Around 50 Android apps designed for kids in the Google Play Store were found to be using a new trick to secretly click on ads without users' knowledge. These apps were downloaded more than 1 million times.
The malware, dubbed “Tekya,” imitated users’ actions to click ads from advertising networks such as Google’s AdMob, AppLovin, Facebook, and Unity.
The fraud was revealed by the cybersecurity firm Check Point Research, which stated that twenty-four of the infected apps were targeted at children and the remaining were utility apps such as cooking apps, calculators, and translators.
All the apps in question were removed from Google Play.
The malware campaign copied legitimate apps to gain an audience, and the newly discovered 56 apps bypassed Google Play Store protections by obfuscating their native code and relying on Android’s MotionEvent API to simulate user clicks.
Once an unwitting user installs one of the malicious apps, the Tekya malware registers a receiver, an Android component that is invoked when a certain system or application event occurs, such as a device restart or when the user is actively using the phone.
On detecting these events, the receiver loads a native library named “libtekya.so” that includes a sub-function called “sub_AB2C,” which creates and dispatches touch events, thereby mimicking a click via the MotionEvent API.
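The pattern described above (a receiver tied to restart or user-activity events, shipped alongside native code) can be turned into a static triage check. The following is an added example, not code from Check Point or from the apps: it assumes the two triggers correspond to the standard `BOOT_COMPLETED` and `USER_PRESENT` broadcast actions, works on a decoded plain-text manifest plus an APK file listing, and uses constructed sample input. A match is a reason to review the app, not a verdict, since many legitimate apps combine these features.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: the article's "device restart" and "user is actively using the
# phone" triggers map to these standard Android broadcast actions.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.intent.action.USER_PRESENT",
}

def trigger_receivers(manifest_xml):
    """Map each manifest-declared receiver to the trigger actions it listens for."""
    hits = {}
    for receiver in ET.fromstring(manifest_xml).iter("receiver"):
        actions = {a.get(ANDROID_NS + "name")
                   for a in receiver.iterfind("intent-filter/action")}
        matched = sorted(actions & TRIGGER_ACTIONS)
        if matched:
            hits[receiver.get(ANDROID_NS + "name")] = matched
    return hits

def native_libraries(apk_paths):
    """Return the .so files packaged under lib/<abi>/ in an APK file listing."""
    return sorted(p for p in apk_paths if p.startswith("lib/") and p.endswith(".so"))

def triage(manifest_xml, apk_paths):
    """Flag apps that pair an event-triggered receiver with native code."""
    receivers = trigger_receivers(manifest_xml)
    libs = native_libraries(apk_paths)
    return {"receivers": receivers, "native_libs": libs,
            "needs_review": bool(receivers and libs)}

# Constructed sample input (not taken from a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name=".EventReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".WidgetProvider">
      <intent-filter><action android:name="android.appwidget.action.APPWIDGET_UPDATE"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
SAMPLE_PATHS = ["classes.dex", "lib/armeabi-v7a/libtekya.so", "res/layout/main.xml"]

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_PATHS))
```

Receivers registered at runtime in code do not appear in the manifest, so a clean result here does not rule the behavior out.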
Mobile ad fraud takes various forms, including threat actors planting malware-laced ads on user phones or embedding malware in apps and online services to fraudulently generate clicks and receive payouts from advertising networks.
According to a 2019 analysis by the mobile security vendor Upstream, the favorite apps for hiding ad-fraud malware are those that claim to improve productivity or device functionality. Other apps that attackers frequently use to hide malware are gaming, entertainment, and shopping apps.
Google has been trying to stop rogue Android apps from infiltrating the Google Play Store. It uses Google Play Protect to screen potentially harmful applications and has also built an “App Defense Alliance” together with cybersecurity firms ESET, Lookout and Zimperium to reduce the risk of app-based malware.
To protect yourself from such threats, it is highly recommended that you download apps only from the Play Store and avoid sideloading from other sources. It is also important to study the reviews, developer details, and the list of permissions required before installing any app.