March 30, 2020 By David Bisson 2 min read

Last week in security news, researchers found a new clicker malware called “Tekya” hidden within 24 children’s games on the Google Play store. Mobile users weren’t the only ones targeted by malicious software last week, however. Malware campaigns targeting vulnerable network-attached storage (NAS) devices, industrial environments and banking customers in Germany also came to light.

Top Story of the Week: Google Play Infiltrated by Tekya Clicker Malware

Researchers at Check Point noted that a new malware family called “Tekya” had made its way into 56 apps available for download on Google Play with a combined total of 1 million downloads worldwide. Over half (32) of those affected apps were utilities such as cooking programs, calculators, downloaders and translators. The remaining 24 apps were games designed for children.

Upon successful installation, Tekya set about to commit mobile ad fraud. It did this by imitating a user’s actions to click on ads and banners from Google’s AdMob, Facebook and other agencies.

Also in Security News

  • 2FA Bypass Incorporated by Trickbot Campaign Targeting German Users: Researchers at IBM X-Force observed attackers pushing an Android app called “TrickMo” in Germany. Delivered by the Trickbot Trojan, this program bypassed two-factor authentication (2FA) measures to steal German users’ banking credentials.
  • Milum Distributed in WildPressure Operation Targeting the Middle East: Kaspersky Lab detected a new advanced persistent threat (APT) operation called “WildPressure” spreading a fully functional Trojan written in C++. This malware, originally named “Milum46_Win32.exe,” stole information off of a victim’s device and exfiltrated it to its command-and-control (C&C) server.
  • Vulnerable NAS Devices Targeted by Mukashi Mirai Variant: Researchers at Palo Alto Networks spotted a new variant of Mirai called “Mukashi” leveraging brute-force attacks to target NAS products from Zyxel running firmware 5.21. Mukashi’s purpose behind those attacks was to compromise those devices, enlist them into a botnet and potentially conduct distributed denial-of-service (DDoS) attacks.
  • Oski Infostealer Seeded by New DNS Hijacking Campaign: According to Bitdefender, malicious actors set their sights on users’ home routers in order to change their DNS settings so that they could redirect users to a malicious website. The campaign leveraged payloads hosted via Bitbucket to spread samples of Oski malware.
  • Google Drive Used by Downloader to Spread Advanced Malware: The Zscaler ThreatLabZ team witnessed a spam campaign using various email templates to target people in various countries around the world. That campaign, in turn, distributed Win32.Downloader.EdLoader, a downloader that delivered its final malware payload via Google Drive.

Security Tip of the Week: Strengthen Your Organization’s Mobile Security

Security professionals can help organizations strengthen their mobile security posture by investing in capabilities that can analyze suspicious behavior on corporate mobile devices and correlate it with intelligence into how digital threats normally function. Solutions that use artificial intelligence (AI) and machine learning are a good place to start.

Additionally, infosec personnel should pursue mobile security best practices by implementing patches on a regular basis, restricting the sources from which mobile users can download apps and enforcing a robust password management strategy.

More from

IBM identifies zero-day vulnerability in Zyxel NAS devices

12 min read - While investigating CVE-2023-27992, a vulnerability affecting Zyxel network-attached storage (NAS) devices, the IBM X-Force uncovered two new flaws, which when used together, allow for pre-authenticated remote code execution. Zyxel NAS devices are typically used by consumers as cloud storage devices for homes or small to medium-sized businesses. When used together, the flaws X-Force discovered allow a remote attacker to execute arbitrary code on the device with superuser permissions and without requiring any credentials. This results in complete control over the…

What cybersecurity pros can learn from first responders

4 min read - Though they may initially seem very different, there are some compelling similarities between cybersecurity professionals and traditional first responders like police and EMTs. After all, in a world where a cyberattack on critical infrastructure could cause untold damage and harm, cyber responders must be ready for anything. But are they actually prepared? Compared to the readiness of traditional first responders, how do cybersecurity professionals in incident response stand up? Let’s dig deeper into whether the same sense of urgency exists…

Unified endpoint management for purpose-based devices

4 min read - As purpose-built devices become increasingly common, the challenges associated with their unique management and security needs are becoming clear. What are purpose-built devices? Most fall under the category of rugged IoT devices typically used outside of an office environment and which often run on a different operating system than typical office devices. Examples include ruggedized tablets and smartphones, handheld scanners and kiosks. Many different industries are utilizing purpose-built devices, including travel and transportation, retail, warehouse and distribution, manufacturing (including automotive)…

Stealthy WailingCrab Malware misuses MQTT Messaging Protocol

14 min read - This article was made possible thanks to the hard work of writer Charlotte Hammond and contributions from Ole Villadsen and Kat Metrick. IBM X-Force researchers have been tracking developments to the WailingCrab malware family, in particular, those relating to its C2 communication mechanisms, which include misusing the Internet-of-Things (IoT) messaging protocol MQTT. WailingCrab, also known as WikiLoader, is a sophisticated, multi-component malware delivered almost exclusively by an initial access broker that X-Force tracks as Hive0133, which overlaps with TA544. WailingCrab…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today