Tekya is a family of malware that generates fraudulent clicks on ads and banners delivered by agencies including Google’s AdMob, AppLovin, Facebook, and Unity. To give the clicks the air of authenticity, the well-obfuscated code causes infected devices to use Android’s “MotionEvent” mechanism to imitate legitimate user actions. At the time that researchers from security firm Check Point discovered them, the apps went undetected by VirusTotal and Google Play Protect. Twenty-four of the apps that contained Tekya were marketed to children. Google removed all 56 of the apps after Check Point reported them.

Additionally, security researchers from Dr.Web discovered an undisclosed number of Google Play apps with Android.Circle.1 malware. These apps were downloaded over 700,000 times. All reported apps have been removed by Google. If things work as intended, this process also involves the installation of malicious apps on user devices.
Google Play hosted malicious apps that got installed by 1.7 million users
Posted on Wednesday, March 25 2020 @ 11:13 CET by Thomas De Maesschalck