Fifty-six apps in Google’s Play store included malicious software that leveraged victims’ devices to click on mobile advertisements, artificially inflating the traffic to those ads and helping scammers make money.
Research published Tuesday by the security firm Check Point Technologies details how fraudsters used the network of apps, which were downloaded more than 1 million times, to exploit users’ trust and make a buck. Unlike so many other ad fraud efforts, this campaign was tailored toward children, with 24 of the 56 apps marketed toward kids. Entertainment apps and games with titles like “Cooking Delicious” and “Let Me Go,” a puzzle app, tempted kids into downloading them and then launched the malicious tool.
The apps included “Tekya,” a so-called clicker malware that clicked banners and other ads from a variety of sources. Along with kids’ apps, Tekya also came embedded in cooking, calculator, translation and other utility apps. Google removed all of the apps by early March, researchers said.
“To us, the amount of applications targeted and the sheer number of downloads that the actor successfully infiltrated is staggering,” Aviran Hazum, Check Point’s manager of mobile research, said in a statement.
It was only the latest example of scammers exploiting the Play store’s wide reach to take advantage of a large number of victims. Google has hired mobile security firms to keep malicious apps out, though developers continue to use a range of tactics to slip past security checkpoints. Attackers sometimes encrypt the malicious functionality in their apps, making it more difficult to detect, or activate ads that violate Play store policies on a time delay.
In this case, developers cloned legitimate apps that were already popular to quickly gain an audience.
These findings come one month after Check Point uncovered another eight apps that appeared to be designed for kids, but actually enrolled victims in premium services without their consent. Those apps came embedded with another kind of malware, called Hacken, that allowed attackers to steal user data.
The profits from advertising fraud have proven to be irresistible for mobile scammers. Attackers have deployed countless apps that, instead of doing what they claim, covertly leverage affected devices to boost ad revenue, enroll victims in paid subscription services or otherwise aim to make money. In one case that perhaps best exemplifies the trend, a gaming app with some 50,000 downloads broadcast invasive ads on a user’s phone while also trying to collect their Google credentials.