User education: It works. That’s the “lesson about lessons” from this week’s TikTok security scare.
The video-clip-sharing app was home to (ahem) “influencers” promoting malicious apps aimed at children. And it was a child who reported the apps—leading to takedowns by Google and Apple.
The 12-year-old in question recognized the abuse because she’d been educated about the problem. In this week’s Security Blogwatch, we apply meta-lessons to IT.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Nigel Ng tries to criticize Gordon Ramsay.
Teach your children well
What’s the craic? Ionut Ilascu reports—Popular TikTok profiles promote scammy apps:
At least three TikTok profiles … have been promoting multiple fraudulent mobile apps. … The marketing push over TikTok likely played an important part in the scammy Android and iOS apps getting installed more than 2.4 million times. … An Instagram account with at least 5,000 followers was also found to promote one of the apps.
The mobile apps pretended to be games, or music and wallpaper downloaders. Once installed, they would display ads aggressively and charge users between $2 and $10 for features that either don’t exist or don’t work properly, or for weekly subscription fees.
Users should be wary of promoted mobile apps. … Checking the opinion of other users that experienced them first hand is a good [idea].
Another sign of suspicious behavior is when the app asks for more permissions than it needs. … Reading the permissions granted for apps at installation time could save you from mischief later.
And Dan Goodin adds—A tip from a kid helps detect iOS and Android scam apps:
Some of the titles served intrusive ads even when an app wasn’t active. … Other apps charged from $2 to $10 and generated revenue of more than $500,000.
The apps came to light after a girl found a profile on TikTok that was promoting what appeared to be an abusive app and reported it to Be Safe Online, a project in the Czech Republic that educates children about online safety. … A Google spokesman said the company has removed the apps. … Representatives from Apple and TikTok didn’t immediately have a comment.
“This all is bad don’t buy,” an iOS user wrote in one review. “I accidentally bought it. 8 dollars wasted and it doesn’t work.”
Who did the research? Jakub Vávra—Rogue TikTok accounts are promoting adware scam apps:
When a 12-year-old girl in the Czech Republic suspected that something was off with a popular app that was circulating on TikTok, she knew what to do. … The young person who reported the original scam app participated in Avast’s Be Safe Online project, which goes into Czech middle schools and teaches young people about online safety and how to advocate for themselves.
The apps are specifically targeted to young people, in the form of games, wallpaper, and music downloaders. … Some are HiddenAds trojans, which are apps that appear to be legitimate, but actually only exist to serve up advertisements outside of the app. [We] noticed the app developers have more apps, with very low downloads and reviews, but the handful of reviews they have are extremely positive and enthusiastic, which can also be a sign that something is suspicious.
Educate yourself on the signs of scam apps and then share that info with your kids. You might even want to consider instituting a rule that your kids get permission before downloading anything.
Pushing back against bad actors online requires that we all participate. … We can create a safer, more fun internet for everyone.
So Google acted quicker than Apple? Sflocal is incensed:
Apple is not taking the security of its users seriously in action, compared to what its marketing department says. … Last thing Apple needs is damaged trust.
Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store. That’s a hard … task, but come on Apple.
Without consequences, they will continue doing it. There is just so much garbage out there.
But what of Apple’s famous curated app store? snowshovel memeifies thuswise:
Apple: We have the most secure system in the world! Our app store is carefully curated for the best and safest experiences, and checked for any kind of shenanigans from app developers.
Also Apple: Here’s an app that does nothing … except serve ads for $8 to little kids. Thanks for the 30% cut.
Cui bono? Tim, presumably. Rayz2016 zeroes in on the problem:
There is still a serious problem with Apple customers being ripped off by apps like this. Apple needs to tighten up its reviews on any app that is offering in-app purchases. These scammers know that Apple will not actually make a purchase during the reviews, which is why they’ve hung around so long.
But what to do? Do nothing or do something?—TheLatter prefers the latter: [You’re fired—Ed.]
This is the kind of behaviour that should render an app store developer account revoked.
Or we could blame TikTok. I hear that’s a popular pastime. Ingrid Lunden reports out of the box—TikTok says it removed 104M videos in H1 2020:
As the future of ByteDance’s TikTok ownership continues to get hammered out between tech and retail leviathans, investors and government officials, the video app today published its latest transparency report. … TikTok also announced a new initiative — potentially in partnership with other social apps — against harmful content.
It is grappling with a lot of illegal and harmful content published and shared on its platform, and as it continues to grow in popularity … that problem will also continue to grow … regardless of how its ownership unfolds. … The volume of videos that are getting taken down has more than doubled over the previous six months.
Wait, what’s that about ownership? In case you’ve been living under a rock, Paul Haskell-Dowland and Nathalie Collins bring you up to speed—TikTok deal explained:
Plot twists in the TikTok saga continue to emerge daily, with a proposed deal to secure the future of the video sharing platform in the United States now in doubt. … Tech firm Oracle and retailer Walmart proposed a joint venture called TikTok Global, which would see customer data move to US-controlled infrastructure.
Questions remain: what difference will this deal (if approved) make to the TikTok service; how will it affect the security concerns for governments (and users) in the US and Australia; and is this just political posturing?
The potential for the Chinese Communist Party to demand access to user data through its National Intelligence Law will still be of concern, as the law applies to any Chinese-owned company (and being the majority stakeholder may be enough to enable such powers to be applied). … Of course the same is true for any US-owned organisation, thanks to the … CLOUD Act.
[But] most users will not notice any difference. TikTok users will still be able to make viral videos and confuse non-TikTok users.
Meanwhile, 48 champein is less than satisfied with a newly downloaded scam app:
I went and bought this app. [It] said I am going to live one more day.
It’s three days later and I haven’t died. … One star.
The moral of the story?
Don’t just tell your kids how to be safe online. Tell your users, too.
Warning: One or two F-bombs (and not just from Gordon’s potty mouth).
Hat tip: Andrea James
You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or firstname.lastname@example.org. Ask your doctor before reading. Your mileage may vary. E&OE. 30.