
A group of fraudsters is reportedly exploiting a TikTok trend called the "Invisible Challenge" to install malware on the devices of thousands of users around the world and steal their personal information.

According to researchers at Checkmarx, the threat actors post TikTok videos with links to fake software called “Unfiltered” that claims to be able to remove TikTok filters on videos shot while the actor is undressed. 

Contained within the project's files is WASP Stealer malware, which installs malicious Python packages onto the victim's device and gains access to the emails, passwords, and other personal information saved on it.
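The campaign above relies on a project whose packaging files pull in malicious Python dependencies during installation. The following added example, written for this article and not taken from Checkmarx's report or the campaign's code, shows two checks a defender can run before installing an untrusted project: flag requirements that resolve from arbitrary URLs instead of the package index, and flag a setup.py that registers custom install hooks or calls shell/exec primitives at packaging time. The sample requirements and setup.py are constructed inputs; the package names and URL in them are hypothetical.

```python
import ast

# Constructed sample inputs for demonstration (hypothetical names and URLs,
# not the files from the campaign described in the article).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
pillow>=9.0
unfiltered-helper @ https://example.invalid/dl/unfiltered-helper.whl
git+https://example.invalid/someuser/somepkg.git#egg=somepkg
"""

SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        __import__("os").system("echo hypothetical post-install hook")

setup(name="demo", cmdclass={"install": PostInstall})
'''

# Substrings that indicate a dependency fetched from somewhere other than the index.
URL_MARKERS = ("@ http", "git+", "http://", "https://", "file:")

# setuptools command classes that malicious packages commonly subclass to run
# code at install time, and call names worth a second look in packaging code.
HOOK_BASES = {"install", "develop", "egg_info", "build_py"}
SUSPICIOUS_CALLS = {"system", "popen", "Popen", "exec", "eval", "__import__", "urlopen"}


def audit_requirements(text):
    """Return (line, reason) pairs for dependencies that bypass the package index."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if any(marker in line for marker in URL_MARKERS):
            findings.append((line, "direct-URL dependency bypasses the package index"))
    return findings


def _callable_name(node):
    """Best-effort name of the thing being called or subclassed."""
    if isinstance(node, ast.Attribute):
        return node.attr
    return getattr(node, "id", "")


def audit_setup_py(source):
    """Return sorted (lineno, reason) pairs for install hooks and risky calls in setup.py."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                name = _callable_name(base)
                if name in HOOK_BASES:
                    findings.append((node.lineno, f"subclasses setuptools {name} command (custom hook)"))
        elif isinstance(node, ast.Call):
            fname = _callable_name(node.func)
            if fname in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"call to {fname}() in packaging code"))
            elif fname == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append((node.lineno, "setup() registers cmdclass (overrides install behaviour)"))
    return sorted(findings)


if __name__ == "__main__":
    for line, reason in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"requirements: {reason}: {line}")
    for lineno, reason in audit_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{lineno}: {reason}")
```

Neither check proves a package is malicious; a legitimate project may pin a Git dependency or ship a build hook. The point is that these are exactly the places where install-time code execution hides, so they deserve a manual read before running `pip install` on a repository found through a social-media link, however many stars it has.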

The now-deleted TikTok phishing videos amassed over a million views on the platform, and around 30,000 users joined a Discord server linking to the malware.

The GitHub repository hosting the malicious software also reached trending status on GitHub, as the attackers reportedly used bots and fake accounts to rapidly push up its rating on the site.

The news comes just two weeks after the FBI warned that TikTok could pose a national security threat to the US because of several concerns about how it manages data.

TikTok’s data security under scrutiny 

This latest TikTok phishing campaign comes less than two weeks after the FBI publicly raised its concerns about the safety of data on the TikTok platform, flagging the risk of foreign entities harnessing the video-sharing app to influence users and control their devices.

The owner of the TikTok platform, ByteDance, has been in talks for months with the U.S. government's Committee on Foreign Investment in the United States (CFIUS) to reach a national security agreement protecting the data of TikTok's growing 100 million U.S. user base.


TikTok executive Vanessa Pappas told the U.S. Congress in September that TikTok had made "progress toward a final agreement with the U.S. government to further safeguard U.S. user data and fully address U.S. national security interests."

But cybersecurity experts are concerned that the platform is unable to fully protect its users' data, leaving many of them exposed to cyber attacks.

“Most attacks on TikTok involve social engineering, not breaking the app’s security. Attackers use scams and phishing to trick users out of their money and passwords,” says Paul Bischoff, Editor of Comparitech.

"Any security vulnerability in TikTok would be patched quickly, but phishing and scams aren't going away," Bischoff added, highlighting the danger of phishing attacks.

The recent malware campaign demonstrates a worrying trend of cyber attackers turning their attention to the open-source ecosystem, and according to Checkmarx this is set to accelerate in 2023.

Excessive data harvesting 

Government officials and cybersecurity experts have been concerned that TikTok's data-driven algorithm may put the data of millions of users at risk.

New Forbes reports suggest that internal risk assessments conducted at TikTok’s parent company ByteDance show systematic issues with fraud and inappropriate data management. 

“Unless ByteDance makes substantial, sustained and rapid investments in its anti-fraud programs, it will likely be too late to prevent immense future fraud-related losses and liabilities – potentially including multi-billion dollar fines,” read one part of the executive summary reviewed by Forbes. 

TikTok joins a long list of social media corporations found to have violated data protection rules. Just two days ago, Facebook owner Meta received a $275m GDPR penalty for failing to comply with EU laws on data privacy and protection.

But unlike other social media platforms, TikTok's algorithm organically spreads phishing scams like the "Unfiltered" malware scam, potentially exposing its huge user base to phishing and data theft.

TikTok hit 1 billion monthly active users at the end of last year, with the majority of its users being under the age of 18. 
