Analysis of TikTok Scam

Unmasking the TikTok Scam

Introduction:

After the Indian Government's ban on TikTok, scammers are using the ban as an opportunity to distribute a piece of malware named "TikTok Pro". Many users reported receiving an SMS from friends or other contacts asking them to download the app. Recently, Telangana Police and Maharashtra Cyber Cell tweeted about this incident. This blog post is my technical analysis of the malware sample spreading via SMS.

Maharashtra Cyber Cell Advisory



Technical Analysis:

Main Activity:

Once the app is downloaded and executed, it starts MainActivity, sleeps for 2000s and then calls the login class, which shows a login form that looks similar to the official TikTok app's.

Main Activity

Login.Class:

After the login class is called, the app checks for all the required permissions. If the check passes, it displays a login form that accepts any username and password longer than 3 characters, shows a fake "Checking Username and Password..." message and calls the loadnextAd() function.

Required Permissions


Login Form

The loadnextAd() function starts the AppLovin ad listener and displays a full-screen ad on the phone that must be watched to the end before the app proceeds.

Load Ad

While the ad is on screen, the app starts two services in the background by calling Act.class and Special.class.

Act.Class:

The Act class is the main module of the malware: it spreads the malware by sending text messages to the infected user's contacts.
This class contains a string encrypted with TripleDES using the key "ThisIsSpartaThisIsSparta". The string is nothing but the message sent by SMS to the contacts, and it is decrypted at runtime.

Encrypted Message
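As an added example (not code from the original post), this is the decrypt step an analyst would use to recover the hard-coded SMS text from the sample's string with the key above, written in Go with the standard library's crypto/des. It assumes the sample uses ECB mode with PKCS#5 padding, the defaults of Java's Cipher.getInstance("DESede"), which the write-up does not state; the base64 ciphertext is passed on the command line and the real blob is not reproduced here.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/base64"
	"errors"
	"fmt"
	"os"
)

// SpartaKey is the key the sample uses: 24 bytes, i.e. three-key DESede.
const SpartaKey = "ThisIsSpartaThisIsSparta"

// DecryptTripleDESECB decrypts a base64 DESede/ECB/PKCS5Padding blob (the defaults of
// Java's Cipher.getInstance("DESede")); that the sample uses those defaults is assumed.
func DecryptTripleDESECB(key, b64 string) (string, error) {
	block, err := des.NewTripleDESCipher([]byte(key)) // rejects keys that are not 24 bytes
	if err != nil {
		return "", err
	}
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", errors.New("ciphertext is not base64 or not a whole number of 8-byte blocks")
	}
	pt := make([]byte, len(ct))
	for i := 0; i < len(ct); i += des.BlockSize {
		block.Decrypt(pt[i:i+des.BlockSize], ct[i:i+des.BlockSize]) // ECB: each block on its own
	}
	// Validate PKCS#5 padding (last byte n in 1..8 repeated n times) so a wrong key fails loudly.
	n := int(pt[len(pt)-1])
	if n < 1 || n > des.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad padding: wrong key or cipher mode")
	}
	return string(pt[:len(pt)-n]), nil
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: go run decrypt.go <base64 ciphertext pulled from the sample>")
		os.Exit(2)
	}
	msg, err := DecryptTripleDESECB(SpartaKey, os.Args[1])
	if err != nil {
		fmt.Fprintln(os.Stderr, "decrypt failed:", err)
		os.Exit(1)
	}
	fmt.Println(msg)
}
```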

Once decrypted, the message is the one shown in the advisory above. Whether the class sends it by SMS depends on the network operator, which it checks as shown below:

Network Operator Check


It also sends a POST request to a Jio API to check whether the user is a Jio Prime user, which decides whether it can send the SMS to the contacts.

Jio Prime Check


If every check passes, it starts sending the SMS to every phone number in the contact list.

Sending SMS


Special.Class:

Special.class loads full-screen video ads and forces the user to watch them to the end before proceeding, showing a fake message "Watch full Video and install app to activate Tiktok".


Loading Video Ads

Malware Distribution Site:

The shortened link resolves to a GitHub page where the malware was uploaded by a user "newtechnews" under the repository "Tiktok". The user has no other repositories, and the GitHub page had still not been taken down at the time of writing.

Github Page


Conclusion:

This malware is essentially an SMS worm that installs itself and spreads via SMS. Its main motive is to load ads and earn revenue by spreading to as many devices as possible. There is no trace of it stealing TikTok users' login information.

IOCs:

Hash: DE1CC17586FC8662A81A7901BE40D68CDEE95576  (Discovered by ESET)

URL: https://github[.]com/newtechnews/tiktok/blob/master/Tiktok%20Pro[.]apk
