A tip from a child helped security researchers discover an aggressive scam and adware campaign on both iOS and Android that was being promoted on TikTok and Instagram.
Researchers from Avast Security discovered the malicious apps when a girl found a TikTok profile that appeared to be promoting an abusive app and reported it. The apps had been downloaded a combined 2.4 million times on the App Store and Google Play.
The apps posed as platforms for entertainment, music downloads, or wallpapers. They served intrusive ads, even when they weren't open in the foreground. And according to the report from Avast, they also used sly tactics to prevent users from uninstalling them.
Avast classified the apps as HiddenAds trojans, a family it describes as one "that disguises itself as a safe and useful application but instead serves intrusive ads outside of the app, and hides the original app icon making it difficult for users to identify where the ads are being served from." Some of them also charged high prices for a download, between $5 and $10.
Many of the fraudulent apps were being promoted by a handful of TikTok and Instagram users, one of whom had more than 300,000 followers. According to data from analytics firm SensorTower, the campaign netted more than $500,000 for the person or people behind the scam.
"We thank the young girl who reported the TikTok profile to us, her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place," said Avast threat analyst Jakub Vavra.
The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.
"It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them," Vavra said.
Google has reportedly removed the apps from the Google Play Store. But as of the writing of this article, many of the fraudulent iOS apps are still available on the App Store.
19 Comments
How does “serving ads outside of the app” work? I don’t think I have seen that happening myself so I’m having a little trouble wrapping my head around it. Wouldn’t an app only be able to display an ad in the app?
I personally feel that Apple is not taking the security of its users seriously in action, compared to what its marketing department says.
Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store. That's a hard, if not impossible, task, but come on Apple. The last thing Apple needs is damaged trust.
Without consequences, they will continue doing it. There is just so much garbage out there.
How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.
This girl deserves a scholarship for her good work.