Security firm Avast has published the results of its investigation into TikTok accounts that are being used to promote adware scam apps.
Avast said it has discovered seven different adware scam apps available across the Google Play Store and the Apple App Store which have been downloaded over 2.4 million times.
Avast determined that these apps were being promoted by at least three TikTok profiles – one of which had over 300,000 followers. Investigators also found an Instagram account with over 5,000 followers promoting one of the apps.
The apps were primarily targeted at young people and took the form of game, wallpaper, and music downloaders.
“The apps we discovered are scams and violate both Google’s and Apple’s app policies by either making misleading claims around app functionalities, or serving ads outside of the app and hiding the original app icon soon after the app is installed,” said Avast threat analyst Jakub Vávra.
“It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them.”
Avast said the situation was first brought to its attention by a young child from the Czech Republic, who was part of Avast’s Be Safe Online project.
“This is a great example of this kind of education working,” said Avast communications director Whitney Glockner Black.
“Teach kids how to spot the bad things and they’ll spot them and report them.”
Avast also highlighted the following tips for both children and adults to protect themselves from scam apps:
- Pay attention to reviews – Negative reviews can often shed light on whether an app is a scam. For less popular scam apps, there are often a handful of “extremely positive and enthusiastic” reviews, which can be a sign of something suspicious.
- Be critical about price points – Be sure to know exactly what you’re paying for, and whether the price asked makes sense.
- Check permissions – Confirm that the app is only asking for the permissions it would logically need.