It’s safe to say that 2020 has caused a lot of disruption to businesses around the world, thanks to the Coronavirus. However, it’s been largely business as usual for those in the malware and click fraud industry. A major click fraud malware threat uncovered in 2020 is Tekya – a hidden ad fraud clicker from the Haken malware family found in Android mobile apps.

As we’ve seen on this very blog, this type of malware is increasingly common and poses an ongoing threat to anyone operating pay per click ad campaigns.

Name: Tekya
Status: Likely active
Summary: Ad fraud malware found mostly in Android games and utility apps

What is Tekya?

Tekya malware was discovered in February 2020 by Check Point Research, hiding in 56 apps that were downloaded over a million times. Most of these apps were games and puzzles aimed at children, although many of them were utility apps such as calculators, cooking apps and translators.

Tekya malware was found in 24 children’s Android games

The apps themselves seemed innocent enough, with no malware code in them, which allowed them to bypass Google’s checks. However, the malware portion of the code was activated after the apps were downloaded, with the library updating after download.

Once activated, Tekya uses Google’s own ‘MotionEvent’ mechanism to hide its automated activity. This is the inbuilt code in Android that registers interactions with the device such as touches, pinching, swiping and other user gestures.

The malware then clicks on ads within the affected apps to collect a payout for the threat actors. The threat actors are thought to be the developers of Tekya, also referred to as Haken, rather than the app developers, as this malware had been found in numerous apps by different developers.

One way this malware code is distributed is by including a few lines of code in a software development kit (SDK). These SDKs are widely used by app developers around the world, and the few lines of offending code are easy to miss.

Who did Tekya affect?

As Tekya/Haken was built for ad fraud, those most affected would be advertisers using in-app ad platforms. These included Google’s own AdMob, AppLovin, Facebook and Unity. 

Users of devices would have been unaffected by the activity of the malware, although no-one wants their devices to be used as part of a malware network. The worst that may have happened for device users is that they may have noticed high power usage on some apps. 

Tekya was initially found in 56 apps, including:

  • Race in Space (game – downloaded 100,000+ times)
  • Let me Go (game – downloaded 100,000+ times)
  • Cooking Delicious (game – downloaded 100,000+ times)
  • Scientific Calculator (utility app – downloaded 50,000+ times)
  • ITranslator (utility app – downloaded 50,000+ times)
  • Nightmare Parkour (game – downloaded 10,000+ times)
  • Photo & Video Downloader (utility app – downloaded 10,000+ times)

After initially being removed from the Google Play Store, the Tekya/Haken malware was found again in June 2020. It’s thought that it is still active as of December 2020.

Marketers using the above-mentioned ad platforms to promote their business would have seen inflated clicks on their ads but few additional conversions.
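The symptom described above (many clicks, almost no conversions) can be tested for in a per-placement ad report. The following is an added example, not code from the original article or from any ad platform: it flags in-app placements whose conversion count is statistically improbable given the rest of the account. The report fields, placement names and thresholds are hypothetical, and the sample data is constructed.

```python
import math

# Constructed sample report: one row per in-app placement (hypothetical names).
REPORT = [
    {"placement": "app.example.puzzle_kids", "clicks": 4200, "conversions": 3},
    {"placement": "app.example.calc_tool", "clicks": 1800, "conversions": 1},
    {"placement": "app.example.news_reader", "clicks": 950, "conversions": 31},
    {"placement": "app.example.fitness", "clicks": 1200, "conversions": 40},
    {"placement": "app.example.recipes", "clicks": 150, "conversions": 0},
    {"placement": "app.example.weather", "clicks": 800, "conversions": 22},
]


def binom_cdf(k, n, p):
    """P(X <= k) for X ~ Binomial(n, p), with each term computed in log space."""
    total = 0.0
    for i in range(k + 1):
        log_term = (math.lgamma(n + 1) - math.lgamma(i + 1)
                    - math.lgamma(n - i + 1)
                    + i * math.log(p) + (n - i) * math.log1p(-p))
        total += math.exp(log_term)
    return min(total, 1.0)


def flag_placements(rows, alpha=0.001, min_clicks=200):
    """Return (placement, clicks, conversions, p_value) for suspicious rows.

    Each placement is compared with the conversion rate of all *other*
    placements, so a large fraudulent source cannot drag down its own baseline.
    """
    total_clicks = sum(r["clicks"] for r in rows)
    total_conv = sum(r["conversions"] for r in rows)
    flagged = []
    for r in rows:
        if r["clicks"] < min_clicks:  # too little traffic to judge
            continue
        base_clicks = total_clicks - r["clicks"]
        base_conv = total_conv - r["conversions"]
        if base_clicks == 0 or not 0 < base_conv < base_clicks:
            continue  # no usable baseline rate
        p_value = binom_cdf(r["conversions"], r["clicks"], base_conv / base_clicks)
        if p_value < alpha:
            flagged.append((r["placement"], r["clicks"], r["conversions"], p_value))
    return sorted(flagged, key=lambda f: f[3])  # most anomalous first


if __name__ == "__main__":
    for name, clicks, conv, p in flag_placements(REPORT):
        print(f"{name}: {clicks} clicks, {conv} conversions, p={p:.2e}")
```

A flagged placement is a candidate for exclusion or closer review, not proof of fraud; a low-converting but legitimate audience produces the same signal.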

This shows the current trend for malware targeting mobile apps, and the fact that it is relatively easy for determined fraudsters to profit from ad fraud. Anyone paying for online advertising needs to be aware that there are many click fraud malware operations out there, many of which we know nothing about.

Avoiding fraud on your paid ads

Pay per click ads are one of the best ways to promote your business. But there is no getting away from the fact that this is an attractive target for fraud. In fact, even during the Coronavirus pandemic we’ve seen PPC fraud remaining quite static across many industries. Such is the challenge that click fraud is thought to have cost advertisers over $35 billion in 2020 alone.

We might not know what malware or bot threats are out there right now or in the future, but we can use proactive methods to prevent them clicking on our PPC campaigns. 

If you’re currently running pay per click ads on Google or Bing, there is a simple way to check how much fraud there is on your account. Just sign up for the free ClickCease trial and find out how many fake clicks (aka invalid clicks) there are on your paid links.

-Updated December 2020