Hackers using TikTok uncertainty to hide spyware

The Trump Administration’s continued threats to ban TikTok in the United States, due to the company’s Chinese origins, have received mixed reactions from social media and internet users in the United States and globally. Most recently, Donald Trump has ordered ByteDance, the parent company of TikTok, to sell its U.S. TikTok assets and also issued executive orders that would ban TikTok, as well as WeChat, from operating in the U.S. 

After a series of delays, injunctions, and appeals, TikTok is still available on U.S. app stores and, at the time of writing, 14 November 2020 will be the final deadline for halting all of TikTok’s activities in the U.S. Whether that happens, and whether Trump remains in the White House to oversee it, remains unknown.

However, what is clear is that this additional focus on the TikTok app, and the confusion among users about its current status, have made it a tempting target for hackers. When a popular application comes under fire and features prominently in the news, attackers take notice, because a newsworthy app makes a convenient lure. With the U.S. election fast approaching and dominating news coverage, cybercriminals can be expected to target the technology that politicians and the media are talking about.

Recent research from our ThreatLabZ team reveals this is indeed the case with TikTok.

Beware of fake TikTok

Generally, after an application is removed from an official app store such as Google Play, users look for alternative ways to download it, mainly from third-party websites. In doing so, they can fall victim to malicious apps posing as the original. Recently there has been a huge wave of SMS and WhatsApp messages, circulating in group chats and sent to individuals, asking users to download the latest version of TikTok from an unknown and unconvincing link address; unfortunately, many people are downloading this malicious app anyway.

In reality, the downloaded app is a fake that asks for credentials and Android permissions, including camera and phone permissions, and then bombards the user with advertisements: a simple but effective way of turning an item in the international news into a highly convincing phishing scam.

Recently, the Zscaler ThreatLabZ team came across another variant of this app, portraying itself as TikTok Pro. On closer investigation, it became clear that this was not just a normal phishing app but full-fledged spyware, with premium features for spying on a victim with ease.

Technical analysis 

When installed on a smartphone or tablet, the spyware portrays itself as TikTok, using the name TikTok Pro. As soon as the user opens the app, it launches a fake notification. Shortly after the initial clicks, the notification and the app icon on the home screen both disappear. The fake notification is a diversion: while the user’s attention is on it, the app hides itself in the device’s internal storage, leaving the user to believe the app is simply faulty.

Behind the scenes, a number of processes occur simultaneously. First, an activity named MainActivity starts up, hides the icon and shows the fake notification. It also starts an Android service named MainService.

The spyware also appears to carry an additional payload stored under a new folder. Bundling the main payload inside the Android package in this way is a common technique among malware developers, since it avoids easy detection by users.

Upon further analysis, the ThreatLabZ team discovered that this is decoy functionality: no new payload was generated by this particular sample. Going slightly further, the team was able to rebuild the malware to execute the apparent payload-generation routine, but found that the APK stored in one of the directories was empty. The cybercriminals likely placed this decoy functionality to confuse malware researchers; however, it is also possible that this part of the malware is still under development and the placeholder code is simply incomplete.

On execution, once the spyware has hidden itself, it starts an Android service named MainService. Android services are components that run independently in the background without the victim’s knowledge. MainService is the brain of this spyware and controls almost everything, from stealing the victim’s data to deleting it. Because MainService is the main controller, the malware’s developer has taken care to keep it functional and running.

Facebook Phishing 

One of the interesting features of this spyware is its ability to steal Facebook credentials using a fake login page, much like phishing. Upon receiving the command GUIFXB, the spyware launches a fake Facebook login page and, as soon as the victim tries to log in, stores the victim’s credentials. This functionality could easily be extended to steal other information, such as banking credentials, although in this attack banks do not appear to be targeted.
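The behaviour described in the technical analysis (a TikTok label on a non-official package, camera and phone permissions, a background MainService, a launcher icon that disappears after first run) and the GUIFXB command above amount to a static-triage checklist. The script below is an added example, not ThreatLabZ tooling or code from the sample: it parses a decoded AndroidManifest.xml and a list of strings extracted from an APK (both constructed here to mirror the description) and reports which indicators are present. The official-package allowlist, the permission set, the indicator strings other than GUIFXB and the two-finding threshold are assumptions.

```python
"""Static triage of an Android app that claims to be TikTok (added example)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: allowlist of official TikTok package names; maintain it yourself.
OFFICIAL_TIKTOK_PACKAGES = {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"}

# Permissions the article's spyware abuses (camera, phone, SMS, location) and
# the one needed to install a bundled second APK.
SPY_PERMISSIONS = {
    "android.permission.CAMERA",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Strings tied to behaviour in the article. Icon hiding on Android is done with
# PackageManager.setComponentEnabledSetting(..., COMPONENT_ENABLED_STATE_DISABLED).
STRING_INDICATORS = {
    "setComponentEnabledSetting": "hides its own launcher icon",
    "COMPONENT_ENABLED_STATE_DISABLED": "disables its own component (icon hiding)",
    "GUIFXB": "command that opens the fake Facebook login page",
}


@dataclass
class TriageReport:
    package: str
    label: str
    findings: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Two independent indicators is the triage threshold used here (assumption).
        return len(self.findings) >= 2


def triage(manifest_xml: str, strings: list) -> TriageReport:
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    label = app.get(ANDROID_NS + "label", "") if app is not None else ""
    report = TriageReport(package, label)

    # 1. Brand impersonation: calls itself TikTok but is not an official package.
    if "tiktok" in label.lower() and package not in OFFICIAL_TIKTOK_PACKAGES:
        report.findings.append(f"label '{label}' on non-official package '{package}'")

    # 2. Spy-grade permissions requested in the manifest.
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    for perm in sorted(requested & SPY_PERMISSIONS):
        report.findings.append(f"requests {perm}")

    # 3. Declared background services (the article's MainService).
    if app is not None:
        for svc in app.iter("service"):
            report.findings.append(f"declares service {svc.get(ANDROID_NS + 'name')}")

    # 4. String indicators pulled from the DEX/resources.
    blob = "\n".join(strings)
    for needle, meaning in STRING_INDICATORS.items():
        if needle in blob:
            report.findings.append(f"string '{needle}': {meaning}")
    return report


# Constructed sample input modelled on the article's description, not a real dump.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tiktokpro">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="TikTok Pro">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".MainService"/>
  </application>
</manifest>"""
SAMPLE_STRINGS = ["Landroid/content/pm/PackageManager;", "setComponentEnabledSetting",
                  "GUIFXB", "Lcom/example/tiktokpro/MainService;"]

# Constructed benign control: a plain notes app with no spy indicators.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest, strings in [("sample", SAMPLE_MANIFEST, SAMPLE_STRINGS),
                                    ("benign", BENIGN_MANIFEST, [])]:
        r = triage(manifest, strings)
        print(f"{name}: {r.package} suspicious={r.suspicious}")
        for f in r.findings:
            print("  -", f)
```

Run against a real sample, the manifest comes from `apktool d` and the string list from `strings` over the DEX files; each finding on its own is weak evidence (plenty of legitimate apps declare a service or request the camera), which is why the report only turns suspicious when several indicators coincide.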

Upon further research, the ThreatLabZ team found that the spyware appears to have been developed with a framework similar to Spynote and Spymax, meaning it could be an updated version of these Trojan builders, which allow anyone, even with limited knowledge, to develop full-fledged spyware.

Many of the functionalities seen in this spyware are similar to those of Spynote and Spymax, based on samples the team has analysed in the past. This time around, however, it contains some adjustments that let attackers easily set up the Trojan to communicate back to them without any need for high-end servers. Other common functionalities include carrying out instructions received from the malware operators, taking screenshots of the victim’s device, fetching locations, and stealing SMS messages; these are the most common threats that spyware poses to the individual.

Remaining vigilant 

Android devices are very popular and used across the globe, with a high level of confidence in the brand and software, so it is easy for attackers to victimise Android users, who are unlikely to suspect malware in the Google Play store. Mobile users should therefore take the greatest precautions when downloading any application from the internet. As this research demonstrates, it is very easy to trick victims into falling for such attacks, especially when the app is in the news and highly popular.

Users looking forward to using the TikTok app, if the ban does come into force, may look for alternative ways to download it. In doing so, they can mistakenly install malicious apps, such as the spyware discussed in this article. The precautions users should take online have been covered extensively, but it is important that everyone knows how to stay safe when downloading and browsing on the web. It is vital that users install all apps from official stores, such as Google Play, and never click on unknown links received through ads, SMS messages, or emails. Lastly, always keep the “Unknown Sources” option disabled; this prevents apps from being installed on your device from unknown sources.
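The two pieces of advice above, install only from official stores and keep “Unknown Sources” disabled, can be verified on a device rather than taken on trust. The script below is an added example, not from the article or Zscaler: it parses the output of `adb shell pm list packages -3 -i` (third-party packages with their installer) to list apps that did not arrive through the Play Store and any package that calls itself TikTok without being an official one, and interprets `adb shell settings get secure install_non_market_apps`, the legacy global toggle. The `package:<name>  installer=<pkg|null>` output format, the Play Store installer id `com.android.vending`, the official-package allowlist and the sample output are assumptions or constructed.

```python
"""Device-side check of app provenance and the Unknown Sources toggle (added example)."""
import re
import shutil
import subprocess

PLAY_STORE_INSTALLER = "com.android.vending"
# Assumption: allowlist of official TikTok package names; maintain it yourself.
OFFICIAL_TIKTOK_PACKAGES = {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"}

# Assumed line format of `pm list packages -3 -i`: package:<name>  installer=<pkg|null>
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer id from `pm list packages -3 -i` output."""
    result = {}
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def sideloaded_packages(pm_output: str) -> list:
    """Third-party apps whose installer is not the Play Store (sideloaded, or
    installed by an unknown installer, which pm reports as 'null')."""
    return sorted(pkg for pkg, inst in parse_installers(pm_output).items()
                  if inst != PLAY_STORE_INSTALLER)


def tiktok_lookalikes(pm_output: str) -> list:
    """Installed packages whose name claims TikTok but is not an official package."""
    return sorted(pkg for pkg in parse_installers(pm_output)
                  if "tiktok" in pkg.lower() and pkg not in OFFICIAL_TIKTOK_PACKAGES)


def unknown_sources_enabled(settings_value: str) -> bool:
    """Interpret the legacy global toggle: '1' means enabled. On Android 8 and
    later the value reads 'null' because installs from unknown sources are
    granted per app (REQUEST_INSTALL_PACKAGES), so 'null' is treated as off here."""
    return settings_value.strip() == "1"


def adb(*args: str) -> str:
    """Run an adb shell command if adb is on PATH; raise otherwise."""
    if shutil.which("adb") is None:
        raise RuntimeError("adb not found; run the parsers on captured output instead")
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output, not captured from a real device.
SAMPLE_PM_OUTPUT = """package:com.zhiliaoapp.musically  installer=com.android.vending
package:com.example.tiktokpro  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    try:
        pm_out = adb("pm", "list", "packages", "-3", "-i")
        toggle = adb("settings", "get", "secure", "install_non_market_apps")
    except (RuntimeError, subprocess.CalledProcessError):
        pm_out, toggle = SAMPLE_PM_OUTPUT, "1"  # fall back to the constructed sample
    print("not from Play Store:", sideloaded_packages(pm_out))
    print("TikTok lookalikes:", tiktok_lookalikes(pm_out))
    print("Unknown Sources toggle on:", unknown_sources_enabled(toggle))
```

Anything listed under “not from Play Store” deserves a second look, and a TikTok-named package outside the allowlist is exactly the sideloaded lookalike the article describes; on current Android versions, check each app’s “Install unknown apps” permission in Settings as well, since the global toggle no longer exists there.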

As we begin to spend more time indoors, surfing the web, and downloading apps to keep us busy throughout this period, it is important we all stay vigilant and understand how attackers use items in the news or circulating on social media to infect devices with malware. 

Deepen Desai