A Tip From a Kid Helped Uncover a Slew of Scam Apps - WIRED
|WIRED 24 Sep 2020 at 09:52|
This story originally appeared on Ars Technica , a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED s parent company, Condé Nast.
Posing as apps for entertainment, wallpaper images, or music downloads, some of the titles served intrusive ads even when an app wasn’t active. To prevent users from uninstalling them, the apps hid their icon, making it hard to identify where the ads were coming from. Other apps charged from $2 to $10 and generated revenue of more than $500,000, according to estimates from SensorTower, a smartphone-app intelligence service.
The apps came to light after a girl found a profile on TikTok that was promoting what appeared to be an abusive app and reported it to Be Safe Online, a project in the Czech Republic that educates children about online safety. Acting on the tip, researchers from security firm Avast found 11 apps, for devices running both iOS and Android, that were engaged in similar scams.
Many of the apps were promoted by one of three TikTok users, one of whom had more than 300,000 followers. A user on Instagram was also promoting the apps.
“We thank the young girl who reported the TikTok profile to us,” Avast threat analyst Jakub Vávra, said in a statement . “Her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place.”
The apps, Avast said, made misleading claims concerning app functionalities, served ads outside of the app, or hid the original app icon shortly after the app was installed—all in violation of the app markets’ terms of service. The links promoted on TikTok and Instagram led to either the iOS or Android versions of the apps depending on the device that accessed a given link.
“It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them,” Vávra added.
Avast said it privately notified Apple and Google of the apps’ behaviors. Avast also alerted both TikTok and Instagram to the shill accounts doing the promotions.