By Ford Qin (Mobile Threats Analyst)
In late March, researchers from Check Point found the Tekya malware family, which was being used to carry out ad fraud, on Google Play. Those apps have since been removed from the store, but we recently found a variant of this family that had made its way onto Google Play via five malicious apps; these have also been removed. (We detect these as AndroidOS_Tekya.HRX.)
Figures 1 and 2. Apps with Tekya malware
Connections between two versions
This variant of Tekya shares many similarities with the previously found version. For example, the encryption remains essentially identical. The same algorithms and keys are used in both versions.
Figure 3. Encryption code from previous Tekya version
Figure 4. Encryption code from this Tekya version
How this Tekya variant works
The malware registers a receiver that responds to the actions “com.tenjin.RECEIVE” or “android.intent.action.BOOT_COMPLETED”. The latter action lets the malware wake up after the device boots:
The functionality of the receiver is implemented in the native library libtenjin.so. Once invoked, it calls a method that hides itself in a common-looking package, specifically com/google/android/gms/internal/ads/.
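As an added example (not code from the original post or from the malware), the following static triage script shows how a defender can check a decoded AndroidManifest.xml for the boot-persistence pattern described above: it lists every receiver registered for the two actions this Tekya variant listens for and notes whether the RECEIVE_BOOT_COMPLETED permission is requested. The manifest embedded below is a constructed sample; the package and class names in it are placeholders.

```python
# Added example, not from the original post: static triage of a decoded
# AndroidManifest.xml (e.g. apktool output) for the boot-persistence pattern
# described above. It reports every receiver whose intent-filter includes one
# of the two actions the Tekya variant listens for. The manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SUSPECT_ACTIONS = {"android.intent.action.BOOT_COMPLETED", "com.tenjin.RECEIVE"}

SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name="com.example.constructed.SomeReceiver" android:exported="true">
      <intent-filter>
        <action android:name="com.tenjin.RECEIVE"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.constructed.Harmless">
      <intent-filter><action android:name="android.intent.action.MY_PACKAGE_REPLACED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def find_suspect_receivers(manifest_xml: str) -> dict:
    """Map receiver class name -> sorted list of suspect actions it registers for."""
    root = ET.fromstring(manifest_xml)
    hits = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        actions = {a.get(ANDROID_NS + "name") for a in receiver.iter("action")}
        matched = sorted(actions & SUSPECT_ACTIONS)
        if matched:
            hits[name] = matched
    return hits

def has_boot_permission(manifest_xml: str) -> bool:
    """True if the app requests RECEIVE_BOOT_COMPLETED, required to get the boot broadcast."""
    root = ET.fromstring(manifest_xml)
    return any(p.get(ANDROID_NS + "name") == "android.permission.RECEIVE_BOOT_COMPLETED"
               for p in root.iter("uses-permission"))

def triage(manifest_xml: str) -> list:
    """One finding string per flagged receiver, noting whether the boot permission is present."""
    perm = "present" if has_boot_permission(manifest_xml) else "absent"
    return [f"{name}: listens for {', '.join(acts)}; RECEIVE_BOOT_COMPLETED {perm}"
            for name, acts in find_suspect_receivers(manifest_xml).items()]
```

A receiver flagged here is only a lead: legitimate apps also register for BOOT_COMPLETED, so the finding should be correlated with what the receiver actually does (for example, whether it hands off to a native library as this variant does).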