TikTok's Data Theft and a Trojan Threat to Latin America
August 18-24, 2022 | Issue 20 - Counterintelligence and Cyber (CICYBER)
Marina Tovar, Richard Flood, CICYBER Team
Shachi Gokhale, Editor; Hannah Norton, Senior Editor
Date: August 18, 2022
Parties involved: TikTok; TikTok Users; software researchers; third-party organizations; data distributors
The event: TikTok’s new in-app browser monitors users' activity on external sites as the app’s algorithm inserts code that collects users’ keystrokes patterns when opening links. Capturing keystrokes could allow TikTok to capture information such as credit card details or login credentials. Software researchers report that this type of monitoring is an active way for TikTok to track user data.
Analysis & Implications:
TikTok will likely continue monitoring keystrokes and data to gather user credentials allowing access to accounts. It is very likely the data is valuable from a sharing and marketing standpoint to technological companies who would pay for it. TikTok could very likely capture the card details of multiple users using account credentials, very likely giving TikTok access to the user's bank account and payment history. TikTok could very likely transfer funds or hold data for ransom to obtain financial profits from users by threatening to share or sell their data to third-party organizations like data distributors.
TikTok will very likely suffer reputational losses as users lose confidence in the platform’s security, likely leading them to move to different apps with similar features like Instagram. TikTok will likely remove this code in an attempt to win back users' trust and mitigate reputational losses. Any returning TikTok users will very likely make themselves aware of reports regarding algorithm changes due to concerns of data protection to ensure their activity is not monitored. New users will very likely be unaware of algorithm changes unless software researchers report on data security or they suffer from data theft.
Date: August 20, 2022
Location: Latin America; Spain
Parties involved: Spanish financial institutions; Spanish Public Ministry; Mexico City Attorney General’s Office; Latin American financial institutions; chemicals manufacturing industry; logistics and civil industry; industrial construction industry; unknown threat actors; distributors; customers; clients
The event: Unknown threat actors are using a banking trojan named Grandoreiro, targeting Latin American and Spanish industries, such as chemicals manufacturing, logistics and civil, and industrial construction. The hackers send a phishing email impersonating the Attorney General’s Office of Mexico City or the Public Ministry from Spain to lure victims into downloading a ZIP document containing the banking trojan. Grandoreiro allows the threat actors to gather system information, and retrieve a list of installed antivirus solutions, cryptocurrency wallets, and mail apps, which will be sent to a remote server the hackers can access.
Analysis & Implications:
Threat actors very likely target the manufacturing, logistics, and construction industries due to their role as intermediaries in the production process of goods and services. Intermediary sectors are more likely to contain more information supply chain data than industries that deal directly with the end user. More information will very likely lead to a larger number of targeted individuals, very likely conducting spear phishing attacks to increase financial profits. Spear phishing will very likely address attacks on distributors, customers, and clients, very likely reducing the predictability of attacks.
The hackers very likely collect the list of installed antivirus solutions to know what system defenses organizations within the intermediate sector have, likely to customize the attack to avoid detection. The hackers will very likely exploit the system’s vulnerabilities and flaws to create backdoors for future attacks, likely retrieve new information the victims have added to their systems. The hackers will very likely threaten these victims within intermediate organizations for financial profit, likely using impersonation or personalized spear phishing attacks. The threat of more attacks against victims within this sector will very likely lead to the implementation of security softwares and prevention scans to decrease the risk of data stolen from specialized phishing attacks.
The Counterterrorism Group (CTG)
 Tik Tok In-App Browser Includes Code That Can Monitor Keystrokes, Researcher Says, Forbes, August 2022, https://www.forbes.com/sites/richardnieva/2022/08/18/tiktok-in-app-browser-research/?sh=752341bb7c55
 “A banking trojan is malware that steals credentials from a financial institution’s clients or gains access to their financial information.” Banker Trojan, Investopedia, July 2022, https://www.investopedia.com/terms/b/banker-trojan.asp
 New Grandoreiro Banking Malware Campaign Targeting Spanish Manufacturers, The Hackers News, August 2022, https://thehackernews.com/2022/08/new-grandoreiro-banking-malware.html