'Tik Tok Pro' Malware Description
The popularity of the Chinese application TikTok swept the world and turned it into a pop-culture phenomenon. Following President Trump's remarks that he might impose a ban on the application, however, has made TikTok's future in the US quite uncertain. This opens a prime opportunity for hackers to exploit TikTok's users' fear of losing access to the application to deliver fake or outright threatening applications. Indeed, the cybersecurity analysts at Zscaler detected a threatening campaign doing exactly that.
Initially, the threatening campaign used SMS and WhatsApp messages to directed users to supposedly download the latest TikTok update for TikTok hosted on a private server at hxxp://tiny.cc/TiktokPro. However, what users installed on their devices was essentially an adware application that attempts to get user credentials and receive Android permissions to flood the compromised device with advertisements.
In later waves of the campaign, the hackers substituted the delivered payload with one vastly expanded tool kit dubbed TikTok Pro Malware. This new threat is fully-functional spyware that can extract private data from the compromised devices. Upon installation, the malware threat pretends to be the TikTok application, although the name used by it is TikTok Pro. When the user executes it, the TikTok Pro Malware displays a fake notification designed to distract the user while the threatening application hides its icon and disappears from the device's screen. Another anti-detection technique employed by the TikTok Pro malware is the use of a second decoy payload that doesn't possess any functionality. The dummy payload is stored at the /res/raw/ directory.
The TikTok Pro Malware has Unique Facebook Phishing Functions
The TikTok Pro is a powerful spyware that leverages the Android service called MainService to carry out a multitude of insidious actions: collect SMS messages and the device's location, send SMS messages and initiate phone calls, capture photos and screenshots of the device's screen, execute commands, and start other applications, etc. All collected data is placed in external storage at the /DCIM/.dat/ directory.
Apart from the typical features found in most sophisticated spyware threats, the TikTok Pro is equipped with the unique functionality to collect Facebook credentials through methods similar to phishing. Users are presented with fake Facebook login page that stores any credentials inputted into it at /storage/0/DCIM/.fdat immediately. It should be noted that the same tactic could be modified to target banking credentials or other details easily. All collected data is sent to the Command-and-Control (C2) infrastructure set up by the hackers.
No matter how desperate users could be to gain access to a certain application, it is paramount to remember that downloading any application from a dubious or suspicious source is extremely threatening.