The dangerous viral challenge that can end in ‘hacking’

By Time News

Cybercriminals are taking advantage of a challenge in the popular Chinese app TikTok to deceive Internet users and get them to download malicious code to their devices. According to cybersecurity company Checkmarx, the criminals are exploiting the viral ‘unseen challenge’ (‘invisible challenge’, in English), in which users record themselves dancing naked behind a filter that makes their bodies translucent, so that, in the end, everything is left to the imagination.

The attackers post TikTok videos with links to fake software called ‘unfilter’ which, they claim, can remove these TikTok filters, so that the user could see the person in the recording completely naked. At least, that would be the case if it were not a trap to ‘hack’ the device.

The cybersecurity company detected two accounts on the platform, which are no longer operational, that offered this supposed filter-removing software to users who wanted to download it. Between them, they got a million views on the videos in which they shared the link from which, they claimed, Internet users could download this software.

The link redirected to a Discord server from which the tool could supposedly be installed. The server contains several videos that purport to show the results of the ‘software’ and sends an automatic private message that points to GitHub, which is where the malicious software is hosted. Although the repository page has positive ratings, the download files include a malicious package written in Python.

Checkmarx points out that the Python teams have removed the malicious packages on several occasions, but the creator continues to publish new ones under different identities. The company also describes as “worrying” the number of people who have tried to join the Discord server and install the ‘software’: more than 30,000 as of November 28.

“These attacks again demonstrate that cyber attackers have started to focus their attention on the open source package ecosystem. We believe that this trend will only accelerate in 2023,” they point out.

All cybersecurity experts recommend systematically distrusting messages and offers that seek to tempt the user with tools that sound incredible. Beyond that, using software to attempt to violate another user’s privacy is far from ideal, whether from an ethical or a legal point of view.
