- The cybersecurity firm Avast has identified a new batch of sketchy iOS and Android apps that the firm says has been downloaded some 2.4 million times, in addition to garnering about $500,000 in revenue for their creators.
- The apps were promoted via accounts across TikTok and Instagram, which encouraged users to download them.
- These iOS and Android apps seem mostly to have been created to serve up ads.

Recently, a 12-year-old girl who lives in the Czech Republic thought something seemed a little fishy about a popular app she noticed was being talked about and circulating among TikTok users — so much so that she decided to tell someone about it. She did so by reporting what she found to the cybersecurity company Avast, which took her initial report, did some sleuthing, and eventually ID’d seven adware scam apps — including iOS as well as Android apps — that were being downloaded in droves across both the Google Play Store and the Apple App Store.
From that young girl’s initial report, Avast was able to eventually identify and help interrupt the circulation of a batch of sketchy apps that, unfortunately, have been downloaded almost 2.4 million times and are believed to have netted their creators around $500,000, according to a report from Avast.
It was no accident that the young girl discovered these shady apps. She actually was a participant in Avast’s Be Safe Online project, which, as the company notes, goes into Czech middle schools and teaches young people about online safety. “Using the skills she learned in the program, the young lady was able to identify and report the scam directly to Avast,” the company’s report notes.
It continues thus: The apps that were discovered were “specifically targeted to young people, in the form of games, wallpaper, and music downloaders. The scams come in the form of either charging $2 to $10 for a service that doesn’t meet that price point — including causing the phone to vibrate, a wallpaper, or access to music — or in the form of aggressive ads.”
Some of the apps were essentially HiddenAds trojans — apps that seem to be legit but really only exist to serve ads outside of the app itself. ZDNet notes that the apps removed after this investigation include the following, pulled from the Google Play Store: ThemeZone – Shawky App Free – Shock My Friends, Ultimate Music Downloader – Free Download Music. Apps that were removed from the Apple App Store in the UK include Shock My Friends – Satuna, 666 Time, ThemeZone – Live Wallpapers and Shock my Friend Tap Roulette.
Some of the apps had obvious giveaways regarding their true nature, such as the ThemeZone – Shawky App on Android devices. It apparently requested access to a device’s external storage, which arguably should not have been necessary.
“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed,” said Jakub Vávra, a threat analyst at Avast. “It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them.”