On 29th June 2020, Government of India banned Android apps of Chinese origin from being used in the country citing safety and privacy issues. This list included TikTok, a video-sharing social networking application installed over millions of devices in India.

The cybercriminals are now taking advantage of users’ attraction and interest towards TikTok to deliver malware, yet another incident to add. Our researchers saw an increased number of detection reports in the name of the banned TikTok app since the end of July 2020, on sifting through our Telemetry data as shown in Figure 1. This ad scammer threat targets Jio users. 

Figure 1: Example Telemetry Data showing detection for Fake TikTok app

The fake TikTok app has the code within itself to spread via smishing messages as shown in Figure 2.

Figure 2: Spam SMS Message Content using CyberChef

When the user clicks on the link in the SMS, the fake TikTok APK is downloaded to the user’s device as shown in Figure 3.  

Figure 3: Phishing link for Fake Tiktok_Pro

At the time of writing this blog, these apps were observed to do nothing more than displaying advertisements to the users. Once installed, the fake Tiktok_Pro app displays a message to the user and asks the victim to enter username and password as shown in Figure 4. A point to note is that there is no validation done for the same and any username and password can be entered by the user, an effort just to trick the victim to trust the app. Probability is that a user might tend to enter his/her already registered TikTok (original) credentials instead of fake credentials as soon as they see TikTok. 

Figure 4: Prompts the User to Click on the Ad

Figure 5 shows requests sent to Jio’s official recharge APIs to verify if that is a Jio subscriber and to check the validity of the victim’s Jio phone number(s), This clearly shows that this malware has targeted only the Jio users.

Figure 5: Verification of victim’s subscribed network via Jio’s official Recharge APIs 

As explained in one of our earlier blog, this fake app further spreads by collecting the contact information from the victim’s device and forwarding a text message to all of the Jio numbers in the victim’s contact list as shown in Figure 6.

Figure 6:  Code to confirm a Jio Number in the victim’s contact list

Smishing message that is sent to the victim’s contact list is carried with the code as a TripleDES encrypted string as shown in Figure 7.

Figure 7: TripleDES Encrypted String

The message gets decrypted as shown in Figure 8 before it reaches the victim (Jio user).

Figure 8: Decrypted SMS Message from CyberChef interface

As mentioned earlier, these fake apps are just ad scammers, as of now, that force the user to click on the ad thereby generating revenue for the threat actors. K7 Mobile Security users have protection against these kinds of mobile threats. Android users are requested to install the latest version of K7 Mobile Security and keep it updated to protect themselves from the latest threats. Also, we recommend Android users to avoid believing in and installing applications from third party links. 

Indicators of Compromise (IoCs)

Package name HashDetection Name
Tiktok-Pro.apk cff71f90d9b04380483446eb862bdfef Trojan ( 0056adce1 )
Tiktok-Pro.apk a48aebeb2259e4f3d71205176b889dfeTrojan ( 00563cc21 )
Tiktok-Pro.apk af9d792c605f3e9a062629b9cf983109Trojan ( 00563cc21 )
Tiktok-pro.apk edb563fdcab0ab0580fdeefad6fff9adTrojan ( 00563cc21 )

Like what you're reading? Subscribe to our top stories.

If you want to subscribe to our monthly newsletter, please submit the form below.

    0 replies on “Fake TikTok App Targets Android Users”