Attackers are creating fake links for the video-sharing application TikTok that contain malware to capture users’ data.
According to Money Control, police in India have issued a warning about TikTok links, after links were sent through WhatsApp and SMS.
The attackers promote a ‘professional’ version of TikTok to Indian users, after the application was banned in the country earlier this year.
Christoph Hebeisen, director of security intelligence at Lookout, said: “When legitimate, popular channels to acquire a popular app are blocked for whatever reason, it presents an opportunity for malicious actors to lure victims by promising a way around the restriction.
“The removal of the TikTok app from both Google Play and the Apple App Store in India has created a similar situation. Users should limit their risk by only installing apps from the official app stores and using mobile security as an added layer of protection.”
The message was first spotted by Times of India and it read: “Enjoy Tiktok video and create creative videos once again. Now TikTok is only available in (TikTok Pro) then download from below.” This message has a link to download the TikTok Pro APK file.
After downloading, the app icon appears as the TikTok app and asks for permission to access functions including the camera, image gallery and microphone. After you provide these permissions, the app doesn’t function and simply stays on your phone.
Chris Hauk, consumer privacy champion at Pixel Privacy, said phishing attacks like these will continue to prove fruitful until users are educated on the risks of clicking links in text messages, WhatsApp messages and emails. “When users are looking to download apps like TikTok they will find that legitimate sources of the apps will not ask for personal or financial information before allowing them to download a free app,” he said.
“As for myself, I would also be concerned as to what TikTok does with my data after I install the app, as it has been found to spy on the clipboard on iOS devices.”