Every day there are new threats associated with online fraud, and they are becoming increasingly difficult to recognize despite very advanced security algorithms. According to Check Point, more than 50,000 devices running on Android were infected with Haken malware in February this year. Haken used 8 different, seemingly secure applications. Less than 4 months later we are dealing with a new fraud called Tekya, with a much wider range of activity.
What is Tekya and how was it detected?
Check Point Research is a research team that analyzes cyberattack data stored in ThreatCloud to stop fraudsters and, at the same time, provide its clients with the most up-to-date protection. Reports and publications made available by Check Point Research reveal new cyber threats and help provide protection. This was the case here - researchers working on the Check Point Research project discovered a new family of malware called Tekya. It infected 56 applications that were downloaded almost a million times worldwide.
How did Tekya get into the application?
The applications came from many different developers, which supports the theory that the programs themselves weren't a threat at first. The malicious code was probably added to them later and activated only after the application was downloaded, which allowed it to bypass the protective algorithms (during tests Tekya wasn't detected by VirusTotal or Google Play Protect).
The Tekya malware was hidden in just a few lines of code in a software development kit (SDK) commonly used by application developers around the world, so it could easily be overlooked. In addition, Tekya obfuscated its native code, which also helped it avoid detection.
How does Tekya work?
After the infected application is installed, a receiver is registered on the device. It has only one goal - to load the native library ("libtekya.so") kept in the "libraries" folder of the .apk file. This allows the malware to run in the background while the user is active and to log their interactions with the device, such as touches, pinches, drags and other gestures. Special functions then create and trigger touch events that imitate a click - Tekya uses Google's own MotionEvent mechanism (introduced in Android in 2019) to hide the fact that the action is performed automatically. As a result, the malware can click on in-app ads and earn money for them from unsuspecting advertisers. Simply put, Tekya copies users' actions by pretending to click on the ads.
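Because the clicks Tekya generates come from synthetic touch events rather than a person, they tend to look inhumanly regular in the advertiser's click logs: the same screen coordinates every time and near-constant intervals between clicks. The script below is an added example (not part of the original article or of Check Point's research) showing how a defender could flag such devices from click logs; the log format, thresholds and device names are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log: one line per ad click reported by an in-app ad SDK.
# Device d1 clicks the same pixel every 30 s; d2 shows ordinary human variation.
SAMPLE_LOG = """\
2020-03-24T10:00:00Z device=d1 ad=banner x=540 y=1720
2020-03-24T10:00:30Z device=d1 ad=banner x=540 y=1720
2020-03-24T10:01:00Z device=d1 ad=banner x=540 y=1720
2020-03-24T10:01:30Z device=d1 ad=banner x=540 y=1720
2020-03-24T10:02:00Z device=d1 ad=banner x=540 y=1720
2020-03-24T10:00:07Z device=d2 ad=banner x=512 y=1690
2020-03-24T10:03:41Z device=d2 ad=banner x=566 y=1733
2020-03-24T10:19:12Z device=d2 ad=banner x=530 y=1710
2020-03-24T11:02:55Z device=d2 ad=banner x=549 y=1702
"""

LINE_RE = re.compile(r"^(\S+) device=(\S+) ad=(\S+) x=(\d+) y=(\d+)$")


def parse_clicks(log):
    """Group click events per device as (timestamp, x, y) tuples."""
    clicks = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        ts = ts.replace(tzinfo=timezone.utc)
        clicks[m.group(2)].append((ts, int(m.group(4)), int(m.group(5))))
    return clicks


def device_features(events):
    """Regularity features: interval coefficient of variation and distinct click points."""
    events = sorted(events)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    cv = pstdev(gaps) / mean(gaps) if len(gaps) > 1 and mean(gaps) > 0 else None
    distinct = len({(x, y) for _, x, y in events})
    return {"clicks": len(events), "interval_cv": cv, "distinct_points": distinct}


def flag_synthetic(clicks, min_clicks=5, max_cv=0.05, max_points=1):
    """Return devices whose click timing and coordinates are too uniform to be human."""
    flagged = {}
    for device, events in clicks.items():
        f = device_features(events)
        if (f["clicks"] >= min_clicks and f["interval_cv"] is not None
                and f["interval_cv"] <= max_cv and f["distinct_points"] <= max_points):
            flagged[device] = f
    return flagged
```

Real traffic needs tuned thresholds and more signals (session length, install-to-click time, conversion rate), but the same grouping-and-regularity approach is the basis for catching click fraud of this kind.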
In what applications did Tekya hide?
The Tekya malware was found in 56 Android applications that could be downloaded from Google Play. A significant part of them were games and puzzles aimed at children (24 games for children), along with several games for adults and various utility applications such as calculators and translation apps.
The most known applications infected by Tekya are:
Race in Space (downloaded over 100,000 times)
Let me Go (downloaded over 100,000 times)
Cooking Delicious (downloaded over 100,000 times)
Aqua War (downloaded over 50,000 times)
Dress Up (downloaded over 50,000 times)
Scientific Calculator (downloaded over 50,000 times)
ITranslator (downloaded over 50,000 times)
Transvel (downloaded over 50,000 times)
uTrans (downloaded over 50,000 times)
Of course, all infected applications have been removed from Google Play.
What were the consequences of Tekya?
The Tekya scam is another online fraud involving the generation of artificial clicks, and the advertisers using in-app advertising platforms such as Google AdMob, AppLovin, Facebook and Unity suffered the most from it. They probably had to pay for the clicks generated by Tekya, and this certainly didn't translate into more conversions and sales.
When it comes to users of infected devices, the malware's activity shouldn't have had a big impact on them (apart from the fact that their equipment was used in the deception and that someone was copying their activities), although they may have noticed higher energy consumption in some applications.
Tekya is further proof that fraudsters can relatively easily earn profits from advertising fraud, especially under billing models where the advertiser pays for a click on or a view of an ad. Every company that uses the internet for marketing purposes must be aware that there are many online scams related to clicks and that new ones are constantly emerging - hundreds of new applications reach Google Play every day, which makes it impossible to check whether each of them is secure. To make sure their company is protected, entrepreneurs should invest in more professional protection, such as the one we offer at TrafficWatchdog.