Check Point, a cybersecurity firm, recently reported previously undetected malware that was present in a total of 56 applications on the Play Store, 24 of which were focused on children. The malware, dubbed Tekya, imitates user actions to serve ads from networks such as Google’s AdMob, AppLovin, Facebook, and Unity.
The code takes advantage of Android’s MotionEvent actions that report user movement events. As a result, it can generate clicks that cannot be differentiated from the movement of a pen or finger across the screen.
According to Check Point, the code is embedded in the application’s native code, which is why it could easily bypass Play Store’s security protocols. Even though the applications were removed after Check Point notified Google, they were collectively downloaded over a million times.
Aviran Hazum, Manager of Mobile Research at Check Point, used this event to explain how Google’s efforts to remove malicious apps are in vain. He said:
“To us, the amount of applications targeted and the sheer number of downloads that the actor successfully infiltrated into Google Play is staggering. Combine that with a relatively simple infection methodology, it all sums up to the learning that Google Play Store can still host malicious apps. It is difficult to check if every single application is safe on the Play Store, so users cannot rely on Google Play’s security measures alone to ensure their devices are protected.”
In its February blog post, Google detailed that it removed over 790,000 suspicious apps before they were updated to the Play Store. Nevertheless, the platform often fails to detect malware-laden apps.