TikTok’s days as a viable social media platform might be numbered, at least in the U.S. (unless something changes before Trump’s recent executive order kills it for good), but the app still works for now, and its massive user base is as active as ever. And that includes shady app developers who are using the platform to spread scams and malware.
A child in the Czech Republic recently reported a suspicious app and the accounts distributing it to Avast’s Be Safe Online program, prompting a deeper investigation. Avast found numerous TikTok and Instagram profiles being used to promote malicious apps. Some install adware on your device, and others attempt to scam people into making unnecessary in-app purchases. They’re easy to trace, though, as they were all made or distributed by the same developers on iOS and Android.
The shady apps Avast discovered include:
- Tap Roulette ++Shock my Friend
- ThemeZone – Shawky App Free – Shock My Friends
- Ultimate Music Downloader – Free Download Music
- 666 Time
- shock my friend tap roulette v
- Shock My Friends – Satuna
- ThemeZone – Live Wallpapers
These apps have many of the hallmarks of fake or malware-laden products: incomprehensible SEO-padded titles, redundant or unnecessary features, and in-app purchases for content that’s freely available elsewhere. Avast also found at least three TikTok accounts and one Instagram account promoting the apps, some of which had over 300,000 followers.
As Avast writes:
“The apps are specifically targeted to young people, in the form of games, wallpaper, and music downloaders. The scams come in the form of either charging $2 to $10 for a service that doesn’t meet that price point — including causing the phone to vibrate, a wallpaper, or access to music — or in the form of aggressive ads. Some are HiddenAds trojans, which are apps that appear to be legitimate, but actually only exist to serve up advertisements outside of the app. HiddenAd trojans also have a built-in hide-app timer, making it difficult to determine where the advertisements are coming from.”
Apple and Google will likely ban the apps from their stores, which will prevent them from being installed on most devices (you’ll need to delete them manually if they were sideloaded), and the TikTok and Instagram accounts will probably be removed if they weren’t already.
That doesn’t mean the threat is gone, though. Unfortunately, TikTok, Instagram, and other social media platforms are easy avenues for distributing scams, malware, and phishing campaigns, so threats like these will probably always exist.
It’s ultimately up to you to keep yourself safe, but you might want to reach out to the younger, hipper, more TikTok/’gram-crazy members of your household to give them a helpful refresh on device security. Those more prone to blindly tapping prompts on their devices could benefit from a lesson about permissions, too: what different kinds of apps typically should be asking to access in order to do whatever they are supposed to do, and what requests are red flags for potential security and privacy violations. If an app requests a lot of money to enable a pointless feature, that’s a good sign it’s a scam, too.
If you need a refresher, we have assembled tips for spotting shady apps, phishing schemes, malware, and other online scams. If you’re a parent, make sure you’re always including data security and malware in your discussions of internet safety with your children.