The Google Play Store has found itself in yet another malicious app scandal. This time, researchers have found a new malware nesting in several apps available on the marketplace.
Researchers from cybersecurity firm Check Point revealed in a recent blog post that they conducted an extensive search across the Play Store that yielded the discovery of several malicious apps. The post explained that most of these apps targeted children, adding that they could have infected as many as 1.7 million Android devices globally.
Tekya: Native Android Code with Antivirus Evasion
According to Check Point, all these apps were infected with Tekya— a malware that successfully evades Google Play Protect and other security measures put in place in the Play Store. The malware was found on 32 utility apps and 24 children’s games. Once a Tekya-infested app is downloaded, it commits ads fraud by leveraging Android’s MotionEvent actions, which record users’ movement with a finger or stylus across their screen to generate fake clicks.
Check Point further explained that most of the apps were written in native Android code — especially C and C++ languages — as opposed to having the usual Java underlying code. With these languages, app manufacturers can launch their apps on the Play Store without the appropriate levels of scrutiny and effectively avoid detection when they publish.
Google Constantly Roped into Malicious App Scandals
Google has found itself mired in several malicious app scandals so far; it seems almost routine for the firm. Earlier this year, Check Point confirmed that they had found two malware types — Haken and Joker — on several apps across the Play Store.
Check Point’s researchers had revealed that the malware duo was evolving in response to Google’s security checks and policies.
Over the past few months, the Joker malware has appeared in a number of mobile apps on the Play Store. The Joker is a master at billing fraud. Once a Joker-infested app is installed, the user’s account would be used to pay for premium services without authorization. It does this through a combination of SMS receivers and custom HTML parsers.
As Check Point’s researchers explained, merely removing the malicious app won’t cancel the fraudulent subscription. Instead, the victim has to reach out to the service provider and ask for a cancellation.
As for Hacken, the malware mimics the user and generates clicks on ads. Check Point pointed out that the malware had infected eight apps on Play Store, with more than 50,000 downloads already.