This article is more than 1 year old
Criminals use trending TikTok challenge to make data-stealing malware invisible
PSA: Don't download unknown apps even if they promise naked people
Malware-slinging miscreants are taking advantage of a trending TikTok challenge — and viewers' dirty minds — to spread data-stealing malware via a phony app that's had more than one million views so far.
The new TikTok trend is called Invisible Challenge, and it involves a person filming themself naked while using an effect called Invisible Body that removes the body from the video. So instead of seeing actual skin, the viewers see a blurred, contour image.
TikTokkers tag these videos #invisiblefilter, and as of Tuesday morning this tag has more than 27 million views. This level of popularity presents a perfect opportunity for cybercriminals, and they wasted no time jumping on the TikTok trend to deploy software nasties.
Soon after Invisible Challenge started trending, miscreants began posting TikTok videos with links to fake "unfilter" software that claims to remove the invisible filter and show the naked video creator, according to security researchers at Checkmarx.
TikTok users posted videos with more than a million views promoting this phony app and urging viewers to join a Discord server, "discord.gg/unfilter" to download it, researchers Guy Nachshon and Tal Folkman wrote in a report.
After joining the "Space Unfilter" Discord server, viewers see some NSFW videos that the criminals claim to have obtained by using the unfilter software and they receive a private message with a request to star the GitHub repository 420World69/Tiktok-Unfilter-Api. More than 30,000 members have joined the Discord server and that number keeps growing, according to Nachshon and Folkman.
The GitHub repo purports to be an open-source tool to remove the invisible body filter, but — surprise! — it contains malicious files: specifically a .bat script that installs a Python package listed in the requirements.txt file with a WASP stealer hidden inside.
After tricking people into downloading the malware, the criminals have access to victims' devices, including Discord passwords and contacts, which they can then use to spoof the victim and scam their contacts.
- TikTok accused of covert plot to track specific US citizens' every move
- WASP malware stings Python developers
- FYI: TikTok tracking pixels can be found all over the web – just like Meta, Google
- TikTok faces $29m fine for 'failing to protect UK kids' privacy'
As users have discovered and reported the malicious package, miscreants have added new ones under different names in attempts to evade detection. "It seems this attack is ongoing, and whenever the security team at Python deletes his packages, he quickly improvises and creates a new identity or simply uses a different name," the researchers wrote.
This attack is just the latest example of criminals following the user base, according to Rick McElroy, principal cybersecurity strategist at VMware. "Given the user base of TikTok, this type of activity is not shocking," he told The Register. "From a consumer perspective, they should not enable untrusted third-party applications and should rely on Apple Store controls for software vetting."
It's also a cautionary tale to users to be mindful of how much access TikTok has to their data and devices, McElroy said. ®