Malicious mobile apps can pose a problem for any smartphone owner. Such apps typically masquerade as legitimate programs in an attempt to entrap unsuspecting downloaders with malware, adware, and other threats. A new series of malicious apps built for both iOS and Android is being promoted by rogue TikTok accounts in an effort to reach a wide audience.
In a blog posted on Tuesday, security provider Avast explained how these malicious scam apps work.
The apps are aimed at young people by impersonating games, wallpaper, and music downloaders. To scam unsuspecting users, the apps in some cases charge $2 or $10, ostensibly for a service that is not worth that amount of money.
In other cases, the apps act as HiddenAds trojans, which are programs that appear legitimate but exist only to serve ads outside of the app. These HiddenAds trojans also use timers to hide themselves at different periods, making it harder to trace the source of the ads.
Digging further, Avast found at least three TikTok profiles aggressively pushing the apps, one of which has more than 300,000 followers. An Instagram profile with more than 5,000 followers was also found promoting the apps.
Among the seven different such apps available on both the Google Play Store and the Apple App Store, Avast discovered that they’ve been downloaded more than 2.4 million times and reportedly have earned their cybercriminal developers around $500,000.
The initial scam app was reported to Avast by a 12-year-old girl in the Czech Republic who thought it was suspicious, according to the company. The girl had participated in Avast’s Be Safe Online project, which teaches young people in the Czech Republic about online safety and shows them how to report a scam to the company.
The seven malicious apps identified by Avast are: 1) ThemeZone – Shawky App Free – Shock My Friends, 2) Tap Roulette ++Shock my Friend, 3) Ulimate Music Downloader – Free Download Music, 4) Shock My Friends – Satuna, 5) 666 Time, 6) ThemeZone – Live Wallpapers, and 7) shock my friend tap roulette v. All the apps have since been removed with the exception of Tap Roulette ++Shock my Friend, which is still available on Google Play.
The accounts used to promote the apps are: 1) 7odestar (TikTok), 2) Dejavuuu.es3 (TikTok), 3) Marina90lazina (TikTok), and 4) Shockmyfriends.app (Instagram). All three TikTok accounts have been taken down, but the Instagram account is still up.
Avast said it reported the malicious apps to Apple and Google and the accounts that promote them to TikTok and Instagram.
“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed,” Jakub Vávra, threat analyst at Avast, said in a press release. “It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them.”
To help smartphone users avoid malicious scam apps, Avast offers the following tips:
Pay attention to reviews. Sometimes other users will have identified the problem in a scam app before you even get there. When that happens, they’ll likely leave a negative review. Give the reviews a quick scan and see what other people have to say before downloading.
Watch out for low downloads and positive reviews. In some cases, developers of malicious programs have multiple apps, each with very few downloads or reviews. Yet the small number of reviews are all overwhelmingly positive and enthusiastic, a sign of something suspicious, according to Vávra.
Be critical about price points. Before you pay for an app, ask yourself exactly what you’re paying for. A price point that’s out of line with the actual product being delivered is a good sign that the app is a scam. Apps posing as simple programs such as games and wallpapers may carry a price tag of around $8, an unrealistic amount considering that similar legitimate apps are typically free, according to Vávra.
Check permissions. Apps need various permissions to deliver whatever service they’re promising. For example, Google Maps needs your location, as that’s how it can tell you where to go. But one way bad actors gain access to devices is by asking for permissions they don’t need. The next time a new app asks for certain permissions, take a minute to think about whether or not it really needs that access.
“The Android app ‘ThemeZone – Shawky App’ requests access to a device’s external storage, which can include photos, videos, and files, depending on how the storage is used,” Vávra said. “Accessing external storage is not a must for a wallpaper app.”
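The same permission check, written as a small review script, is added here as an example; it is not Avast's tooling or code from the article. The manifest and the per-category allowlist below are constructed for illustration and model the wallpaper-app case Vávra describes.

```python
"""Flag Android permissions that fall outside what an app's declared category plausibly needs."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed allowlist for the example: what a simple wallpaper app can justify requesting.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER", "android.permission.INTERNET"},
}

# Constructed manifest (placeholder package name): a wallpaper app that also asks
# for external storage, the pattern the article calls out as unnecessary.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.wallpaper.placeholder">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    # ElementTree exposes namespaced attributes in Clark notation: {namespace}name
    return [el.get("{%s}name" % ANDROID_NS, "") for el in root.iter("uses-permission")]


def unexpected_permissions(manifest_xml: str, category: str) -> list:
    """Requested permissions that the category's allowlist does not cover, sorted."""
    allowed = EXPECTED[category]
    return sorted(p for p in requested_permissions(manifest_xml) if p not in allowed)


if __name__ == "__main__":
    for perm in unexpected_permissions(SAMPLE_MANIFEST, "wallpaper"):
        print("review:", perm)
```

Run against a real manifest (for example one exported with aapt or apktool), the output is a review list, not a verdict: a flagged permission means "ask why", as the article advises.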