
Girl flags massive iOS ad scam campaign targeting kids

A tip from a child helped security researchers discover an aggressive scam and adware campaign on both iOS and Android that was being promoted on TikTok and Instagram.

Researchers from Avast Security discovered the malicious apps when a girl found a TikTok profile that appeared to be promoting an abusive app and reported it. The apps had been downloaded a combined 2.4 million times on the App Store and Google Play.

The apps posed as platforms for entertainment, music downloads, or wallpapers. They served intrusive ads, even when they weren't open in the foreground. And according to the report from Avast, they also used sly tactics to prevent users from uninstalling them.

Avast classified the apps as HiddenAds trojans, a category of trojan "that disguises itself as a safe and useful application but instead serves intrusive ads outside of the app, and hides the original app icon making it difficult for users to identify where the ads are being served from." Some of them also charged high prices for a download, between $5 and $10.

Many of the fraudulent apps were being promoted by a handful of TikTok and Instagram users, one of which had more than 300,000 followers. According to data from analytics firm SensorTower, the campaign netted more than $500,000 for the person or people behind the scam.

"We thank the young girl who reported the TikTok profile to us, her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place," said Avast threat analyst Jakub Vavra.

The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.

"It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them," Vavra said.

Google has reportedly removed the apps from the Google Play Store. But as of the writing of this article, many of the fraudulent iOS apps are still available on the App Store.



19 Comments

ihatescreennames 19 Years · 1977 comments

How does “serving ads outside of the app” work? I don’t think I have seen that happening myself so I’m having a little trouble wrapping my head around it. Wouldn’t an app only be able to display an ad in the app?

sflocal 16 Years · 6138 comments

I personally feel that Apple is not taking the security of its users seriously in action, compared to what its marketing department says.

Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store. That's a hard, if not impossible, task, but come on Apple. The last thing Apple needs is damaged trust.

Without consequences, they will continue doing it. There is just so much garbage out there.

ihatescreennames 19 Years · 1977 comments

sflocal said:
I personally feel that Apple is not taking the security of its users seriously in action, compared to what its marketing department says.

Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store. That's a hard, if not impossible, task, but come on Apple. The last thing Apple needs is damaged trust.

Without consequences, they will continue doing it. There is just so much garbage out there.

You say hard to impossible; I totally agree. Maybe they are doing that sort of thing and just not touting it.

As to the "hard to impossible" side of it, consider this: I have one game on my phone that I play a couple of times a day. It has a "league" where it's possible to compete with other players, but doing so requires signing in using a Facebook or Google account, neither of which I have. The latest update for the game came out yesterday and there is still no way to use "Sign In with Apple", which I thought was supposed to be a requirement by now. Clearly, Apple has not caught that in this app, or I don't fully understand what the requirements around SIwA are. But if they haven't caught that, which seems relatively easy on the surface, then it must be much, much harder to catch the sort of app that this article references.

razorpit 17 Years · 1793 comments

How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.

JinTech 9 Years · 1061 comments

This girl deserves a scholarship for her good work.