Scam mobile apps spreading via rogue TikTok accounts

Malicious TikTok accounts are promoting a number of adware scam mobile apps

Malicious app developers are exploiting TikTok’s popularity among under-18s to promote adware scam applications, according to Czech security firm Avast, which has uncovered apps with over 2.4 million downloads between them on the Apple App Store and Google Play Store after receiving a report through its local Be Safe Online project.

The apps pose as entertainment apps, including games purporting to “shock your friends” that actually just cause the device to vibrate (something it is perfectly capable of doing without an app), and wallpaper and music downloaders that are in fact HiddenAds trojans serving intrusive ads outside of the downloaded app.

People who download them are charged between $2 and $10 for the privilege, and the trick has netted the person or persons behind the apps over $500,000 to date – according to data sourced from app data specialists Sensor Tower.

At least three active profiles on TikTok are pushing the apps – one of them with over 300,000 followers – as well as Instagram pages. All seem to have been developed by the same person or group, variously identified as Abdelsatar Abdalmotaleb, Go Best or Moteleb Inc. All the apps and profiles have been flagged to the relevant platforms.

“We thank the young girl who reported the TikTok profile to us; her awareness and responsible action is the kind of commitment we should all show to make the cyber world a safer place,” says Jakub Vávra, threat analyst at Avast.

“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed.

“It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognise some of the red flags surrounding the apps and therefore may fall for them,” said Vávra.

The seven apps to be avoided are called ThemeZone – Shawky App Free – Shock My Friends; Tap Roulette ++Shock my friend; Ulimate Music Downloader – Free Download Music; Shock My Friends – Satuna; 666 Time; ThemeZone Live Wallpapers; and Shock My Friend Tap Roulette V.

All of them have notably low ratings and low numbers of reviews, which can both be warning signs of a scam app. Other things to look out for can include negative reviews citing excessive ads or low functionality of the alleged feature set – although equally, extremely positive reviews can also be a tip-off that something is not right.

Besides being alert to ratings and reviews, users should check what permissions apps are seeking before downloading them, and consider what makes sense. For example, ThemeZone – Shawky App asks for access to external storage, such as photos, videos and files, which is not necessary for what it purports to do.

Users should consider what it is they are paying for and if the price tag makes sense considering what is on offer. “Many of these apps offer basic or unrealistic features, like simple games that claim to shock players, or wallpapers for around $8, a high amount considering games and features like this are often offered for free by other developers,” said Vávra.

It should go without saying that children should not be permitted to download any paid-for app or additional features without parental supervision, so the responsibility for querying payment does rest with the parent.

“It’s important for parents to speak to their children about apps and what to look out for before downloading an app, or make it a rule for children to ask for permission before allowing them to download an app, to avoid potential unnecessary costs,” added Vávra.
