Google Play Store distributed malicious ad-fraud apps designed for kids


Tekya malware was downloaded almost 1 million times

Android apps for kids involved in ad fraud

Android apps for kids involved in ad fraud

Check Point security researchers found that Android applications designed for kids distributed malware dubbed Tekya.[1] More than 50 apps on the Google Play Store were discovered using a new trick to mimic users clicks on ads.[2] This malware imitated users’ actions to click commercial content from advertising networks like Google’s AdMob, AppLovin’, Facebook, and Unity without the persons’ knowledge. Experts also revealed that these malicious apps were downloaded almost 1 million times, researchers[3] say:

Twenty four of the infected apps were aimed at children (ranging from puzzles to racing games), with the rest being utility apps (such as cooking apps, calculators, downloaders, translators, and so on).

These 56 applications included the software that leveraged devices to click on mobile advertisements, so the traffic on those ads and commercial sites is inflated artificially – this is how scammers get to make money from pay-per-click techniques.[4] Applications with titles like Let Me Go and Cooking Delicious attracted kids to download them onto tablets and other mobile devices running Android OS, so the Tekya malware is launched without causing any additional symptoms or asking for special permissions.

Clicker malware simulates users’ actions 

Tekya Clicker was hidden in 24 mobile games for children and 32 utility applications, so scammer campaigns could be launched and generate money for criminals. Malware clicked on ads from various sources and embedded cooking, calculator, translation, and similar tools. Even though all applications were removed from the Google Play Store, almost a million downloads were made. 

Once the user installed the malicious application, malware registered a receiver – an Android component that gets invoked when a certain app or system event occurs. It happens when the user is actively using the mobile device, for example, when it restarts. This receiver detects such event and proceeds to load a native library libtekya.so that involves s sub-function which creates and launches touch events. Malware mimics a click via MotionEevent API that was used since last year, and this precise technique that was abused by Tekya Clicker.

Mobile malware and fraudulent ad campaigns on the rise

Advertising campaigns target various devices and people; scammers manage to get their goals achieved by relying on different techniques. Threat actors can plant malware-laced commercial content on user phones and embed malware in apps or online services to generate views, clicks and receive payouts. 

Google tries to protect users from potentially harmful applications, but even partnerships with cybersecurity firms and constant moderation cannot keep users completely secure all the time. Therefore, staying vigilant and employing extra security measures (such as anti-malware for Android) is extremely important when it comes to safety, especially when it comes to kids.

Researchers constantly report on instances when malicious apps act out in the background or even deliver malware.[5] Malicious operators managed to pull out some of these applications from the Google Play Store once they were indicated, and others were removed by Google. If you have any installed, delete them and scan the phone or tablet using AV app to make sure no PUPs were placed on the system without your knowledge.