The accusations against the Chinese app TikTok and countless other apps from China are very serious: The programs are alleged to siphon off a wealth of information about their users — data that has nothing to do with the actual function of the app and for whose collection there is no reasonable justification.
“With TikTok and the other malware apps, the app is not innocent at first and then happens to get compromised,” says IT security expert Stefan Strobel. “The developer of the app built back doors, spy functions and other things into the app from the outset and took great care to ensure that no one would notice.”
Strobel, the founder and CEO of the IT security company CIROSEC, advises German medium-sized companies on IT security issues. Some of these companies are active in China themselves. And so Strobel has ample experience with Chinese apps. In his view, the popular Chinese apps TikTok and WeChat are only the tip of the iceberg.
WeChat is a universal app that combines messaging with payment functions and other social media applications. It is very popular in China. Among IT experts, there is little doubt that all the data flowing through it is gathered completely by the Chinese regime.
Why is the app hiding something?
It’s not just TikTok and WeChat. There are thousands of apps involved — often free, but also commercial ones. “Again and again, you notice that for some strange reason a lot of money has been invested to make it difficult to analyze the apps,” says Strobel. “And then when you go to even more trouble and try to circumvent these protective functions to trace how the app was programmed, you realize that a lot of data is being collected and sent to China — data that is not really necessary.”
Many apps seem innocuous and harmless to start with. At first, there is only a small back door that an attacker can use later. “Even if you look at the app now, and it is only doing harmless things, the Chinese manufacturer is often able to extend the functionality at runtime,” says Strobel. “All of a sudden, the app does completely different things without having been updated somewhere from the app store.”
‘Everyone does it’ — not true!
This is by no means comparable to regular live updates as offered by Western software developers to their customers, he says. According to Strobel, the runtime updates of Chinese spy apps are not like those provided by Microsoft Office, for example. “With MS Office, as an end-user, I can agree to an update being installed,” he says. “The Chinese apps do this in a way that stays completely unnoticed by the end-users, without them even knowing that anything is being updated — possibly even while they are working with the app.”
TikTok is an example of how cleverly the attackers go about collecting information. The app is initially disguised as a harmless gimmick, but its data appetite grows over time and in tandem with its success. Once a large number of users work with it, a pull effect is created. “And when the app reaches a cool status and goes viral, and people say ‘Hey, you have to have that!,’ then at some point the manufacturer can extend the rights, and then the person installing it has to agree to even more,” Strobel says.
In this way, the user grants the app permission to do more and more. Many users also don’t understand what the app requires of them. If a window pops up, they simply agree. And all of a sudden, the app has access to users’ current location, can query where they are at any time and perhaps has access to their contacts and schedules. This must then be accepted by anyone wanting to use the app.
Preinstalled spy apps
The problem does not exist only with apps that users actively download from the app store. Often the malware is already installed on a smartphone when customers buy it.
“A lot of software on the devices comes with third-party code, and many of the companies use that code without actually knowing where it’s coming from or who has built it. It’s part of the functionality, and the supply chain becomes very quickly tainted without any control,” says Angelos Stavrou, a founder of the US company Kryptowire.
At the end of last year, with his company, he found 146 cases of preinstalled malware on Android mobile phones from 26 different providers. The phones came from telecommunications companies, electronics stores or elsewhere. Hundreds more cases have since been added, Stavrou told DW at the IT Defense Conference 2020.
As examples, his colleague Ryan Johnson mentions two small programs called Lovelyfonts and LovelyHighFonts, which were discovered in 2019. They purported to be simply fonts that could make the display on the smartphone screen more appealing and playful.
In reality, both programs secretly launched an attack on the smartphone, bundling up encrypted data packets and sending them to a server in Shanghai when the phone was not in use.
“Some of these applications actually won the system privileges and are considered part of the platform. And in that case, such applications can’t be disabled. So if there is a vulnerability in one of these apps or an app happens to be malicious, the general user can’t disable it,” says Johnson.
Fragmented software development as a risk factor
Android is somewhat more vulnerable to such malicious software than Apple’s operating system, iOS. This is because at Apple, development of the smartphones and of the App Store with its software is in the hands of one company. Apple can thus react faster and remove malicious software if it is detected.
With Android this usually takes longer. It has the Android Open Source Project (AOSP), where the various software developers can offer their products. Those who bring a smartphone onto the market can use the AOSP and collect the software components there that they believe the customer will like.
And there are almost as many app stores as there are telephone providers. “Any vulnerability in the AOSP that is going to be in the core Android software gets propagated to the vendors,” warns Johnson.
The German IT security expert Strobel also sees a security risk in this confusing landscape of manufacturers, developers and retailers. “There are many different parties, a fragmented market, because there are completely different hardware manufacturers who make modifications to the operating system and put their own stamp on it. All this means that things are not getting any more secure,” he says.
Malware already hidden in programmers’ tools
But even Apple is not completely protected against such attacks. XcodeGhost also came from China, around 2015. This was a manipulated and illegal copy of the Apple programming tool Xcode, which programmers need to write apps for macOS or iOS.
“If you officially got the Xcode from Apple and developed using it, everything was fine. But if you got this environment through gray channels without paying and automatically integrated the malicious code into the app, then you had a problem,” says Strobel.
At the time, software developers programmed about 4,000 apps with the hacked software, unknowingly contaminating their products with malware. This seems like a lot at first glance, but it is a relatively small number compared to the almost 2 million apps currently available in Apple’s App Store.
Nevertheless, even Strobel has to admit that XcodeGhost was truly professional work.
“Using the development environment to smuggle the malicious code into the app during development is, of course, a brilliant trick from an attacker’s point of view,” he says.
Smartphones still more secure than PCs
But what can we as users actually do to be safe when surfing with our smartphones? The good and perhaps surprising news is that smartphones are not actually as unsafe as they seem. “The basic concept of smartphone operating systems — both Android and iOS — is that an app runs in a sandbox and initially has very limited rights,” says Strobel.
Even a malware app — if the operating system has no open security flaws — cannot easily access what you do in other apps, let alone intrude into your operating system. In this respect, smartphones are usually more secure than normal computers. “For example, iOS is more secure than what I find on a normal Windows 10 PC, starting with the fact that I don’t have administrative rights on an iOS phone — even as a user — while I, of course, have them on my PC.”
A lot depends on the user
The important thing is to be wary. Not every gimmick has to be installed on your smartphone. And you should keep an eye on what you are giving the apps permission to do and not allow them everything.
In the end, customers should also ask themselves whether, in view of the large amount of evidence pointing to the existence of Chinese spy apps and the prevailing lack of transparency of some manufacturers, it is absolutely necessary to have a smartphone from a Chinese manufacturer.
Companies can protect the smartphones they issue to their staff against attackers by using central management for company devices, known as mobile device management (MDM). There, they can specify, for example, that only approved apps can be installed. They can also determine which networks users are allowed to connect to, what the Bluetooth settings are and much more.
That’s all not as much fun as TikTok, but at least the data stays where it belongs.