A tip from a child helped security researchers discover an aggressive scam and adware campaign on both iOS and Android that was being promoted on TikTok and Instagram.
Researchers from Avast Security discovered the malicious apps when a girl found a TikTok profile that appeared to be promoting an abusive app and reported it. The apps had been downloaded a combined 2.4 million times on the App Store and Google Play.
The apps posed as platforms for entertainment, music downloads, or wallpapers. They served intrusive ads, even when they weren't open in the foreground. And according to the report from Avast, they also used sly tactics to prevent users from uninstalling them.
Avast classified the apps as HiddenAds trojans. The trojan "that disguises itself as a safe and useful application but instead serves intrusive ads outside of the app, and hides the original app icon making it difficult for users to identify where the ads are being served from." Some of them also charged high prices for a download, between $5 to $10.
Many of the fraudulent apps were being promoted by a handful of TikTok and Instagram users, one of which had more than 300,000 followers. According to data from analytics firm SensorTower, the campaign netted more than $500,000 for the person or people behind the scam.
"We thank the young girl who reported the TikTok profile to us, her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place," said Avast threat analyst Jakub Vavra.
The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.
"It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them," Vavra said.
Google has reportedly removed the apps from the Google Play Store. But as of the writing of this article, many of the fraudulent iOS apps are still available on the App Store.