As a retaliation against China for its troops killing 20 Indian soldiers in a border clash, the Indian government banned the use of TikTok and 58 other Chinese-produced apps. Their basic claim was that these apps threatened India’s “sovereignty and security”. Most Indian cybersecurity experts welcomed the ban as it is clear that TikTok collects a lot of personal information from its users and could very well send all of this back to China. The Indian government worried that high ranking government officials who had the app could even be compromised through the information that they had given to TikTok.
But this move by the government was certainly not welcomed by everyone, because it is hard to overstate how popular TikTok was, and still is, in India; this graphic should give you some idea.
It was not originally clear how the Indian government could enforce this ban. Sure, they can have the app removed from app stores such as Google Play, but what about the near billion users who already had the app installed?
For a while, those who used TikTok could continue to use it, but recently it appears that the government is forcing ISPs to block users from reaching the app. That said, there still appear to be ways around the ban. Some users claim that they have simply used a VPN, while others said they avoided the ban by doing a factory reset and then using a VPN.
However, not all users know how to get around the ban and are, thus, looking for ways to get their TikTok fix. Many have turned to TikTok alternatives and here is where the problems begin.
Recently, Indian TikTok users have been receiving text messages like the following.
A link is given to a link-shortening tiny.cc site that will usually have some reference to TikTok or TikTokPro in the URL. In the case of the above message, the link was in an http, not https, format so most browsers will give some warning. However, the above message usually comes from a known contact so the receiver, or victim, may trust the page they are led to. These links are also spreading through WhatsApp groups and other social media channels, and it wouldn’t take much for the attackers to get an https address.
If the victim visits the compromised website and downloads the app, they will be asked for certain permissions, among them access to the victim’s contacts and permission to send text/SMS messages. The criminals behind this attack are, of course, hoping that people will just grant these permissions without taking much notice. The victim will then be asked to supply their TikTok login credentials, and either click on some advertisement or download some application that the criminals have been paid to advertise. It looks like this initial attack uses this vector to make money via clicks and downloads. As soon as the app is installed, all of the victim’s contacts will receive text messages like the one shown above. After installation, the app displays the TikTok icon to give the user a sense of having installed a legitimate app.
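The lure messages and the contacts-plus-SMS permission pair described above are the two observable signals a defender can check for. The following Python is an added example, not code from the original post: it scores SMS text for the lure pattern (a shortened link, plain http, a TikTok or TikTok Pro keyword in the link) and flags an app that declares both contact reading and SMS sending. The sample messages and the shortener list beyond tiny.cc are constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages for this example; not real captured texts.
SAMPLE_MESSAGES = [
    "TikTok is back! Install TikTok Pro: http://tiny.cc/tiktokpro-install.",
    "Get Tiktok Pro now https://tiny.cc/TikTokPro2",
    "Your parcel ships today, track it at https://www.example.com/track/123",
    "Meeting moved to 3pm, see you there",
]

# tiny.cc is named in the post; the other shorteners are well-known services.
SHORTENERS = {"tiny.cc", "bit.ly", "t.co", "tinyurl.com"}
LURE_RE = re.compile(r"tik\s*tok\s*(pro)?", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Android permissions the fake app asks for together; this pair is what
# lets a sideloaded app message every contact of the victim.
WORM_PERMISSIONS = {"android.permission.READ_CONTACTS", "android.permission.SEND_SMS"}

def triage_sms(text):
    """Score one message; returns (score, reasons). Score >= 3 is a lure."""
    score, reasons = 0, []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;:!)")  # drop sentence punctuation glued to the link
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in SHORTENERS:
            score += 1
            reasons.append("shortened link (%s)" % host)
        if parsed.scheme == "http":
            score += 1
            reasons.append("plain http link")
        if LURE_RE.search(parsed.path) or LURE_RE.search(host):
            score += 2
            reasons.append("TikTok/TikTok Pro keyword in link")
    return score, reasons

def flag_lures(messages, threshold=3):
    """Return the messages whose score meets the threshold."""
    return [m for m in messages if triage_sms(m)[0] >= threshold]

def has_worm_permission_combo(declared):
    """True when an app declares both contact reading and SMS sending."""
    return WORM_PERMISSIONS.issubset(declared)

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(triage_sms(m), m)
```

The same scoring can run over an SMS gateway log or an MDM export of declared app permissions; the threshold is a starting point to tune against real traffic.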
Such an attack could easily be upgraded for the American market. Keep in mind that one-third of America has the TikTok app and probably aren’t really happy about losing it. There really is a TikTok Pro that comes with the real TikTok app. It is an analytical tool that can be used for free. Here’s how to access it.
My point is that this could make the victim think the Pro tool was somehow related to the fake app and, thus, give it some credibility.
In addition, Google Play has a number of apps which use the TikTok Pro name or something similar, such as the one below. Although the malicious fake app cannot, at least for now, be found on the site, the presence of so many similar apps could obscure the issue.
But, no doubt, worried TikTok users have heard that Microsoft may buy the app. Yes, they, or someone, probably will. If the app is banned, TikTok will make no money at all, so it’s better for them to sell it. Besides, Microsoft needs a pre-installed user base to get into the messaging market. But will it be a seamless transition? Some say yes and others say no. My guess is that it will be more or less the same; however, it will not be able to do what TikTok’s Chinese twin, Douyin, does.
Douyin mines videos for data. It uses facial recognition technology to find other videos a person may have appeared in. This makes them easier to target with ads. It also identifies products or places shown in videos and presents ads for people who may be interested in them. I suppose this shows just how much information TikTok has control of. And can this information really be channeled to the Chinese government? Sure. TikTok can’t do anything that the Chinese government disapproves of. But keep this in mind. The Chinese government, through TikTok alone, has already accumulated information on one-third of all Americans. That won’t change when Microsoft takes over. Now, when someone downloads the TikTok app, they will simply give their information to Microsoft instead. Actually, that’s what Microsoft will be paying $50 billion for. Data is money.
For a number of reasons, Americans who use TikTok could be compromised by the TikTok Pro attack or other attacks that pose as TikTok-related apps. Some people may not want an app that is associated with Microsoft. Some may feel the original experience has been compromised. Some may think they are simply getting a deluxe version of TikTok if they install TikTok Pro. The problem is that such attacks could be weaponized to do far more than just present ads and encourage downloads.
TikTok will be banned on September 15th unless they find an American buyer. If no buyer is found, the ban would likely follow the same path as the ban in India. Slowly, even for those who have already installed the app, the app will become useless. But who knows how long it would have taken before people simply got tired of TikTok anyway. Next year, whether TikTok is banned or not, some other, currently little-known app will be the app darling of the moment. In other words, life will go on, with or without TikTok.