IT NEWS

In the April 2023 Android security bulletin, Google announced security updates which include fixes for two critical remote code execution (RCE) vulnerabilities and one vulnerability that has been exploited in the wild. The vulnerabilities are impacting Android systems running versions 11, 12, 12L, and 13. Users should update as soon as they can.

What needs to be done

If your Android is on security patch level 2023-04-05 or later, this will address all of these issues. Android partners are notified of all issues at least a month before publication, however this doesn’t always mean that the patches are available for devices from all vendors.

You can find your Android’s version number, security update level, and Google Play system level in your Settings app. You should get notifications when updates are available for you, but you can also check for updates.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Two critical vulnerabilities

Google never discloses a lot of details about these vulnerabilities. Access to bug details and links are usually restricted until the majority of users are updated with a fix. Here’s what we know so far:

CVE-2023-21085: A vulnerability in the System component which allows a remote attacker to execute arbitrary code. The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

When a program is unable to perform a proper verification of input, using unintended input can influence program data flow handling. Attackers can abuse this by creating input data that can cause changes of control flow, arbitrary control of a resource, or arbitrary code execution.

CVE-2023-21096: Another vulnerability in the System component which allows a remote attacker to execute arbitrary code. The vulnerability exists due to improper input validation within the System component. A remote attacker can trick the victim to open a specially crafted file and execute arbitrary code.

One vulnerability exploited in the wild

CVE-2022-38181: A vulnerability in the Arm Mali GPU kernel driver allows unprivileged users to access freed memory because GPU memory operations are mishandled. This use-after-free (UAF) vulnerability allows a local application to escalate privileges on the system. A local application can trigger memory corruption and execute arbitrary code with elevated privileges. This vulnerability is known to be exploited in targeted attacks and was first spotted in November 2022.

UAF is a type of vulnerability that is the result of the incorrect use of dynamic memory during a program’s operation. If, after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code. By using dynamic memory allocated to a program with higher privileges, the attacker can use those privileges to execute his code.

We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using Malwarebytes Vulnerability and Patch Management.

Fake it till you make it ransomware groups are trying to get rich off the backs of genuine ransomware authors. Why are they “fake it till you make it”? Because they don’t actually create ransomware or compromise networks in any way. They’re simply lying through their teeth and hoping that recipients of their messages don’t realise until it’s too late.

As reported by Bleeping Computer, a group named Midnight has been using this tactic since at least March 16, and the organisations affected all seem to be located in the US. 

The battle plan of a fake ransomware group

The general approach is as follows:

• Claim to be a different, genuine ransomware group. If the scammers claim to be some sort of obscure (but known) affiliate or spin-off, so much the better. The target will confirm the group exists with a quick Google search, but won’t be able to do much more beyond that.
• Use a panic inducing email subject. “Notifying you about your business’s security case, we accessed your information” is one example given.
• The bigger the theft claim, the better. They talk of accessing HR records, employee records, personal and medical data. In one “attack” 600GB of data was supposedly taken from business servers.
• Targeting genuine victims by accident or design. Some businesses targeted by the fakers had indeed suffered a ransomware attack of some kind previously. Either the scare tactic mails are being blasted out to a large audience to see what comes back, or there is some deliberate targeting of organisations going on.

Nothing new, but potentially disastrous all the same

Fake mails are nothing new. 18 years of one 419 mail is as good an example as any. Send enough emails out and somewhere will fall for it eventually. The bogus ransomware extortion attempt even has a name, in the form of “Phantom Incident Scam”.

Even so, this is an area of attack where having a good response strategy for people hoping you’ll fall for a technology based lie is very effective. If your incident response consists of opening up one of these missives, panicking, and racing to pay fraudsters, it could end up being a very costly and needless mistake. Whether you’re aware of your organisation having had a genuine breach or not, someone on a chart as a point of contact for such an eventuality will come in very handy indeed.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Western Digital, a big brand in digital storage, says it has suffered a “network security incident—potentially ransomware—which resulted in a breach and some system disruptions in its business operations.

The company identified the incident on March 26 and said an unnamed third party unlawfully accessed several computer systems to steal data. The investigation is ongoing and Western Digital has yet to learn how much was taken. 

Since the incident, Western Digital’s consumer cloud and backup service My Cloud has experienced outages, preventing customers from accessing their files. My Cloud Home, My Cloud Home Duo, My Cloud OS5, SanDisk ibi, and SanDisk Ixpand Wireless Charger all experienced service interruptions. 

Westen Digital said in its press release:

“The Company is implementing proactive measures to secure its business operations including taking systems and services offline and will continue taking additional steps as appropriate. As part of its remediation efforts, Western Digital is actively working to restore impacted infrastructure and services. Based on the investigation to date, the Company believes the unauthorized party obtained certain data from its systems and is working to understand the nature and scope of that data.”

Western Digital is a billion-dollar company, making it a target for criminals aiming to cash in. In the first quarter of 2023 alone, it received a revenue of $3.1B.

We’ll update this story as we learn more.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

TikTok has been ordered to pay a fine of $15.6M (£12.7M) for failing to protect 1.4 million UK children under the age of 13 from accessing its platform in 2020. The Information Commissioner’s Office (ICO), the UK’s data protection watchdog, imposed the fine after finding the company used children’s data without parental consent.

According to the ICO, the company may have used the data for tracking and profiling purposes. It may have also presented children with content deemed potentially harmful or inappropriate.

“There are laws in place to make sure our children are as safe in the digital world as they are in the physical world. TikTok did not abide by those laws,” said John Edwards, information commissioner for the ICO.

“TikTok should have known better. TikTok should have done better.”

Edwards told BBC News that TikTok had “taken no steps” to get parents’ consent.

“If you’ve been looking at content which is not appropriate for your age, that can get more and more extreme. It can be quite harmful for people who are not old enough to fully appreciate the implications and to make appropriate choices.”

In an interview with the BBC, Prof Sonia Livingstone, a researcher who studies children’s digital rights and experiences at the London School of Economics and Political Science, said she was happy the ICO had taken action against TikTok but fears the fine could be “shrugged off as the cost of doing business,” implying that nothing much might change with how TikTok operates.

“Let’s hope TikTok reviews its practices thoroughly and make sure that it respects children’s privacy and safety proactively in the future,” she said.

A TikTok spokesperson said the company invests “heavily to help keep under 13s off the platform and our 40,000-strong safety team works around the clock to help keep the platform safe for our community.”

“We will continue to review the decision and are considering next steps,” the spokesperson added.

The ICO gave TikTok 28 days to appeal the fine.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

The channel, comprising managed service providers (MSPs), Systems Integrators (SIs), value-added resellers (VARs), and more, plays a vital role in providing cybersecurity for companies around the globe today. But as malware evolves and cyberattacks become more common, keeping up with the top threats to the channel can be difficult.

With a plethora of cyberthreats out there, which ones should channel partners focus on in 2023?

Malwarebytes addresses this question in the 2023 State of Malware Report, identifying the five most potentially damaging malware threats that MSPs, SIs, VARs, including their clients, should prioritize.

Key channel threats in the 2023 State of Malware Report

One example of threats the channel should prepare for is the email-borne Emotet Trojan, a notorious threat that continues to plague businesses. The report also highlights the growing issue of ransomware attacks, 39% of which target service providers according to Kaseya’s 2022 MSP Benchmark Survey.

A particular focus is on the ransomware group LockBit, which was responsible for the majority of ransomware attacks in 2022. In February 2023 alone, the group published 126 victims on its leak page. LockBit affects companies of all sizes, from hospitals to small and large businesses.

Our report serves as a valuable resource for channel partners, helping them optimize defense strategies and take both proactive and reactive measures in the fight against the most damaging malware threats of the year. By using the insights from the report, the channel can better protect their own organizations as well as their customers’.

The role of channel partners in cybersecurity

The channel is pivotal to helping their clients adapt to the ever-changing threat landscape and avoid falling victim to devastating cyberattacks. As channel partners make their way into 2023, they can stay ahead of the curve by keeping these tips in mind:

• Prioritize the top five malware threats identified in the Malwarebytes report and implement targeted defense strategies to protect clients against these risks.
• Read our Threat Intelligence blog to keep informed about the latest cyberthreats, such as the activities of ransomware groups like LockBit, to ensure your clients are prepared for emerging risks.
• Educate your clients about the evolving threat landscape and help them develop a culture of security awareness within their organizations.
• Continuously evaluate and optimize your security offerings to ensure they meet the needs of your clients and protect against the latest threats.

Channel partners are uniquely positioned to guide companies through the complex cybersecurity landscape. As trusted advisors, they play a crucial role in educating businesses about the latest threats, providing tailored security solutions, and ensuring that their clients—and themselves—can continue to operate securely and efficiently. Read the full report below to learn more.

Get the full 2023 State of Malware report for the channel

CISA (Cybersecurity and Infrastructure Security Agency) has published the first results of its pre-ransomware notifications that were introduced at the start of 2023.

Even though this initiative is relatively young, CISA says it has notified over 60 entities across the energy, healthcare, water/wastewater, education, and other sectors about potential pre-ransomware intrusions, and we’ve confirmed that many of them identified and remediated the intrusion before encryption or data loss occurred.

In order to develop the pre-ransomware notifications, CISA established the Joint Cyber Defense Collaborative (JCDC) to “unify cyber defenders from organizations worldwide”. The team proactively gathers, analyzes, and shares actionable cyber risk information.

The success of the operation relies on a few key factors:

• Sharing intelligence by the cybersecurity research community, infrastructure providers, and cyber threat intelligence companies about potential early-stage ransomware activity.
• Getting that information to the victim organization and providing specific guidance about containing the threat.
• The time cybercriminals take from the initial security breach to the full-fledged ransomware attack.

Basically, the more information organizations give about early-stage ransomware activity, the better the information the JCDC can provide. This information also helps to keep lists like the known to be exploited vulnerabilities catalog up to date and helps create ransomware vulnerability warnings which inform organizations that a vulnerability used by ransomware threat actors is present on their network.

But how do pre-ransomware notifications work in real life?

Let’s take the fake IRS mail we reported about last week as an example. My colleagues found an email being sent out with the title of “IRS Tax Forms W-9” which appears to have been sent from “IRS Online Center”. In reality, the attachment contains a malicious macro. Enabling the content of the attachment will result in Emotet being downloaded onto the system.

The JCDC can in turn share this information with potential victims. “Have you seen this mail? Did anyone open the attachment? Did they use the “Enable Content” button? Here is what you can do to prevent your systems from getting encrypted. These are the tactics, techniques, and procedures (TTPs) and Indicators of Compromise (IOCs) you need to look for. And this call-to-action can be pretty specific because they know that any potential victims should be looking for Emotet.

For many non-profit organizations that can’t afford their own security team or an external Managed Detection and Response (MDR) service, this is very helpful and, as CISA concludes, has proven its usefulness. While the pre-ransomware notifications service is aimed at US organizations, JCDC works with international Computer Emergency Readiness Team (CERT) partners to enable a timely notification when it concerns a company outside the US.

The more information we share, the better the information JCDC can provide gets. Any organization or individual with information about early-stage ransomware activity is urged to contact Report@cisa.dhs.gov. If your organization is interested in participating in these collaborative efforts to stop ransomware, please visit cisa.gov/JCDC-faqs or email cisa.jcdc@cisa.dhs.gov.

Every US ransomware incident should be reported to the US government. You can find information on reporting at stopransomware.gov.

How to avoid ransomware

• Block common forms of entry. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
• Detect intrusions. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
• Stop malicious encryption. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
• Create offsite, offline backups. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
• Don’t get attacked twice. Once you’ve isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Twitter has made some fairly major changes to how its verified checkmark status works, and it’s already causing some confusion. If you rely on the checkmark symbol for confirmation that the individual or business tweeting is actually the real deal, your regular process is now different.

How verifying identity on Twitter used to work

Previously, the blue checkmark indicated a number of factors. The individual may have been “notable” in terms of work, celebrity status, or some other aspect. Primarily, it was a way to confirm someone or something was real, accurate, and true. An identity had been verified, typically via Government issued identity documents like a passport. If you sent a message to John Cena (with the verified blue checkmark), you were absolutely sending a message to John Cena. If Mark Hamill replied, you were absolutely having a conversation with Mark Hamill.

Hovering over the checkmark on one of the originally verified accounts used to say this:

“This account is verified because it’s notable in government, news, entertainment, or another designated category”.

Changing the checkmark system with Twitter Blue

Recently, this process underwent some change with the introduction of Twitter Blue, a subscription service that costs a minimum of $8 a month to gain additional features over non-paying users. Controversially, Blue accounts gained the same visual checkmark as verified accounts despite not using the same identity verification process. This resulted in an early wave of imitation accounts causing confusion.

Shortly after the Blue launch, the original verified accounts had their hover text altered to say this:

“This is a legacy verified account. It may or may not be notable”.

Twitter Blue subscribers, who had paid their $8 a month to gain a checkmark, had this for their hover text:

“This account is verified because it’s subscribed to Twitter Blue”.

This was already somewhat confusing, as there’s a difference between confirming identity via Government issued ID and obtaining a tick associated with identity verification by paying $8 a month. However, users would be put through even more changes.

We’re not losing a tick, we’re gaining…confusion?!

Twitter recently announced that all legacy accounts would lose their checkmark on April 1. It seems as though it may have been too difficult to do this, and a new needlessly confusing solution has been put in place overnight.

All accounts with a checkmark of any kind now say this:

“This account is verified because it’s subscribed to Twitter Blue or is a legacy verified account.”

There is now no easy way to tell at a glance if what you’re looking at is (for example) the real Lady Gaga, a law enforcement agency, an emergency alert system, or anything else. A perfect example of this happened earlier today when well-known UK personal finance expert Martin Lewis flagged up an imitation Twitter account promoting a bogus website.

So this FAKE ACCOUNT… https://t.co/zlX5BoeLiT promoting crypto has a blue tick? Lets see whether it is taken down when I report this impersonation.

— Martin Lewis (@MartinSLewis) April 3, 2023

This is a screenshot of the fake account in question. Notice that it is using a photo of the real Martin Lewis as its own profile picture, and that, while the actual Twitter handle is different, the display name shows, simply, “Martin”:

Note that the faker has disabled replies, to make it harder to call out the imitation in the thread itself.

The fake account sports 25.7k followers, has been around since 2013, and to many people would reasonably enough look like the real thing.

Both the imitation and the real account present users with the “This account is verified because it’s subscribed to Twitter Blue or is a legacy verified account” messaging.

The site the imitation linked to has already been shut down but was something to do with cryptocurrency.

This isn’t great for Twitter users. What can you do about it?

Some tips for establishing Twitter authenticity

There are still a few ways to know for sure if an account is subscribed to Blue, or has one of the originally verified checkmarks. A caveat: these may eventually stop working, and as we’ll see further down, there are limits to how well some of these tricks may work.

1. Look for the @Verified Twitter account. If the Verified Twitter account follows the individual or entity you’re interested in, then that account was verified pre-Blue and had some form of actual identity verification confirmed.
2. Browser extensions can help. A number of extensions still display the status of the accounts you look at. For example, here’s one called Eight Dollars for Chrome. If a checkmarked account is pre-Blue, it’ll say “Verified.” If not, it’ll say “$Paid.” Again, please note that functionality for extensions like these may stop working at some point.
3. Use Twitter search. Certain kinds of search string will still (for the time being) reveal if a user is legacy or paid. 

Using the extension as an example, we can now see the difference between the real Martin Lewis and the faker. Here’s the real Martin Lewis while running a checkmark focused extension:

Here’s the fake Martin Lewis while running the same extension:

The difference is clear. One of these accounts belongs to the originally identity verified Martin Lewis, and the other is a paid Twitter Blue subscription.

But there’s one more case to look at to understand Twitter verification today and likely into the future—and where this current reliance on browser extensions fails.

The New York Sign of the Times

We currently have a former Simpsons writer pretending to be the New York Times. Bill Oakley is likely doing this because Elon Musk directly removed the NYTimes checkmark after the publication said it wouldn’t pay for Twitter Blue.

Because of his account having been originally verified as himself, we now have a situation where a fake New York Times account says this:

The profile is tagged as potentially being a legacy verified account or subscribed to Twitter Blue. Meanwhile, the account shows as “Verified” with one of the browser extensions as a result of Oakley already having been verified as himself. For a time, Twitter did not allow legacy verified accounts to change their display name but that no longer seems to be the case. We can also deduce that this is definitely not the New York Times because you can see “thatbilloakley” is the username just underneath the Verified Account popup. Even so: a “verified” fake New York Times account, tagged as the real deal by a verification confirmation checking browser extension.

Confusing? You bet!

It’s worth pointing out that some originally verified legacy accounts will have since subscribed to Twitter Blue. It’s impossible to say how browser extensions would deal with that situation, so unless the Twitter Verified account is following the account you happen to be looking into, you may be out of luck.

For now, it’s a case of keeping your wits about you and not taking anything you see on social media for granted. This is good advice at the best of times, and it’s definitely worth sticking to at present. Another simple rule of thumb? If a celebrity is suddenly hawking cryptocurrency or some other too-good-to-be-true deal, they’re likely to be running a scam. Stay safe out there!

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

A new macOS malware—called MacStealer—that is capable of stealing various files, cryptocurrency wallets, and details stored in specific browsers like Firefox, Chrome, and Brave, was discovered by security researchers from Uptycs, a cybersecurity company specializing in cloud security. It can also extract the base64-encoded form of the database of Keychain, Apple’s password manager. Users of macOS Catalina (10.5) and versions dependent on Intel M1 and M2 are affected by this malware.

And while MacStealer appears to be the mac malware to watch, it is pretty rudimentary, according to Thomas Reed, Malwarebytes’ director of core technology. “There is no persistence method, and it relies on the user opening the app,” he adds, considering the foreseeable features the developer wants to add to MacStealer in the future.

MacStealer uses channels in Telegram as its command-and-control (C2) center. The malware has been promoted on a dark web forum since the beginning of March. According to the developers, it’s still in the early beta stage, thus lacking a builder and panel. These are also why the developers distribute MacStealer as a malware-as-a-service (MaaS), selling at a low price of $100 and promising more advanced features in the future.

MacStealer arrives to target macOS systems as an unsigned disk image (.DMG) file. Users are manipulated to download and execute this file onto their systems. Once achieved, a bogus password prompts users in an attempt to steal their real password. MacStealer then saves the password in the affected system’s temporary folder (TMP).

The malware then proceeds to collect and save the following also within the TMP folder:

• Account passwords, browser cookies, and stored credit card details in Firefox, Chrome, and Brave
• Cryptocurrency wallets (Binance, Coinomi, Exodus, Keplr Wallet, Martian Wallet, MetaMask, Phantom, Tron, Trust Wallet)
• Keychain database in its encoded (base64)form
• Keychain password in text format
• Various files (.TXT, .DOC, .DOCX, .PDF, .XLS, .XLSX, .PPT, .PPTX, .JPG, .PNG, .CVS, .BMP, .MP3, .ZIP, .RAR, .PY, .DB)
• System information in text form

MacStealer also compresses everything it stole in a ZIP file and sends it to remote C&C servers for the threat actor to collect later. At the same time, a summary version of the information it stole is sent to pre-configured Telegram channels, alerting the threat actor that new stolen data is available for download.

A data summary of what has been stolen by MacStealer. The threat actors receive this on their personal Telegram bot. (Source: Uptycs)

MacStealer being an unsigned DMG file is also a barrier for anyone, especially beginners, attempting to run the program on a modern mac, said Malwarebytes’ Reed. “Its attempt at phishing for login passwords is not very convincing and would probably only fool a novice user. But such a user is exactly the type who would have trouble opening it.”

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Last week on Malwarebytes Labs:

• Solving the password’s hardest problem with passkeys, featuring Anna Pobletts
• Food giant Dole reveals more about ransomware attack
• Bogus Chat GPT extension takes over Facebook accounts
• Ransomware gunning for transport sector’s OT systems next
• GitHub accidentally exposes RSA SSH key
• ChatGPT helps both criminals and law enforcement, says Europol report
• Fake DDoS services set up to trap cybercriminals
• ChatGPT happy to write ransomware, just really bad at it
• “Log-out king” Instagram scammer gets accounts taken down, then charges to reinstate them
• Stopping the top 5 cyber threats of 2023: A ThreatDown webinar recap
• Smart home assistants at risk from “NUIT” ultrasound attack
• [Update] 3CX desktop app used in a supply chain attack
• “BingBang” flaw enabled altering of Bing search results, account takeover
• Update now! Apple fixes actively exploited vulnerability and introduces new features
• Steer clear of this EE phish that wants your card details
• 3 tips to raise your backup game
• 3 tips for creating backups your organization can rely on when ransomware strikes

Stay safe!

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Since 2020, several governments and organizations have banned, or considered banning, the immensely popular social media app TikTok from their staff’s devices.

With all these alarming bells ringing, we thought it might be handy to break down what we know and see if we can plot a sensible strategy from there. So, if your hair is on fire, extinguish it and consider this with a cool head.

If you prefer listening over reading, we covered this topic in a recent LinkedIn Live.

TikTok is an immensely popular social media platform that allows users to create, share, and discover, short video clips. It’s received explosive growth since it first appeared in 2017, and now it claims to have well over 1 billion users, an estimated 150 million of them in the US.

In 2020, India was the first country to ban TikTok, along with some 200 other Chinese apps that were all blocked from operating within the country. The decision came two weeks after a Chinese military operation in India’s northern border lead to the death of at least 20 Indian soldiers.

In the same year, retail giant Amazon sent a memo to employees telling them to delete the popular social media app from their phones. Even earlier, in December of 2019, the US Army banned the use of the app on government-issued phones.

Other US agencies and other governments have followed suit since then, or are planning to do so. During a US Senate hearing, General Paul Nakasone, Director of the National Security Agency (NSA) stated that “America’s TikTok-addicted youth is playing with a loaded gun.”

We can break down the potential problems with TikTok in 3 main categories:

• The data
• The algorithm
• The app itself

Let’s start by saying that all of the above categories are present in many other social media apps. The differentiating factor for TikTok is that it is owned by a Chinese company called Bytedance. It’s these ties with China and the ruling Chinese Communist Party (CCP) that have created so much concern among nations and their government agencies. 

The data

In general, it is safe to say that every free social media app makes money by using and selling the data of large groups of people for advertising purposes. The more specific to smaller groups these data can be refined, the bigger the privacy concern. Can TikTok be used to spy on certain groups of people? Definitely! TikTok has admitted that employees used its own app to spy on reporters as part of an attempt to track down the journalists’ sources. The company fired 4 employees for doing so.

We have seen similar cases in other social media apps. For example, a Twitter employee that was sentenced to more than three years in prison for spying for Saudi Arabia. With the amount of readily available information, there will always be those that use it for their own purposes, good or bad.

The algorithm

Control of the algorithm provides an opportunity to be an influencer. By the algorithm we mean the code in the app that tries to optimize the time you spend on the app, by showing you videos that it has determined you might be interested in. Knowing which reels show up on your feed tells us something about you. If nothing else, it will tell us what you prefer watching. Be it kittens, fails, or dance routines. What worried Christopher Wray, the Director of the FBI, is the possibility that the CCP might take control of the TikTok algorithm to conduct hard-to-detect influence operations against Americans. By deciding what you see, the Chinese government might influence your opinion about matters.

Again, neither the algorithm nor the utilization for influence are exclusive to TikTok. International state actors are increasingly leveraging social media platforms to spread computational propaganda and disinformation during critical moments of public life. Last year, we discussed some stats provided by YouTube about their battle against misinformation.

The app

Most people will install TikTok on their personal devices, especially now that many organizations have or are considering a ban for the app on company-provided devices. And, so far, nobody has found anything malicious in the app. But as an app it has access, although limited, to information on your device and about other devices on the same network. This information could be used for nefarious motives, but there has been no proof of that. Another worry is that this behavior could change with one update, and whether that next update will be secretly malicious. But this is true for any app, whether the developer introduces the malicious code or whether it comes as part of a supply-chain attack.

Should I be worried?

The risks of allowing TikTok on corporate or hybrid devices very much depends on your threat model. While it is understandable that governments, the military, or defense contractors are among the first to ban TikTok from these devices, many other organizations are facing a lot of threats that are a much greater concern. On the other hand, if the app, or any other app, is not needed for work purposes, why would you allow it on a corporate device? Using Mobile Device Management (MDM) can go a long way in keeping risks and distractions away from corporate devices.

Banning the app from personal devices that are used in a work environment is a whole different matter. Your employee satisfaction might even be a bigger concern than TikTok potentially spying on you.

During a recent congressional hearing, TikTok’s CEO Shou Chew said they were doing everything they could to accommodate the US:

“Our commitment is to move their data into the United States, to be stored on American soil by an American company, overseen by American personnel. So the risk would be similar to any government going to an American company, asking for data.”

I think we can agree with that last sentence. Until proof is provided that TikTok is worse than other social media apps, there is no compelling reason to treat it differently. But all social media apps should be regarded with reservations when it comes to privacy.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW