Rogue TikTok accounts promoting adware scam apps posing as “Shock Roulette” and “Wallpaper” apps

September 23, 2020

At least three TikTok profiles with more than 350,000 followers combined have been promoting multiple fraudulent mobile apps that generated $500,000 in profit, according to an Avast report.

The Avast team found a total of seven adware scam apps that were available on both the Google Play Store and the Apple App Store. The apps have been downloaded more than 2.4 million times and are reported to have earned their creators around $500,000.

At least three profiles are aggressively pushing the apps on TikTok, one of which has more than 300K followers, the team discovered. They also found an Instagram profile with more than 5,000 followers promoting one of the apps. Avast has reported the apps to Apple and Google and the accounts to TikTok and Instagram.

“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed,” Jakub Vávra, threat analyst at Avast, says. “It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them.”

According to Ben Pick, Senior Application Security Consultant at nVisium, a Falls Church, Virginia-based application security provider, using TikTok profiles for promoting scam apps is only the latest vector of abusing popular channels to capture profit from unsuspecting supporters.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, also notes that this is a form of social engineering that uses the influence of these accounts to convince people to download malicious apps. "It's far less targeted than the social engineering we're used to seeing, but it executes the same process with the same end goal in mind. Threat actors could easily use this same strategy to distribute a more invasive form of mobile malware such as spyware," Schless says. "We frequently see threat actors leverage social situations to their advantage. In this case, they know people rushed to download TikTok ahead of the ban, and these new users look for influencers to follow when they sign up for the app. This varies from the type of malicious activity we saw in India after they were one of the first countries to ban the app."

When India banned the app, cybercriminals distributed a fake version of the “TikTok Pro” app via social media, SMS, and messaging platforms within a week of the nation banning the real TikTok app. This was the more targeted form of social engineering that we are used to seeing.

Lookout conducted an in-depth analysis of the fake TikTok Pro app distributed in India and found that it had similar data collection capabilities as the real TikTok app such as access to location, device sensor data, and contacts, but could never be opened. "The fake app was a piece of toll fraud malware. Because it is a smaller file size (2.2 MB) versus the real TikTok app (55.2 MB), it is cheap, fast, and easy for malicious actors to deliver to victims. The threat actor behind the fake TikTok Pro app in India was able to build and distribute the app in a very short time frame once the ban went out," Schless says. "This exemplifies how cybercriminals could take advantage of a similar situation in the U.S. and profit from the public’s desire for the app or to steal personal data."

"The best method to not be susceptible is to verify the app being downloaded and not click a link directly from a user's profile," Pick says. "Check for excessive permissions and numerous bad reviews to prevent downloading similar scam or outright malicious apps. Unfortunately, this issue will not be going away as there is nothing stopping anyone from advertising their own interests or paid apps.”

"The expansion of tactics that we're seeing in such a short time is frightening," Schless notes. "In order to protect yourself against these rapidly evolving threats, you should be sure to have a mobile security tool on your smartphone that can protect you from the inevitable phishing and malware attacks associated with TikTok.”

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.