New spyware called TikTok Pro mimics the genuine TikTok app, and its spread is being fueled by fears of a TikTok ban. Researchers provide recommendations on how to avoid becoming a victim of TikTok Pro.
TikTok Ban Fuels Spyware Campaign
Researchers at ZScaler have discovered a new spyware campaign that is being fueled by the ban on TikTok in India. Chinese-owned TikTok was banned in India last month, along with many other Chinese apps, over a political dispute.
Also fueling the campaign is the threat of a TikTok ban in the US. The US has threatened to ban TikTok because the app purportedly poses a threat to US national security; in addition, TikTok has been accused of privacy violations. Consequently, US President Donald Trump issued an executive order forcing TikTok’s parent company ByteDance to sell its US operations to a US company or face a ban. Following the executive order, several large US companies put in bids to purchase TikTok. In retaliation, TikTok filed a lawsuit against the president’s executive order.
When popular apps like TikTok are banned or are no longer available on official app stores, users look for alternative ways to download them. “In doing so, users can mistakenly install malicious apps, such as the spyware mentioned in this blog,” ZScaler researcher Shivang Desai explained in his report.
TikTok Pro Spyware
TikTok Pro, which mimics the popular Chinese app TikTok, is a fully fledged spyware app. This piece of malware includes premium features that allow cybercriminals to spy on victims with ease. ZScaler researchers found that TikTok Pro was developed using a framework similar to that used in Spynote and Spymax, which led them to infer that TikTok Pro could be an updated version of these Trojan builders. Such Trojan builders allow even attackers with limited technical knowledge to develop fully fledged spyware.
Once installed and opened, TikTok Pro launches a fake notification that then disappears, along with the app’s icon. This tactic is likely intended to make the victim believe that the app did not install. TikTok Pro is then able to steal and send SMS messages, capture photos and screenshots, and determine a victim’s location. It can also execute commands, make phone calls, launch other apps and steal a victim’s Facebook credentials. The spyware accomplishes this via commands sent to it remotely by the attacker.
To steal a victim’s Facebook credentials, TikTok Pro uses phishing tactics. As in other phishing campaigns, TikTok Pro displays a fake Facebook login page that stores the victim’s credentials as they log in. Desai noted that this tactic could easily be extended to steal other personal data, such as bank account credentials. Stealing Facebook credentials is something previously unseen amongst Trojan builders such as Spynote and Spymax.
Other TikTok Based Campaigns
TikTok Pro is not the first fake TikTok app to appear. An earlier TikTok-mimicking malware app was spread via WhatsApp and text messages. That campaign asked users to upgrade to the latest version of TikTok and instead downloaded the fake TikTok app. This app collected credentials and requested Android permissions, including camera and phone permissions, resulting in the user being bombarded with advertisements.
The ZScaler report recommends that users adhere to the following precautions whenever installing an app:
- Only install apps from official app stores, such as Google Play
- Never click on unknown links received through advertisements, SMS messages, emails, or the like
- Always keep the “Unknown Sources” option disabled on Android devices. This stops the installation of apps from unknown sources onto your device.
ZScaler researchers also recommend that users regularly check their Android devices for apps that are hiding their icons. This can be done by going to Settings -> Apps -> Search for icon that was hidden. To check whether TikTok Pro is installed on a device, search for the name TikTok Pro.
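The same check can be scripted for a fleet of managed or test devices. The following is an added example, not code from the ZScaler report: it compares the third-party packages installed on a device (output of `adb shell pm list packages -3`) against the packages that still expose a MAIN/LAUNCHER activity (output of `adb shell cmd package query-activities --brief -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`), on the assumption that an app which disables its launcher activity to hide its icon drops out of the second list. The sample command outputs and all package names below are constructed placeholders; the real TikTok Pro package name is not given in the report.

```python
"""Triage helper: list third-party Android packages that show no launcher icon.

Added example (not from the Zscaler report). Parses captured text output of
two adb commands; the samples below are constructed and the package names are
placeholders, not real identifiers from the campaign.
"""
import re
from typing import Iterable, List, Set

# Constructed sample of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_PACKAGES = """\
package:com.example.notes
package:com.example.keyboard
package:com.placeholder.tiktokpro
package:com.example.weather
"""

# Constructed sample of
# `adb shell cmd package query-activities --brief \
#      -a android.intent.action.MAIN -c android.intent.category.LAUNCHER`
# The brief format prints one "package/activity" component per line.
SAMPLE_LAUNCHER = """\
3 activities found:
  com.android.settings/.Settings
  com.example.notes/.MainActivity
  com.example.weather/com.example.weather.ui.Home
"""

PACKAGE_RE = re.compile(r"^package:(\S+)\s*$")
# Component lines look like "com.example.app/.MainActivity"; header lines
# such as "3 activities found:" contain no "/" and are ignored.
COMPONENT_RE = re.compile(r"^\s*([A-Za-z][\w.]*)/\S+\s*$")


def parse_packages(text: str) -> Set[str]:
    """Package names from `pm list packages` output; other lines are ignored."""
    return {m.group(1) for line in text.splitlines() if (m := PACKAGE_RE.match(line))}


def parse_launcher_packages(text: str) -> Set[str]:
    """Packages that own at least one resolvable MAIN/LAUNCHER activity.

    Assumption: a launcher activity the app has disabled to hide its icon is
    not returned by the query, so the owning package is absent here.
    """
    return {m.group(1) for line in text.splitlines() if (m := COMPONENT_RE.match(line))}


def hidden_icon_candidates(packages_text: str, launcher_text: str,
                           known_iconless: Iterable[str] = ()) -> List[str]:
    """Third-party packages installed but showing no launcher icon.

    Legitimate icon-less apps (keyboards, plugins, background services) land
    here too, so the result is a triage list for manual review, not a verdict.
    `known_iconless` lets an analyst suppress packages already vetted.
    """
    installed = parse_packages(packages_text)
    visible = parse_launcher_packages(launcher_text)
    return sorted((installed - visible) - set(known_iconless))


if __name__ == "__main__":
    for pkg in hidden_icon_candidates(SAMPLE_PACKAGES, SAMPLE_LAUNCHER):
        print("no launcher icon:", pkg)
```

On a real device, capture the two command outputs into files and feed their contents to `hidden_icon_candidates`; any package on the list that the user did not knowingly install as a keyboard, plugin or similar icon-less app deserves a closer look in Settings -> Apps.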
As iPhones do not support the installation of third-party apps from outside the App Store, iPhone users are not affected by this attack campaign.