Fake TikTok Beta steals TikTok, Facebook and Instagram credentials

August 14, 2020

The popular social media app TikTok is getting banned in a number of countries. Fraudsters are using this opportunity to spread fake TikTok apps in an effort to infect and scam more victims. The SonicWall Capture Labs threats research team identified one such fake TikTok app that tries to steal the victim’s TikTok account credentials by showing a fake login page.

Infection Cycle

  • MD5: 7bece16d84f38e36b531e4b22f298205
  • Package Name: insta.tiktok.in
  • Application Name: TikTok Beta

Upon installation and execution, we see a custom TikTok login page:

 

The fonts, colors and overall appearance of the login screen raise suspicion that this is a phishing/fake page.

On entering the credentials, a 404 Page Not Found error is shown, which further raises suspicion, as popular apps handle such error conditions in a more professional and elegant way.

 

However, if a victim has reached this far, the account is already compromised, as the entered credentials are sent to the attacker’s server account-[redacted].000webhostapp.com as shown below:

 

Intelligence gathering

After further investigation of the domain, we found the following links under the Tik Tok Beta directory:

  • Tik Tok Beta.html – Login screen
  • Database420.txt – Stolen victim credentials as shown below:

 

 

We found similar directories for Facebook and Instagram on the same domain, each with a similar page, Database420.txt, for stolen credentials. This indicates that the authors behind this malware have multiple popular target apps in mind:

 

Phishing pages are a common medium for stealing sensitive user information. This app uses the popularity of TikTok to steal the victim’s credentials. Someone with a keen sense of observation will easily spot the phishing page, but as is evident from one of the pages obtained on the server, a few people were duped into entering their legitimate credentials.

One of the best ways to safeguard against such threats is to install apps only from the Google Play Store and follow proper security practices.
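The indicators in this report can be turned into a static triage check. The following is an added example, not SonicWall's code or tooling: it flags an app whose label names a known brand while its package name is not that brand's official one, and flags endpoints on the free-hosting domain seen here. The function names are illustrative, the official package names are the vendors' own Play Store identifiers, and the hostname in the sample is a placeholder because the report redacts the real one.

```python
from urllib.parse import urlsplit

# Official Android package names for the brands named in this report.
OFFICIAL_PACKAGES = {
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "facebook": {"com.facebook.katana"},
    "instagram": {"com.instagram.android"},
}
# Free-hosting suffix seen in this report; extending the list is an assumption.
FREE_HOSTING_SUFFIXES = ("000webhostapp.com",)


def brands_in(text):
    """Return known brand names found in a label, ignoring spaces and case."""
    squashed = "".join(ch for ch in text.lower() if ch.isalnum())
    return {brand for brand in OFFICIAL_PACKAGES if brand in squashed}


def on_free_hosting(url):
    """True if the URL's host is a listed suffix or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in FREE_HOSTING_SUFFIXES)


def triage(label, package, urls):
    """Return findings for one app's label, package name and embedded URLs."""
    findings = []
    for brand in sorted(brands_in(label)):
        if package not in OFFICIAL_PACKAGES[brand]:
            findings.append(f"label claims {brand} but package is {package}")
    for url in urls:
        if on_free_hosting(url):
            findings.append(f"endpoint on free hosting: {urlsplit(url).hostname}")
    return findings


# Constructed samples: label and package name come from the report; the
# hostname is a placeholder, since the report redacts the real one.
SAMPLE = ("TikTok Beta", "insta.tiktok.in",
          ["https://account-placeholder.000webhostapp.com/"])
GENUINE = ("TikTok", "com.zhiliaoapp.musically", ["https://www.tiktok.com/"])

if __name__ == "__main__":
    for app in (SAMPLE, GENUINE):
        print(app[1], "->", triage(*app) or "no findings")
```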

SonicWall Capture Labs provides protection against this threat with the following signature:

  • Stealer.CR (Trojan)

 

Appendix

Fake login pages for TikTok, Facebook and Instagram: