Malware can take over common device functions as well as create a phishing page to steal Facebook credentials.
Researchers have found a new Android spyware campaign ‘marketing’ a “Pro” version of the TikTok app that is exploiting fears among its young & gullible users that the popular social media app is on the cusp of being banned in the US.
The malware can take over basic device functions, e.g. capturing photos, reading & sending SMS messages, making calls & launching apps, & it uses a phishing page to steal victims’ Facebook credentials.
SMS & WhatsApp
The bad app, called TikTok Pro, is being promoted by threat actors using a variant of a campaign already used, which asks users via SMS & WhatsApp messages to download the newest version of TikTok from a very specific web address, commented Zscaler Senior Security Researcher Shivang Desai, in a report published Tues.
The 1st wave of the campaign spread a fake app, containing malware dubbed “TikTok Pro,” which asked for credentials & Android permissions, including camera & phone permissions & resulted in the user being bombarded with advertisements, he observed.
The new wave has a completely new app delivering “full-fledged spyware with premium features to spy on victim with ease,” Desai wrote.
When installed & opened, the new “Tik Tok Pro” spyware launches a fake notification which then disappears along with the app’s icon. “This fake notification tactic is used to redirect the user’s attention, meanwhile the app hides itself, making the user believe the app to be faulty,” he explained in his report.
The malware also has another anti-detection capability, in that it has an additional payload stored under the /res/raw/ directory, “a common technique used by malware developers to bundle the main payload inside the Android package,” Desai wrote.
In this case the bundled payload is only a decoy & possesses no actual app functionality, he added.
The spyware’s main execution capability comes from an Android service named MainService, which acts as the “brain” of the spyware & controls its functionality ”from stealing the victim’s data to deleting it,” Desai wrote.
In addition to being able to take over common smartphone functions, such as capturing photos, sending SMS messages, executing commands, capturing screenshots, calling phone numbers & launching other apps on the device, the spyware has a unique feature it uses to steal Facebook credentials.
As in a classic phishing attack, “Tik Tok Pro” launches a fake Facebook login page; as soon as the victim tries to log in, it stores the entered credentials in /storage/0/DCIM/.fdat. A separate command, IODBSSUEEZ, then sends the stolen credentials to the malware’s command & control server.
Desai noted that this type of phishing tactic can be extended to steal other critical user credentials, such as bank-account or financial log-in data, though this type of activity was not actually seen in the observed campaign.
The new spyware has many functions similar to other more well-known versions of this type of malware, e.g. Spynote & Spymax, “meaning this could be an updated version of these Trojan builders, which allow anyone, even with limited knowledge, to develop functional spyware,” Desai concluded.
However, the Facebook credential-stealing capability is unique to “Tik Tok Pro” & not something that has been observed before with these spyware apps, he suggested.
The ease of using the TikTok brand to spread malware is likely the result of the current controversy over the popular video-sharing app, which is owned by China’s ByteDance & has been criticised for its questionable data-collection tactics.
President Trump has threatened to ban the app in the US, & several US companies, including Microsoft & Walmart, are looking to purchase it. India recently banned TikTok, along with many other Chinese apps, over a political dispute.
“Users looking forward to using the TikTok app amidst the ban might look for alternative methods to download the app,” Desai wrote. “In doing so, users can mistakenly install malicious apps, such as the spyware mentioned in this blog.”
Desai repeated warnings to Android users not to trust unknown links received in SMS or other messages, & to only install apps from official stores like Google Play to avoid being a victim of the new spyware campaign.
Another mitigation is to keep the “Unknown Sources” option disabled on the Android device, which prevents the device from installing apps from outside the official store, he further added. Note that on Android 8.0 (Oreo) & later this is no longer a single global switch but a per-app “Install unknown apps” permission, so it is worth checking that no browser or messaging app has been granted it.
To check whether the new spyware is running undetected on an Android device, users can look for it in device settings: hiding the launcher icon does not remove the app from the installed-apps list, so go to Settings -> Apps & search that list for “TikTok Pro,” Desai advised.
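For analysts with a device on a USB cable, the same check can be automated. The icon-hiding behaviour described earlier (the app disables its own launcher activity, so the icon vanishes while the package stays installed) leaves a trace in the output of `adb shell dumpsys package`: the package's LAUNCHER activity shows up under `disabledComponents`. The script below is an added example written for this article, not code from Zscaler or from the report; the package names, component names and the abridged dumpsys excerpt are constructed sample data that approximate the real dumpsys layout, and TikTok Pro's real package name is not given on the page.

```python
"""Flag Android packages that have disabled their own launcher activity.

Added example (not from the page or the Zscaler report). Input is the text of
`adb shell dumpsys package`, which lists every MAIN/LAUNCHER activity in its
"Activity Resolver Table" and, per package, the components the app itself has
disabled. A package whose launcher activities are all disabled has hidden its
icon from the app drawer, the symptom described for "TikTok Pro".
"""
import re

# Constructed sample of `adb shell dumpsys package` output (abridged).
# com.example.tiktokpro is a made-up package that has disabled its launcher
# activity; com.example.benign is a made-up package that keeps its icon.
SAMPLE_DUMPSYS = """\
Activity Resolver Table:
  Non-Data Actions:
      android.intent.action.MAIN:
        3f1a2b4 com.example.tiktokpro/.MainActivity filter 1c2d3e4
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        5a6b7c8 com.example.benign/.HomeActivity filter 9d0e1f2
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.LAUNCHER"
        7c8d9e0 com.example.benign/.InfoActivity filter 2a3b4c5
          Action: "android.intent.action.MAIN"
          Category: "android.intent.category.INFO"

Packages:
  Package [com.example.tiktokpro] (a1b2c3d):
    userId=10234
    codePath=/data/app/com.example.tiktokpro-1
    User 0: installed=true hidden=false stopped=false enabled=0
      disabledComponents:
        com.example.tiktokpro.MainActivity
      runtime permissions:
        android.permission.CAMERA: granted=true
  Package [com.example.benign] (e4f5a6b):
    userId=10235
    codePath=/data/app/com.example.benign-1
    User 0: installed=true hidden=false stopped=false enabled=0
      enabledComponents:
        com.example.benign.HomeActivity
      runtime permissions:
"""

# "<hash> pkg/.Class filter <hash>" lines in the Activity Resolver Table
COMPONENT_RE = re.compile(r"^\s+[0-9a-f]+\s+(?P<comp>[\w.]+/[\w.$]+)\s+filter\b")
CATEGORY_RE = re.compile(r'^\s+Category:\s+"(?P<cat>[\w.]+)"')
PACKAGE_RE = re.compile(r"^\s+Package \[(?P<pkg>[\w.]+)\]")


def qualify(component):
    """Expand the 'pkg/.Class' shorthand to ('pkg', 'pkg.Class')."""
    pkg, cls = component.split("/", 1)
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def launcher_activities(dumpsys_text):
    """Return {package: {fully qualified activity classes with LAUNCHER category}}."""
    launchers = {}
    current = None
    for line in dumpsys_text.splitlines():
        m = COMPONENT_RE.match(line)
        if m:
            current = qualify(m.group("comp"))
            continue
        m = CATEGORY_RE.match(line)
        if m and current and m.group("cat") == "android.intent.category.LAUNCHER":
            pkg, cls = current
            launchers.setdefault(pkg, set()).add(cls)
    return launchers


def disabled_components(dumpsys_text):
    """Return {package: {classes listed under that package's disabledComponents}}."""
    disabled = {}
    pkg = None
    block_indent = None  # indentation of the 'disabledComponents:' header, if inside one
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            pkg, block_indent = m.group("pkg"), None
            continue
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped == "disabledComponents:":
            block_indent = indent
            continue
        if block_indent is not None:
            if stripped and indent > block_indent and pkg:
                disabled.setdefault(pkg, set()).add(stripped)
            else:
                block_indent = None  # indentation dropped: list has ended
    return disabled


def hidden_icon_packages(dumpsys_text):
    """Packages whose every LAUNCHER activity is disabled, i.e. icon hidden."""
    launchers = launcher_activities(dumpsys_text)
    disabled = disabled_components(dumpsys_text)
    return sorted(pkg for pkg, acts in launchers.items()
                  if acts and acts <= disabled.get(pkg, set()))


if __name__ == "__main__":
    for pkg in hidden_icon_packages(SAMPLE_DUMPSYS):
        print("launcher icon hidden:", pkg)
```

Against a real device, capture the dump with `adb shell dumpsys package > dump.txt` and pass the file contents to `hidden_icon_packages`. A hit is only a lead, not a verdict: some legitimate apps (device-management or kiosk tools) also disable their launcher entry, so the flagged package's code path, permissions and any stray dot-files under DCIM, such as the `.fdat` credential store the article mentions, still need a manual look.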