iOS and Android scam apps spreading via TikTok

Jakub Vávra 22 Sep 2020

Rogue TikTok accounts are promoting adware scam apps posing as “Shock Roulette” and “Wallpaper” apps

When a 12-year-old girl in the Czech Republic suspected that something was off with a popular app that was circulating on TikTok, she knew what to do — report it to Avast. The Avast team followed up and found a total of seven adware scam apps that were available on both the Google Play Store and the Apple App Store. The apps have been downloaded more than 2.4 million times and are reported to have earned their creators around $500,000.

The Avast team found at least three profiles that are aggressively pushing the apps on TikTok, one of which has more than 300,000 followers. They also found an Instagram profile with more than 5,000 followers promoting one of the apps. Avast has reported the apps to Apple and Google and the accounts to TikTok and Instagram. 

The young person who reported the original scam app participated in Avast’s Be Safe Online project, which goes into Czech middle schools and teaches young people about online safety and how to advocate for themselves. Using the skills she learned in the program, the young lady was able to identify and report the scam directly to Avast.

Further reading: releases Covid-19 Threat Intelligence telemetry for the public

“This is a great example of this kind of education working,” Whitney Glockner Black, Communications Director at Avast, says. “Teach kids how to spot the bad things and they’ll spot them and report them.”

The apps are specifically targeted to young people, in the form of games, wallpaper, and music downloaders. The scams come in the form of either charging $2 to $10 for a service that doesn’t meet that price point — including causing the phone to vibrate, a wallpaper, or access to music — or in the form of aggressive ads. Some are HiddenAds trojans, which are apps that appear to be legitimate, but actually only exist to serve up advertisements outside of the app. HiddenAd trojans also have a built in hide-app timer, making it difficult to determine where the advertisements are coming from.

“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed,” Jakub Vávra, threat analyst at Avast, says. “It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them.”

Here are some tips on how kids and adults alike can protect themselves from scam apps

Pay attention to reviews

Sometimes other users will have identified the problem in a scam app before you even get there. When that happens, they’ll likely leave a negative review — so it’s worth it to give the reviews a quick scan and see what other people have to say before downloading. 

Additionally, the Avast team “also noticed the app developers have more apps, with very low downloads and reviews, but the handful of reviews they have are extremely positive and enthusiastic, which can also be a sign that something is suspicious,” Vávra says.

Be critical about price points

Before you pay for an app, ask yourself exactly what you’re paying for. A price point that’s out of line with the actual product being delivered is a good sign that the app is a scam.

“Many of these apps offer basic or unrealistic features, like simple games that claim to shock players, or wallpapers for around $8, a high amount considering games and features like this are often offered for free by other developers,” says Vávra.

Check permissions

Apps need various permissions in order to deliver whatever service they’re promising. So, for example, Google Maps needs your location — because that’s how it can tell you where to go. But one way that bad actors gain access to our devices is by asking for permissions they don’t need. It’s against both Google and Apple’s rules, but some do sneak through.

“The Android app ‘ThemeZone - Shawky App™’ requests access to a device’s external storage, which can include photos, videos, and files, depending on how the storage is used,” Vávra says. “Accessing external storage is not a must for a wallpaper app.”

So rather than just tapping “Allow,” the next time a new app asks for certain permissions, take a minute to think about whether or not it really needs that access. Does a weather app need to access your microphone? Nope. Does a wallpaper app need to access your storage? Nope. That’s a sign the app is likely a scam.

Talk about download safety

And, perhaps most importantly, talk to your kid about download safety. Educate yourself on the signs of scam apps and then share that info with your kids. You might even want to consider instituting a rule that your kids get permission before downloading anything — to not only avoid scams but also, “avoid potential unnecessary costs,” Vávra says. Learn more about our programs educating and keeping children safe online on our responsibility page.

Pushing back against bad actors online requires that we all participate — from 12-year-old middle school students to parents who are still aren’t quite sure what’s so appealing about TikTok. Educate, be aware, and report anything that looks suspicious and we can create a safer, more fun internet for everyone.

Related articles

--> -->