Security News

Fake TikTok Beta steals TikTok, Facebook and Instagram credentials

By

The popular social media app TikTok is getting banned in a number of countries. Fraudsters are using this opportunity to spread fake TikTok apps in an effort to infect and scam more victims. SonicWall Capture Labs threats research team identified one such fake TikTok app that tries to steal victim’s credentials of TikTok account by showing a fake login page.

Infection Cycle

  • Md5: 7bece16d84f38e36b531e4b22f298205
  • Package Name: insta.tiktok.in
  • Application Name: TikTok Beta

Upon installation and execution, we see a custom TikTok login page:

 

The fonts, colors and overall appearance of the login screen raises suspicion of a phishing/fake page.

On entering the credentials a 404 Page Not Found error is shown which further raises suspicion as popular apps handle such error conditions in a more professional and elegant way.

 

However if a victim as reached this far, his account is already compromised as the entered credentials are sent to the attacker’s server account-[redacted].000webhostapp.com as shown below:

 

Intelligence gathering

After further investigation of the domain we found the following links under Tik Tok Beta directory:

  • Tik Tok Beta.html – Login screen
  • Database420.txt – Stolen victim credentials as shown below:

 

 

We found similar directories for Facebook and Instagram on the same domain as well with a similar page – Database420.txt – for stolen credentials, indicating that authors behind this malware have multiple popular target apps in mind:

 

Phishing pages are a common medium in stealing sensitive user information. This app uses the popularity of TikTok to steal victim’s credentials. Someone with a keen sense of observation will easily spot the phishing page but as evident from one of the pages obtained on the server, few people were duped into entering their legitimate credentials.

One of the best way to safeguard against such threats is to install apps only from the Google Play Store and follow proper security practices.

SonicWall Capture Labs provides protection against this threat with the following signature:

  • Stealer.CR (Trojan)

 

Appendix

Fake login pages for TikTok, Facebook and Instagram:

 

 

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
New banker Trojan steals information via compromised webservers (Aug 10, 2011)
Caddywiper hits Ukrainian networks. Wipes data and renders machines unbootable
Unravelled VBE script drops Banking Trojan (Aug 28th, 2015)
Microsoft Security Bulletins Coverage (Jun 15, 2011)
Novell eDirectory NCP Stack Buffer Overflow (Feb 8, 2013)
Vacron Network Video Recorder Remote Command Execution
Hidden-Tear Kit gives birth to Karmen Ransomware
File-less execution and use of steganography by IcedId Bot