented at a lower level and is not easy to decompile, getting to the source code is an uphill task.
Check Point advises that if you had any of the infected apps on your device, you should uninstall them, and install a security solution so that this doesn't happen again. Moreover, it's also recommended that you update the Operation System and Applications to the newest version.
Other than that, it is also a good idea to only download trusted apps from Play Store. Before downloading the apps, read as many reviews as you can, go through the developer details, and also see which permissions the app is asking for before initiating a download. Moreover, you should not sideload from other sources.
After all, even though the Tekya-infested apps have been removed from Google Play, chances are that more suspicious apps will find their way to the store in the future. And as we have seen, cybercriminals keep coming with new ways to game the security systems of app stores.
Thus, users need to stay on their guard if they want to keep their devices free from different kinds of malware.