Recently, the security researchers have uncovered a new Android spyware campaign in which they found that hackers are using a “Pro” version of the TikTok app to install spyware on Android devices.
Recently India banned a TikTok App by taking a huge step against Chinese technology dominance in India and ensure national security and protect the privacy of billions of Indians.
In this malicious campaign, the experts have discovered that hackers are exploiting fears in users that TikTok is going to be banned in the United States.
Beware of TikTok Pro
After the news, President Trump and security experts started to worry that TikTok might be a spyware, but here, a bogus “TikTok Pro” Android app is the exceeding the trait.
The main motto of this Tik Tko pro app is to steal all text messages, photos, locations, Facebook passwords, and take screenshots. Moreover, it can also click into your microphone, make calls, send texts, and originate many other apps as well.
The security researchers from Zscalar stated that the users must beware of the Tik Tok Pro, as this spyware app is being backed and supported by the threat actors. However, the threat actors are using a modification of a campaign now, and they are making the rounds already.
MainActivity and MainService
The MainActivity of the spyware lights up, exerting care of protecting the icon and displaying all the fake notification. Not only this, but it also starts an Android service named MainService. That’s why on the other side, once the spyware stores, it begins an Android service that is named MainService.
Android services are the elements that can be performed to administer separately in the background, outwardly the victim’s awareness. The researchers said that the MainService is the head of this spyware and regulates all its operations from stealing the user’s data to deleting it.
Technical Details of TikTok Pro
The technical details of this spyware are mentioned below:-
- App Name: TikTok Pro
- Hash: 9fed52ee7312e217bd10d6a156c8b988
- Package Name: com.example.dat.a8andoserverx
In this campaign, the threat actors have used multiple tricks and ideas, and among all these tricks, Android’s broadcast receivers are one of them. Broadcast receivers are elements that enable you to designate multiple Android issues.
In the case of Tik Tok Pro, it registers three broadcast receivers, and here they are mentioned below:-
- MyReceiver – It comes when the device is booted.
- Intercept Call – It comes on incoming and outgoing calls.
- AlarmReceiver – It is applied in every three minutes.
Capabilities of MainService
The MainService is the primary manager of this spyware, as it handles every functionality that is based on the commands conveyed by the command and control (C&C) server.
There are some capabilities of MainService that we have mentioned below:-
- Rob SMS messages
- Send SMS messages
- Steal the victim’s location
- Capturing photos
- Perform commands
- Capture screenshots
- Call phone numbers
- Start other apps
- Steal Facebook credentials.
Commands Purveyed by The C&C server
There is a list of all the commands catered by the C&C server that we have mentioned below:-
|Unistxcr||Start the app|
|dowsizetr||Send the file kept in the /sdcard/DCIM/.dat/ directory to the C&C server|
|Caspylistx||Have a full list of all hidden files in the /DCIM/.dat/ directory|
|spxcheck||Check whether the spyware collects call details|
|S8p8y0||Remove all call details that is kept by the spyware|
|screXmex||Take a screenshots of the device screen|
|Batrxiops||Examine the battery status|
|L4oclOCMAWS||Get the victim’s location|
|GUIFXB||Create a fake Facebook login page|
|IODBSSUEEZ||Transfer a file having stolen Facebook credentials to the C&C server|
|FdelSRRT||Remove the files having the stolen Facebook credentials|
|LUNAPXER||Install the apps according to the package name transferred by the C&C server|
|Gapxplister||Have a full list of all installed applications|
|DOTRall8xxe||Get all the stolen files and kept in the /DCIM/.dat/ directory|
|Acouxacour||Hold a full list of accounts on the victim’s device|
|Fimxmiisx||Initi the camera|
|Scxreexcv4||Click an image|
|micmokmi8x||Record an audio|
|Yufsssp||Have a latitude and longitude|
|GExCaalsss7||Have call logs|
|PHOCAs7||Call phone numbers sent by the C&C server|
|Gxextsxms||Have a list of inbox SMS messages|
|Msppossag||Transfer SMS with a message body that is sent by the C&C server|
|Getconstactx||Have a list of all contacts|
|Rinxgosa||Play a ringtone|
|bithsssp64||Performs all commands that are sent by the C&C server|
|DOWdeletx||Removes all the file implemented by the C&C server|
|Deldatall8||Remove all files stored in the /sdcard/DCIM/.dat/ directory|
Apart from this, the security researchers have asserted that this spyware came with various functions that involve Facebook Phishing, Calling functionality, and stealing SMS, but there are many more functionalities available that allows this spyware to perform further operations.