Google has struggled for years to prevent malicious apps from sneaking into the Play Store, but a new round of takedowns highlights the challenge of managing the problem. In early March, Google removed 56 apps that looked benign but were tainted with adware. They had been downloaded more than a million times before.
While more than half of the apps claimed to be benign utilities like calculators, translation tools, or kitchen apps [common adware smugglers], 24 were specifically targeted at children. These eye-catching offerings, like puzzles and racing games, are a particularly pernicious way for attackers to sneak malware onto more victim devices. Researchers at security firm Check Point reported their findings about the apps to Google as part of an ongoing investigation into how hackers hide and distribute malware on Google Play, and they're releasing details about the adware today.
"Since parents tend to hand over their devices to their children for play, luring children to install malicious apps is a prominent attack vector for reaching adult devices," says Aviran Hazum, mobile research manager at Check Point. "Most children don't have the understanding to examine applications."
Adware has been a long-standing mobile threat, but attackers have become particularly aggressive about spreading it in recent months. Threat detection firm Malwarebytes discovered in an annual study that adware "reigned" in 2019 as the most common threat on Android, Mac and Windows PC devices. Earlier this month, antivirus firm Avast released findings that adware specifically accounted for 72 percent of all Android malware between October and December last year. And beyond Android, each platform seems to be struggling to reduce risk for users. Microsoft announced in late February, for example, that its Edge browser would start to specifically search for and block adware downloads by default.
The adware in the tainted applications was specifically designed to abuse Android's "MotionEvent" mechanism. Application developers use it to recognize touch input such as taps and multi-finger gestures and to gather information about them, such as their coordinates on the screen in two- and three-dimensional space. MotionEvent helps applications interpret these user inputs and respond accordingly. The adware, which Check Point calls Tekya, manipulated these inputs to simulate users tapping on ads.
The researchers observed that Tekya generated fake clicks to earn revenue from ad networks such as Facebook, Unity, AppLovin, and Google AdMob. Adware manipulates the ad ecosystem to make money for hackers by making it appear that an army of users has seen and interacted with the ads. Many of the 56 infected apps that Check Point identified were not just benign-looking utilities but clones of legitimate apps, meant to confuse users and increase the chance that they would accidentally download the malicious version, like a fake Stickman game and knockoff versions of Hexa Puzzle and Jewel Block Puzzle. The group also included a malicious PDF reader and a Burning Man-themed app.
Tekya hides its abusive functionality in a fundamental layer of the application. Known as "native code," this part of a software package is notoriously difficult to examine for malicious components.
Google confirmed to WIRED that it removed the apps earlier this month. The company has worked diligently to curb the entry of malicious apps into Google Play, carrying out large-scale coordinated takedowns and developing expanded detection tools to catch more bad apps during the Play Store review process. The company has even enlisted outside help in the fight against malicious applications.
Still, with over 3 million apps on Google Play and hundreds of new submissions every day, it remains a challenge for Google to spot everything. And as long as it is relatively easy for scammers to create and spread malicious applications, they will keep coming.