{
	"id": "1294bc4b-3d9a-4539-bab7-b7108ad645ec",
	"created_at": "2026-04-06T02:10:34.571933Z",
	"updated_at": "2026-04-10T13:12:37.692952Z",
	"deleted_at": null,
	"sha1_hash": "b744b062f502ada40ebaf50e1c72f9f3b5fb6ad4",
	"title": "Detailed Analysis of TikTok Spyware | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1374826,
	"plain_text": "Detailed Analysis of TikTok Spyware | Zscaler Blog\r\nBy Shivang Desai\r\nPublished: 2020-09-08 · Archived: 2026-04-06 02:02:37 UTC\r\nA recent threat to ban TikTok in the United States has taken the internet by storm and received mixed reactions\r\nfrom social media and internet users. U.S. President Donald Trump has ordered ByteDance, the parent company\r\nof TikTok, to sell its U.S. TikTok assets and also issued executive orders that would ban the social media apps\r\nTikTok and WeChat from operating in the U.S. if the sale doesn’t happen in the next few weeks. On the other side,\r\nByteDance has filed a lawsuit against the Trump administration.\r\nWhen popular applications come under fire and are featured prominently in the news, hackers get excited, as these\r\nnewsworthy apps can become their latest target. And TikTok is no exception.\r\nGenerally, after an application gets banned from an official app store, such as Google Play, users try to find\r\nalternative ways to download the app. In doing so, users can become victims of malicious apps portraying\r\nthemselves as the original app. Recently there was a huge wave of SMS messages, as well as WhatsApp messages,\r\nmaking the rounds asking users to download the latest version of TikTok at hxxp://tiny[.]cc/TiktokPro. In reality,\r\nthis downloaded app is a fake app that asks for credentials and Android permissions (including camera and phone\r\npermissions), resulting in the user being bombarded with advertisements.\r\nRecently, we have come across another variant of this app portraying itself as TikTok Pro, but this one is a full-fledged\r\nspyware with premium features to spy on the victim with ease. 
(Please note this is a different app and not the same as\r\nthe one being spread by hxxp://tiny[.]cc/TiktokPro.)\r\nTechnical Analysis\r\nApp Name: TikTok Pro\r\nHash: 9fed52ee7312e217bd10d6a156c8b988\r\nPackage Name: com.example.dat.a8andoserverx\r\nUpon installation, the spyware portrays itself as TikTok using the name TikTok Pro. As soon as a user tries to open\r\nthe app, it launches a fake notification, and soon the notification as well as the app icon disappear. This fake\r\nnotification tactic is used to redirect the user's attention; meanwhile the app hides itself, making the user believe\r\nthe app is faulty.\r\nThis functionality can be seen in Figure 1.\r\nhttps://www.zscaler.com/blogs/security-research/tiktok-spyware\r\nPage 1 of 11\n\nFigure 1: App icon and fake notification.\r\nBehind the scenes, a number of processes occur simultaneously. First, an activity named MainActivity\r\nfires up, taking care of hiding the icon and showing the fake notification. It also starts an Android service named\r\nMainService.\r\nThe spyware also appears to have an additional payload stored under the /res/raw/ directory. This is a common\r\ntechnique used by malware developers to bundle the main payload inside the Android package to avoid easy\r\ndetection. As seen in Figure 2, the app tries to open the payload from the /res/raw/ directory and generate an\r\nadditional Android Package Kit (APK) named .app.apk:\r\nFigure 2: The decoy code for the fake TikTok.\r\nUpon analysis, we discovered that this is a decoy functionality and no new payload is generated. The conditions to\r\nbuild an additional payload are never met. Going one step further, we rebuilt the malware to execute the apparent\r\nfunctionality of generating a payload, but discovered that the APK stored in the /res/raw/ directory is empty. 
The\r\nplacement of the decoy functionality is likely designed to confuse malware researchers. It is also possible that\r\nthis functionality is under development, making this placeholder code incomplete.\r\nComing back to the execution flow, once the spyware hides itself, it starts an Android service named MainService.\r\nAndroid services are components that can be made to execute independently in the background without the\r\nvictim's knowledge. MainService is the brain of this spyware and controls almost everything—from stealing the\r\nvictim's data to deleting it. All of its capabilities are discussed later in this blog.\r\nFigure 3: Code showing the hiding of the icon and the starting of the service.\r\nAs MainService is the main controller, the developer has taken the appropriate actions to keep it functional and\r\nrunning at all times.\r\nThe malware developer uses various tactics to do so, and one of them is using Android's broadcast receivers.\r\nBroadcast receivers are components that allow an app to register for various Android events. In this case, the spyware registers\r\nthree broadcast receivers:\r\nMyReceiver - Triggers when the device is booted.\r\nInterceptCall - Triggers on incoming and outgoing calls.\r\nAlarmReceiver - Triggers every three minutes.\r\nMyReceiver and AlarmReceiver start MainService whenever the corresponding events occur. This tactic is very\r\ncommon among malware developers to ensure the malware is not killed by the Android OS or by any other\r\nmeans.\r\nFigure 4 shows MyReceiver in action, where it eventually calls the MainService service.\r\nFigure 4: MyReceiver broadcast receiver.\r\nThe InterceptCall receiver is triggered whenever there is an incoming or outgoing call. 
It sets particular\r\nparameters related to the call details, and a further service named calls takes control, as seen in Figure 5.\r\nFigure 5: Code for the calls service.\r\nAs seen above, the calls service stores incoming call details in .mp3 format in the /sdcard/DCIM/.dat/ directory,\r\nwith \"In_\" appended to the file name for incoming calls and \"Out_\" for outgoing calls. How these recorded calls\r\nare sent to the command and control (C\u0026C) server is taken care of by MainService, which is discussed next.\r\nMainService is the central controller of this spyware. It controls each and every functionality based on the\r\ncommands sent by the C\u0026C server.\r\nAs soon as this service is started, it creates two processes that take care of connecting to and disconnecting from the\r\nC\u0026C server. This functionality can be seen in Figure 6.\r\nFigure 6: The timer task.\r\nMainService has the following capabilities:\r\nSteal SMS messages\r\nSend SMS messages\r\nSteal the victim's location\r\nCapture photos\r\nExecute commands\r\nCapture screenshots\r\nCall phone numbers\r\nInitiate other apps\r\nSteal Facebook credentials, etc.\r\nAll of the above functionalities take place on the basis of commands sent by the attacker. Stolen data is stored in\r\nexternal storage under the /DCIM/ directory with a hidden sub-directory named \".dat\". 
\r\nBelow is the list of all the commands the spyware accepts from the C\u0026C server.\r\nCommand - Action\r\nUnistxcr - Restart the app\r\ndowsizetr - Send the file stored in the /sdcard/DCIM/.dat/ directory to the C\u0026C server\r\nCaspylistx - Get a list of all hidden files in the /DCIM/.dat/ directory\r\nspxcheck - Check whether call details are collected by the spyware\r\nS8p8y0 - Delete call details stored by the spyware\r\nscreXmex - Take screenshots of the device screen\r\nBatrxiops - Check battery status\r\nL4oclOCMAWS - Fetch the victim's location\r\nGUIFXB - Launch the fake Facebook login page\r\nIODBSSUEEZ - Send a file containing stolen Facebook credentials to the C\u0026C server\r\nFdelSRRT - Delete files containing stolen Facebook credentials\r\nchkstzeaw - Launch Facebook\r\nLUNAPXER - Launch apps according to the package name sent by the C\u0026C server\r\nGapxplister - Get a list of all installed applications\r\nDOTRall8xxe - Zip all the stolen files and store the archive in the /DCIM/.dat/ directory\r\nAcouxacour - Get a list of accounts on the victim's device\r\nFimxmiisx - Open the camera\r\nScxreexcv4 - Capture an image\r\nmicmokmi8x - Capture audio\r\nYufsssp - Get latitude and longitude\r\nGExCaalsss7 - Get call logs\r\nPHOCAs7 - Call phone numbers sent by the C\u0026C server\r\nGxextsxms - Get a list of inbox SMS messages\r\nMsppossag - Send SMS with message body sent by the C\u0026C server\r\nGetconstactx - Get a list of all contacts\r\nRinxgosa - Play a ringtone\r\nbithsssp64 - Execute commands sent by the C\u0026C server\r\nDOWdeletx - Delete the file specified by the C\u0026C server\r\nDeldatall8 - Delete all files stored in the /sdcard/DCIM/.dat/ directory\r\nWe don't have the space to cover all of the commands, but let's take a look at some of the major ones.\r\nFacebook phishing\r\nOne of the interesting features of this spyware is the ability 
to steal Facebook credentials using a fake login page,\r\nsimilar to phishing.\r\nUpon receiving the command GUIFXB, the spyware launches a fake Facebook login page. As soon as the victim\r\ntries to log in, it stores the victim's credentials in /storage/0/DCIM/.fdat.\r\nFigure 7: Fake Facebook login.\r\nThe second command is IODBSSUEEZ, which further sends the stolen credentials to the C\u0026C server, as seen in\r\nFigure 8.\r\nFigure 8: Sending data to the attacker.\r\nThis functionality could easily be extended to steal other information, such as bank credentials, although we\r\ndid not see any banks being targeted in this attack.\r\nCalling functionality\r\nThe command PHOCAs7 initiates the calling functionality. The number to call is received along with the command, as\r\nseen in Figure 9.\r\nFigure 9: The calling functionality.\r\nThe phone number is fetched from the C\u0026C server's response and stored in the str3 variable, which is then\r\nused to place the call through the tel: URI scheme.\r\nStealing SMS\r\nThe Gxextsxms command is responsible for fetching all the SMS messages from the victim's device and sending them\r\nover to the C\u0026C server.\r\nFigure 10: Stealing SMS messages.\r\nSimilarly, there are many other crucial commands that allow this spyware to perform additional functionality,\r\nsuch as executing commands sent by the C\u0026C server, taking photos, capturing screenshots, stealing location\r\ninformation, and more.\r\nFurther analysis\r\nUpon further research, we found this spyware to be developed with a framework similar to Spynote and Spymax,\r\nmeaning this could be an updated version of these Trojan builders, which allow anyone, even with limited\r\nknowledge, to develop full-fledged spyware. 
\r\nBased on the samples we analyzed, many of the functionalities seen in this spyware are similar to those of Spynote and Spymax,\r\nwith some modifications. This spyware sample communicates over dynamic DNS. By doing so,\r\nattackers can easily set up the Trojan to communicate back to them without any need for high-end servers. Other\r\ncommon functionalities include executing commands received from the attacker, taking screenshots of the victim's\r\ndevice, fetching locations, stealing SMS messages, and most of the common features that any spyware may possess.\r\nStealing Facebook credentials using a fake Facebook activity is something we didn't observe in Spynote/Spymax\r\nversions but was seen in this spyware.\r\nThis framework allows anyone to develop a malicious app with the desired icon and communication address.\r\nSome of the icons used can be seen below. We found 280 such apps in the past three months. A complete list of\r\nhashes can be found here.\r\nFigure 11: Icons used to pose as famous apps.\r\nAll of these apps are developed with the same framework and hence have the same package name and certificate\r\ninformation, as seen in Figure 12.\r\nFigure 12: Package name and certificate information.\r\nConclusion\r\nDue to the ubiquitous nature of mobile devices and the widespread use of Android, it is very easy for attackers to\r\nvictimize Android users. In such situations, mobile users should always take the utmost precautions while\r\ndownloading any applications from the internet. It is very easy to trick victims into falling for such attacks.\r\nUsers looking forward to using the TikTok app amidst the ban might look for alternative methods to download the\r\napp. 
In doing so, users can mistakenly install malicious apps, such as the spyware mentioned in this blog.\r\nThe precautions you take online have been covered extensively in almost all of our blogs; even so, we believe this\r\ninformation bears repeating. Please follow these basic precautions during the current crisis—and at all times:\r\nInstall apps only from official stores, such as Google Play.\r\nNever click on unknown links received through ads, SMS messages, emails, or the like.\r\nAlways keep the \"Unknown Sources\" option disabled on your Android device. This prevents apps from unknown\r\nsources from being installed on your device.\r\nWe would also like to mention that if you come across an app hiding its icon, always try to search for the app in\r\nyour device settings (by going to Settings -\u003e Apps and searching for the app whose icon was hidden). In the case of this\r\nspyware, search for the app named TikTok Pro.\r\nMITRE TAGS\r\nAction - Tag ID\r\nApp auto-start at device boot - T1402\r\nInput prompt - T1411\r\nCapture SMS messages - T1412\r\nApplication discovery - T1418\r\nCapture audio - T1429\r\nLocation tracking - T1430\r\nAccess contact list - T1432\r\nAccess call log - T1433\r\nCommonly used port - T1436\r\nStandard application layer protocol - T1437\r\nMasquerade as legitimate application - T1444\r\nSuppress application icon - T1508\r\nCapture camera - T1512\r\nScreen capture - T1513\r\nForeground persistence - T1541\r\nSource: https://www.zscaler.com/blogs/security-research/tiktok-spyware",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zscaler.com/blogs/security-research/tiktok-spyware"
	],
	"report_names": [
		"tiktok-spyware"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775441434,
	"ts_updated_at": 1775826757,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b744b062f502ada40ebaf50e1c72f9f3b5fb6ad4.pdf",
		"text": "https://archive.orkl.eu/b744b062f502ada40ebaf50e1c72f9f3b5fb6ad4.txt",
		"img": "https://archive.orkl.eu/b744b062f502ada40ebaf50e1c72f9f3b5fb6ad4.jpg"
	}
}