Avast has discovered rogue TikTok accounts promoting adware scam apps on iOS and Android. To compound matters, these are apps that have been approved in both vendors' app stores. It raises, again, questions over the claims from both vendors when they use security as part of their “value-add” to justify the fees they charge.
There have been more than 2.4 million downloads of the various apps involved, according to SensorTower. None of the apps has a good rating. It also estimates that those behind the apps have pocketed around US$500,000. If accurate, that would mean the two platforms the apps are downloaded from have made at least $150,000.
Jakub Vávra, threat analyst at Avast, said: “We thank the young girl who reported the TikTok profile to us, her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place.
“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed. It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them.”
What did Avast find?
When Avast investigated the app being promoted, it uncovered a web of deceit that included multiple suspicious accounts and dodgy apps. The apps range from games to wallpaper and music downloaders. They are priced cheaply, between $2 and $10, and are designed to appeal to anyone. Avast also believes that the apps on both iOS and Android come from the same person or group, which would make this an orchestrated campaign.
The apps contain what is called a HiddenAds trojan. This type of malware not only floods the user with ads but is also capable of stealing user data and tracking them online. The latter allows the scammer to tune the apps they send to make it more likely the user will click on them.
When looking at the TikTok accounts, Avast discovered three TikTok profiles were pushing the apps. Linked to these accounts was an Instagram profile. Across all the accounts, there were more than 360k followers. Avast has reported the accounts to both TikTok and Instagram.
The TikTok accounts are 7odestar, Dejavuuu.es3 and Marina90lazina (Tik Tok). The Instagram account is Shockmyfriends.app. As of now, the apps are no longer active on either platform, but that does not mean they won’t reappear under other names.
What are the games and apps involved?
Avast has named the apps it discovered. The Android apps are:
ThemeZone – Shawky App Free – Shock My Friends from Moteleb Inc.
Tap Roulette ++Shock my Friend from Go Best
Ultimate Music Downloader – Free Download Music from Go Best.
The iOS apps are:
Shock My Friends – Satuna from Abdelsatar Abdalmotaleb
666 Time from Abdelsatar Abdalmotaleb
ThemeZone – Live Wallpapers from Abdelsatar Abdalmotaleb
More details on each app, including its rating, earnings and behaviour, are available in the Avast press release. The press release also shows which accounts were promoting which app.
Enterprise Times: What does this mean?
It’s all too easy to dismiss these apps as a consumer issue rather than a business one. The problem with that attitude is that companies are increasingly expecting staff to bring their own devices (BYOD). As these apps have come from the official app stores, the devices have not been jailbroken. That means any cursory check by IT would allow them onto a corporate network.
The threat to the organisation starts with the tracking of the user and the theft of user information. Users connecting to their work network will use their business credentials. There is nothing to stop the scammers harvesting that information through the apps installed on the device.
This also shows that despite the work and claims from both Apple and Google, malicious apps are still able to get through the vetting process. The apps all appear to have been deleted from the app stores. That doesn’t, however, mean they have been removed from all devices. It leaves the users and potentially their employers at ongoing risk from data harvesting and other malware.
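The behaviours described above (the app icon vanishing soon after install, ads served outside the app, user-installed apps that pass a cursory device check) can be turned into a simple heuristic that an IT team runs over a BYOD device inventory. The following is an added example, not code from Avast, Enterprise Times or any MDM vendor; it assumes an inventory export where each installed app carries a package id, developer name, system-app flag, launcher-icon flag, install age and permission list, and every package id and developer other than the three named in the article is constructed for the example.

```python
"""Heuristic flagging of HiddenAds-style apps in a BYOD device inventory.

Added example (not Avast's or Enterprise Times' code). It assumes an MDM
export in which each installed app is described by the fields of
InstalledApp below; the inventory at the bottom is constructed.
"""
from dataclasses import dataclass, field

# Android permission that lets an app draw over other apps; this is the
# usual route for serving ads outside the app that was installed.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"

# Developer names Avast attached to the apps in the article above.
AVAST_NAMED_DEVELOPERS = {"Moteleb Inc.", "Go Best", "Abdelsatar Abdalmotaleb"}


@dataclass
class InstalledApp:
    package: str               # package id (hypothetical in the sample data)
    label: str                 # display name shown to the user
    developer: str             # store developer name
    system_app: bool           # pre-installed by the OEM / OS
    has_launcher_icon: bool    # still has an enabled launcher activity
    days_since_install: int    # age of the install on this device
    permissions: list = field(default_factory=list)


def score_app(app):
    """Return (score, reasons) for one app. System apps are never flagged:
    many of them legitimately have no launcher icon and hold the overlay
    permission, so they would only produce noise."""
    if app.system_app:
        return 0, []
    score, reasons = 0, []
    if not app.has_launcher_icon:
        # Keyboards, plugins and watch faces also lack an icon, so this alone
        # is not enough to flag an app; it is weighted, not decisive.
        score += 2
        reasons.append("user-installed app with no launcher icon")
        if app.days_since_install <= 7:
            # An icon that is already gone a few days after install matches
            # the icon-hiding behaviour described in the article.
            score += 1
            reasons.append("icon already hidden within a week of install")
    if OVERLAY_PERMISSION in app.permissions:
        score += 1
        reasons.append("holds SYSTEM_ALERT_WINDOW (can show ads over other apps)")
    if app.developer in AVAST_NAMED_DEVELOPERS:
        score += 3
        reasons.append("developer named in Avast's report")
    return score, reasons


def flag_suspicious(inventory, threshold=3):
    """Map package id -> reasons for every app at or above the threshold."""
    flagged = {}
    for app in inventory:
        score, reasons = score_app(app)
        if score >= threshold:
            flagged[app.package] = reasons
    return flagged


# Constructed inventory: one system app, one legitimate icon-less app, one
# app showing the pattern from the article, and one ordinary app.
CONSTRUCTED_INVENTORY = [
    InstalledApp("com.android.systemui", "System UI", "AOSP",
                 True, False, 400, [OVERLAY_PERMISSION]),
    InstalledApp("com.example.keyboard", "Swipe Keyboard", "Example Ltd",
                 False, False, 200, []),
    InstalledApp("com.example.wallpaper.free", "Live Wallpapers Free", "Unknown Dev",
                 False, False, 3, [OVERLAY_PERMISSION]),
    InstalledApp("com.example.notes", "Notes", "Example Ltd",
                 False, True, 30, []),
]


def main():
    for package, reasons in flag_suspicious(CONSTRUCTED_INVENTORY).items():
        print(package)
        for reason in reasons:
            print("  -", reason)


if __name__ == "__main__":
    main()
```

Run stand-alone, only the constructed wallpaper app is reported: it scores 4 (no icon, icon gone within a week, overlay permission), while the icon-less keyboard scores 2 and stays below the threshold. The weights are a starting point for an IT team to tune against its own inventory, and a developer-name match is deliberately the strongest single signal because it comes straight from a published report rather than from a behavioural guess.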
The fact that this was only discovered by a child who had the foresight to report it through the Be Safe Online app is pure good fortune.