
TikTok Spyware

A detailed analysis of spyware masquerading as TikTok


A recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions from social media and internet users. U.S. President Donald Trump has ordered ByteDance, the parent company of TikTok, to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps TikTok and WeChat from operating in the U.S. if the sale doesn’t happen in the next few weeks. On the other side, ByteDance has filed a lawsuit suing the Trump administration.

When popular applications come under fire and are featured prominently in the news, hackers get excited as these newsworthy apps can become their latest target. And TikTok is no exception.

Generally, after an application gets banned from an official app store, such as Google Play, users try to find alternative ways to download the app. In doing so, users can become victims of malicious apps portraying themselves as the original app. Recently there was a huge wave of SMS messages, as well as WhatsApp messages, making the rounds asking users to download the latest version of TikTok at hxxp://tiny[.]cc/TiktokPro. In reality, this downloaded app is a fake app that asks for credentials and Android permissions (including camera and phone permissions), resulting in the user being bombarded with advertisements.


Recently, we have come across another variant of this app portraying itself as TikTok Pro, but this one is a full-fledged spyware with premium features to spy on the victim with ease. (Please note this is a different app and not the same as the one being spread by hxxp://tiny[.]cc/TiktokPro.)

Technical Analysis

App Name: TikTok Pro
Hash: 9fed52ee7312e217bd10d6a156c8b988
Package Name: com.example.dat.a8andoserverx

Upon installation, the spyware portrays itself as TikTok using the name TikTok Pro. As soon as a user tries to open the app, it launches a fake notification, and soon the notification as well as the app icon disappears. This fake notification tactic is used to redirect the user's attention while the app hides itself, making the user believe the app to be faulty.

This functionality can be seen in Figure 1.

Figure 1: App icon and fake notification.


Behind the scenes, there are a number of processes occurring simultaneously. First, an activity named MainActivity fires up, taking care of hiding the icon and showing the fake notification. It also starts an Android service named MainService.

The spyware also appears to have an additional payload stored under the /res/raw/ directory. This is a common technique used by malware developers to bundle the main payload inside the Android package to avoid easy detection. As seen in Figure 2, the app tries to open the payload from the /res/raw/ directory and generate an additional Android Package Kit (APK) named .app.apk:

Figure 2: The decoy code for the fake TikTok.

Upon analysis, we discovered that this is a decoy functionality and no new payload is generated: the conditions to build an additional payload are never met. Going one step further, we rebuilt the malware to execute the apparent functionality of generating a payload, but discovered that the APK stored in the /res/raw/ directory is empty. The placement of the decoy functionality is likely designed to confuse malware researchers. It is also possible that this functionality is under development, making this placeholder code incomplete.

Coming back to the execution flow, once the spyware hides itself, it starts an Android service named MainService. Android services are components that can be made to execute independently in the background without the victim's knowledge. MainService is the brain of this spyware and controls almost everything—from stealing the victim's data to deleting it. All of its capabilities are discussed later in this blog.

Figure 3: Code showing the icon hiding and service start.


As MainService is the main controller, the developer has taken the appropriate actions to keep it functional and running at all times.

The malware developer uses various tactics to do so, and one of them is using Android's broadcast receivers. Broadcast receivers are components that allow an app to register for various Android events. In this case, the spyware registers three broadcast receivers:

  • MyReceiver - Triggers when the device is booted.
  • InterceptCall - Triggers on incoming and outgoing calls.
  • AlarmReceiver - Triggers every three minutes.

MyReceiver and AlarmReceiver start MainService whenever the corresponding events occur. This tactic is very common among malware developers to ensure the malware is not killed by the Android OS or by any other means.

Figure 4 shows MyReceiver in action, where it eventually calls the MainService service.

Figure 4: MyReceiver broadcast receiver.


The InterceptCall receiver is triggered whenever there is an incoming or outgoing call. It sets particular parameters relating to the call details, and a further service named calls takes control, as seen in Figure 5.

Figure 5: Code for the calls service.


As seen above, the calls service stores recorded call audio in .mp3 format in the /sdcard/DCIM/.dat/ directory, with the file name prefixed with "In_" for incoming calls and "Out_" for outgoing calls. How these recorded calls are sent to the command and control (C&C) server is taken care of by MainService, which is discussed next.

MainService is the central controller of this spyware. It controls each and every functionality based on the commands sent by the command and control (C&C) server. 

As soon as this service is started, it creates two processes that take care of connection and disconnection to the C&C server. This functionality can be seen in Figure 6.

Figure 6: The timer task.


MainService has the following capabilities: 

  • Steal SMS messages
  • Send SMS messages
  • Steal the victim's location
  • Capture photos
  • Execute commands
  • Capture screenshots
  • Call phone numbers
  • Initiate other apps
  • Steal Facebook credentials, etc

All of the above functionalities take place on the basis of commands sent by the attacker. Stolen data is stored in external storage under the /DCIM/ directory in a hidden sub-directory named ".dat".
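The three broadcast receivers and the MainService capabilities described above translate into a recognisable manifest footprint: a BOOT_COMPLETED receiver, call-state receivers, and a cluster of surveillance permissions. The following added example (not code from the original post or from the sample) is a small static triage script that flags those traits in a decoded AndroidManifest.xml. The manifest it parses is constructed to mirror the components named in this analysis, and the two call-related intent actions used for InterceptCall are assumptions, not values taken from the sample.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
SPY_PACKAGE = "com.example.dat.a8andoserverx"  # package name of the analysed sample
# Permissions behind the MainService capabilities (SMS, audio, location, camera, calls, contacts)
SPY_PERMISSIONS = {"READ_SMS", "SEND_SMS", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
                   "CAMERA", "CALL_PHONE", "READ_CALL_LOG", "GET_ACCOUNTS", "READ_CONTACTS"}

# Constructed manifest that mirrors the components named in the analysis; it is
# not the real sample's manifest, and the two call-related actions are assumed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.dat.a8andoserverx">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="TikTok Pro">
    <receiver android:name=".MyReceiver"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter></receiver>
    <receiver android:name=".InterceptCall"><intent-filter>
      <action android:name="android.intent.action.PHONE_STATE"/>
      <action android:name="android.intent.action.NEW_OUTGOING_CALL"/></intent-filter></receiver>
    <receiver android:name=".AlarmReceiver"/>
    <service android:name=".MainService"/>
    <service android:name=".calls"/>
  </application>
</manifest>"""


def triage(manifest_xml):
    """Return findings matching the persistence and surveillance traits described above."""
    root = ET.fromstring(manifest_xml)
    # Strip the android.permission. / android.intent.action. prefixes to compare bare names
    perms = {p.get(NS + "name", "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}
    actions = {a.get(NS + "name", "").rsplit(".", 1)[-1] for a in root.iter("action")}
    findings = []
    if root.get("package") == SPY_PACKAGE:
        findings.append("package name matches the TikTok Pro spyware sample")
    if "BOOT_COMPLETED" in actions:
        findings.append("receiver re-launches the app at device boot (T1402)")
    if actions & {"PHONE_STATE", "NEW_OUTGOING_CALL"}:
        findings.append("receiver hooks incoming and outgoing calls")
    overlap = sorted(perms & SPY_PERMISSIONS)
    if len(overlap) >= 4:  # threshold: a single permission is normal, a cluster is not
        findings.append("%d surveillance permissions: %s" % (len(overlap), ", ".join(overlap)))
    return findings
```

Run triage() over a manifest decoded with apktool or a similar tool; a legitimate app with a boot receiver alone will produce a single finding, while this sample's footprint produces all four.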

Below is the list of all the commands handled by the spyware on behalf of the C&C server.

Command         Action
Unistxcr        Restart the app
dowsizetr       Send the file stored in the /sdcard/DCIM/.dat/ directory to the C&C server
Caspylistx      Get a list of all hidden files in the /DCIM/.dat/ directory
spxcheck        Check whether call details are collected by the spyware
S8p8y0          Delete call details stored by the spyware
screXmex        Take screenshots of the device screen
Batrxiops       Check battery status
L4oclOCMAWS     Fetch the victim's location
GUIFXB          Launch the fake Facebook login page
IODBSSUEEZ      Send a file containing stolen Facebook credentials to the C&C server
FdelSRRT        Delete files containing stolen Facebook credentials
chkstzeaw       Launch Facebook
LUNAPXER        Launch apps according to the package name sent by the C&C server
Gapxplister     Get a list of all installed applications
DOTRall8xxe     Zip all the stolen files and store the archive in the /DCIM/.dat/ directory
Acouxacour      Get a list of accounts on the victim's device
Fimxmiisx       Open the camera
Scxreexcv4      Capture an image
micmokmi8x      Capture audio
Yufsssp         Get latitude and longitude
GExCaalsss7     Get call logs
PHOCAs7         Call phone numbers sent by the C&C server
Gxextsxms       Get a list of inbox SMS messages
Msppossag       Send SMS with the message body sent by the C&C server
Getconstactx    Get a list of all contacts
Rinxgosa        Play a ringtone
bithsssp64      Execute commands sent by the C&C server
DOWdeletx       Delete the file specified by the C&C server
Deldatall8      Delete all files stored in the /sdcard/DCIM/.dat/ directory

We don't have the space to cover all of the commands, but let's take a look at some of the major ones.

Facebook phishing

One of the interesting features of this spyware is the ability to steal Facebook credentials using a fake login page, similar to phishing. 

Upon receiving the command GUIFXB, the spyware launches a fake Facebook login page. As soon as the victim tries to log in, it stores the victim's credentials in /storage/0/DCIM/.fdat.

Figure 7: Fake Facebook login.

The second command is IODBSSUEEZ, which further sends stolen credentials to the C&C server, as seen in Figure 8.

Figure 8: Sending data to the attacker.

This functionality can be easily further extended to steal other information, such as bank credentials, although we did not see any banks being targeted in this attack.


Calling functionality

Command PHOCAs7 initiates calling functionality. The number to call is received along with the command, as seen in Figure 9.

Figure 9: The calling functionality.

The phone number is fetched from the C&C server's response and stored in the str3 variable, which is then used to build a tel: URI that places the call.

Stealing SMS

The Gxextsxms command is responsible for fetching all the SMS messages from the victim's device and sending them over to the C&C server.

Figure 10: Stealing SMS messages.

Similarly, there are many other crucial commands that allow this spyware to perform additional functionality, such as executing commands sent by the C&C server, taking photos, capturing screenshots, stealing location information, and more.

Further analysis

Upon further research, we found this spyware to be developed by a framework similar to SpyNote and SpyMax, meaning this could be an updated version of these Trojan builders, which allow anyone, even with limited knowledge, to develop full-fledged spyware.

Many of the functionalities seen in this spyware are similar to SpyNote and SpyMax, based on the samples we analyzed, with some modifications. This spyware sample communicates over dynamic DNS. By doing so, attackers can easily set up the Trojan to communicate back to them without any need for high-end servers. Other common functionalities include executing commands received from the attacker, taking screenshots of the victim's device, fetching locations, stealing SMS messages, and most of the common features that every spyware may possess.

Stealing Facebook credentials using a fake Facebook activity is something we didn't observe in the SpyNote/SpyMax versions but was seen in this spyware.

This framework allows anyone to develop a malicious app with the desired icon and communication address. Some of the icons used can be seen below. We found 280 such apps in the past three months. A complete list of hashes can be found here.

Figure 11: Icons used to pose as famous apps.

All of these apps are developed by the same framework and hence have the same package name and certificate information, as seen in Figure 12.

Figure 12: Package name and certificate information.



Due to the ubiquitous nature of mobile devices and the widespread use of Android, it is very easy for attackers to victimize Android users. In such situations, mobile users should always take the utmost precautions while downloading any application from the internet, as it is very easy to trick victims into falling for such attacks.


Users looking forward to using the TikTok app amidst the ban might look for alternative methods to download the app. In doing so, users can mistakenly install malicious apps, such as the spyware described in this blog.

The precautions you should take online have been covered extensively in almost all of our blogs; even so, we believe this information bears repeating. Please follow these basic precautions during the current crisis—and at all times:

  • Install apps only from official stores, such as Google Play.
  • Never click on unknown links received through ads, SMS messages, emails, or the like.
  • Always keep the "Unknown Sources" option disabled on the Android device. This prevents apps from unknown sources from being installed on your device.

We would also like to mention that if you come across an app hiding its icon, always try to search for the app in your device settings (by going to Settings -> Apps and searching for the app whose icon was hidden). In the case of this spyware, search for the app named TikTok Pro.



Action                                MITRE ATT&CK ID
App auto-start at device boot         T1402
Input prompt                          T1411
Capture SMS messages                  T1412
Application discovery                 T1418
Capture audio                         T1429
Location tracking                     T1430
Access contact list                   T1432
Access call log                       T1433
Commonly used port                    T1436
Standard application layer protocol   T1437
Masquerade as legitimate application  T1444
Suppress application icon             T1508
Capture camera                        T1512
Screen capture                        T1513
Foreground persistence                T1541
