Hackers Installing Spyware on Android Devices That Masquerading as TikTok”Pro”

Recently, the security researchers have uncovered a new Android spyware campaign in which they found that hackers are using a “Pro” version of the TikTok app to install spyware on Android devices. 

Recently India banned a TikTok App by taking a huge step against Chinese technology dominance in India and ensure national security and protect the privacy of billions of Indians.

In this malicious campaign, the experts have discovered that hackers are exploiting fears in users that TikTok is going to be banned in the United States. 

Beware of TikTok Pro

After the news, President Trump and security experts started to worry that TikTok might be a spyware, but here, a bogus “TikTok Pro” Android app is the exceeding the trait. 

The main motto of this Tik Tko pro app is to steal all text messages, photos, locations, Facebook passwords, and take screenshots. Moreover, it can also click into your microphone, make calls, send texts, and originate many other apps as well.

The security researchers from Zscalar stated that the users must beware of the Tik Tok Pro, as this spyware app is being backed and supported by the threat actors. However, the threat actors are using a modification of a campaign now, and they are making the rounds already.

MainActivity and MainService

The MainActivity of the spyware lights up, exerting care of protecting the icon and displaying all the fake notification. Not only this, but it also starts an Android service named MainService. That’s why on the other side, once the spyware stores, it begins an Android service that is named MainService.

Android services are the elements that can be performed to administer separately in the background, outwardly the victim’s awareness. The researchers said that the MainService is the head of this spyware and regulates all its operations from stealing the user’s data to deleting it.

Technical Details of TikTok Pro

The technical details of this spyware are mentioned below:- 

  • App Name: TikTok Pro
  • Hash: 9fed52ee7312e217bd10d6a156c8b988
  • Package Name: com.example.dat.a8andoserverx

Broadcast Receivers

In this campaign, the threat actors have used multiple tricks and ideas, and among all these tricks, Android’s broadcast receivers are one of them. Broadcast receivers are elements that enable you to designate multiple Android issues. 

In the case of Tik Tok Pro, it registers three broadcast receivers, and here they are mentioned below:-

  • MyReceiver – It comes when the device is booted.
  • Intercept Call – It comes on incoming and outgoing calls.
  • AlarmReceiver – It is applied in every three minutes.

Capabilities of MainService

The MainService is the primary manager of this spyware, as it handles every functionality that is based on the commands conveyed by the command and control (C&C) server.

There are some capabilities of MainService that we have mentioned below:-

  • Rob SMS messages
  • Send SMS messages
  • Steal the victim’s location
  • Capturing photos
  • Perform commands
  • Capture screenshots
  • Call phone numbers
  • Start other apps
  • Steal Facebook credentials.

Commands Purveyed by The C&C server

There is a list of all the commands catered by the C&C server that we have mentioned below:-

UnistxcrStart the app
dowsizetrSend the file kept in the /sdcard/DCIM/.dat/ directory to the C&C server
CaspylistxHave a full list of all hidden files in the /DCIM/.dat/ directory
spxcheckCheck whether the spyware collects call details
S8p8y0Remove all call details that is kept by the spyware
screXmexTake a screenshots of the device screen
BatrxiopsExamine the battery status
L4oclOCMAWSGet the victim’s location
GUIFXBCreate a fake Facebook login page
IODBSSUEEZTransfer a file having stolen Facebook credentials to the C&C server
FdelSRRTRemove the files having the stolen Facebook credentials
chkstzeawInstall Facebook
LUNAPXERInstall the apps according to the package name transferred by the C&C server
GapxplisterHave a full list of all installed applications
DOTRall8xxeGet all the stolen files and kept in the /DCIM/.dat/ directory
AcouxacourHold a full list of accounts on the victim’s device
FimxmiisxIniti the camera
Scxreexcv4Click an image
micmokmi8xRecord an audio
YufssspHave a latitude and longitude
GExCaalsss7Have call logs
PHOCAs7Call phone numbers sent by the C&C server
GxextsxmsHave a list of inbox SMS messages
MsppossagTransfer SMS with a message body that is sent by the C&C server
GetconstactxHave a list of all contacts
RinxgosaPlay a ringtone
bithsssp64Performs all commands that are sent by the C&C server
DOWdeletxRemoves all the file implemented by the C&C server
Deldatall8Remove all files stored in the /sdcard/DCIM/.dat/ directory

Apart from this, the security researchers have asserted that this spyware came with various functions that involve Facebook Phishing, Calling functionality, and stealing SMS, but there are many more functionalities available that allows this spyware to perform further operations.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Also Read: TikTok Secretly Sent Users Sensitive Private Data & PII Number to Chinese Server Including Draft Videos

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.