ADF STAFF
With 1 billion users, TikTok has become one of the fastest-growing apps in the world. It holds nearly 32% of the social media market in Nigeria and has doubled its user base in South Africa to about 10 million.
But cybersecurity experts are warning that the Chinese-developed app is also used to harvest data from its users.
Analysts say the app collects more data than it needs, including contact lists and calendars, and scans local storage. It also checks the user's location roughly every hour, which poses a security risk if the app is installed on smartphones carried by military or government officials.
“When the app is in use, it has significantly more permissions than it really needs,” Robert Potter, co-CEO of the cyber security group Internet 2.0 and an editor of a report on TikTok, told The Guardian. “It grants those permissions by default.”
If users deny TikTok access to parts of their phones, it keeps asking for that access.
“If you tell Facebook you don’t want to share something, it won’t ask you again,” Potter said. “TikTok is much more aggressive.”
Potter’s report labeled the app’s data collection practices “overly intrusive” and questioned their purpose. Internet 2.0’s own research shows the Chinese government can access the data TikTok collects.
“The application can and will run successfully without any of this data being gathered,” it concluded. “This leads us to believe that the only reason this information has been gathered is for data harvesting.”
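One way to test a "more permissions than it needs" claim against any app is to read the permissions its APK declares and compare them with what an app of that type plausibly requires. The script below is an added example written for this page; it is not code from Internet 2.0, TikTok or the article's authors. The manifest it parses is constructed for illustration and is not TikTok's, and the "expected for a video app" baseline is an assumption. On a real APK the manifest can be dumped with `apkanalyzer manifest print app.apk` from the Android SDK (or `aapt dump permissions app.apk`), and whether each runtime permission is currently granted can be read from `adb shell dumpsys package <package>`.

```python
"""Audit the permissions an Android app declares against what its job requires.

Added example for this page, not the article's or any vendor's code. The sample
manifest is constructed for illustration and does not come from any real app.
"""
import xml.etree.ElementTree as ET

# Attributes on <uses-permission> live in the android: namespace; the element itself does not.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android "dangerous" (runtime-granted) permissions, grouped by the data they expose.
# Only the groups relevant to the concerns in the article are listed here.
DANGEROUS = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.WRITE_CONTACTS": "contacts",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.WRITE_CALENDAR": "calendar",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "storage",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_PHONE_STATE": "phone",
    "android.permission.READ_SMS": "sms",
}

# Assumption for this example: a short-video app needs to record and store clips, nothing more.
EXPECTED_FOR_VIDEO_APP = {"camera", "microphone", "storage"}

# Constructed manifest for illustration only; the package name and permission set are invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_BACKGROUND_LOCATION"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the sorted list of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def audit(manifest_xml, expected_groups):
    """Compare the requested dangerous permissions with the groups this kind of app needs."""
    perms = declared_permissions(manifest_xml)
    by_group = {}
    for perm in perms:
        group = DANGEROUS.get(perm)
        if group is not None:
            by_group.setdefault(group, []).append(perm)
    # Any dangerous group outside the expected set is the thing to question.
    excess = {g: ps for g, ps in by_group.items() if g not in expected_groups}
    return {
        "declared": perms,
        "dangerous_by_group": by_group,
        "excess": excess,
        # Background location lets an app poll position while it is not on screen.
        "background_location": "android.permission.ACCESS_BACKGROUND_LOCATION" in perms,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MANIFEST, EXPECTED_FOR_VIDEO_APP)
    print("Declared:", ", ".join(result["declared"]))
    for group, perms in sorted(result["excess"].items()):
        print(f"Unexpected {group} access: {', '.join(perms)}")
    if result["background_location"]:
        print("Requests background location: can track the user while the app is closed")
```

Two caveats apply to any such audit. Since Android 6, dangerous permissions are granted at runtime, so a manifest shows what the app may ask for, not what the user has allowed; `dumpsys package` shows the current grant state. And a manifest says nothing about how often a granted permission is exercised, so a claim such as hourly location checks can only be confirmed by observing the device, for example through Android's privacy dashboard or permission-usage logs.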
TikTok's weak moderation leaves it open to malicious actors and scam artists, according to cybersecurity researcher Satnam Narang, writing for the security company Tenable.
The Invisible Body Challenge — one of many that appear on TikTok — is an example of the risk TikTok users face.
The filter hides the user's body in a video, rendering them "invisible." But there is a hitch: the challenge became a trend for people to film themselves naked behind the filter. That led online scammers to offer a separate app, promoted as a way to "unfilter" Invisible Body videos and see the people in them naked.
Instead of seeing Invisible Body players without their clothes, users of the "unfilter" app find their devices have been raided by the WASP stealer malware, which steals passwords, banking information, and personal details.
As of mid-January, videos using the Invisible Body effect had nearly 43 million views. Videos promoting the "unfilter" malware reached a million views within a few days of launching, according to the software security company Checkmarx, which raised the alarm.
The Nigerian Communications Commission's Computer Security Incident Response Team recently issued a warning to the country's 163 million smartphone users about the threat posed by the "unfilter" app. With Africa's largest number of people online, Nigeria ranks among the continent's top countries where citizens are both producing and being victimized by internet scams. The source of the "unfilter" malware is unclear.
“This malware may be capable of covertly collecting screenshots, video recordings, or the ability to activate any connected camera or microphone,” the agency said in its public warning.
The agency also advised smartphone owners to protect themselves by:
- Not clicking on suspicious links.
- Keeping anti-malware software on their devices.
- Checking their phones for unusual apps and removing any they don’t remember installing.
- Using a password manager to protect their passwords from malware, such as the "unfilter" app, that can record keystrokes.
The Invisible Body warning is the latest criticism of TikTok, which has more than 1 billion users worldwide.
The creators of the "unfilter" app have played a cat-and-mouse game with security researchers. Each time their malware is taken down from a server, they upload a different version or hide the malicious code elsewhere in the app's files.
“By offering a potential tool that could ‘unfilter’ the [Invisible Body] effect, threat actors prey on people’s curiosity, fear, and even their malicious side to download it,” Jamie Akhtar, CEO of the cybersecurity company CyberSmart, said in a statement. “Of course, by then they’ll learn the attackers’ claims are false and malware is installed.”