Hackers Target TikTok’s “Invisible Body” Challenge to Spread Malware

TikTok’s “Invisible Body Challenge” was exploited by a highly sophisticated malware campaign targeting popular social media and open source platforms. The challenge encouraged people to post naked videos using TikTok’s invisible body filter, leaving a contoured cut-out of their bodies. 

The security issue was first reported by Checkmarx Solutions, a global security testing firm. The scale and success of this campaign are worrying, as cybercriminals went to great lengths to infect users from around the world.

Beware the “Wasp Stealer”: TikTok, Discord, GitHub

With nearly 30 million engagements, the challenge was targeted by cybercriminals who posted videos advertising software they claimed could remove the TikTok filter. The promise was that users could see the naked body “behind” the filter. The videos reached more than a million views in a single day and the project, named “Nitro-generator,” landed on GitHub’s trend list.

The videos came with an invite link to a Discord server and a private message prompting users to “star” the project on GitHub. Once on Discord, victims were directed to a webpage showing false “unfiltered” TikTok videos of naked people. Victims were invited to download the fake unfiltering tool from GitHub, which pulled in malware that infected their devices and harvested personal data.

Screenshot of the attackers’ Discord server advertising the fake unfiltering software (image: Checkmarx)

The “Wasp Stealer” malware was hidden in malicious Python packages and labeled “unfilter,” among other names. The information-stealing package infects devices to harvest Discord account details, credit card information, passwords, computer files, and even cryptocurrency wallets.

According to Guy Nachson, security researcher at Checkmarx, they “can’t say the exact number of people who ran the malware,” noting that it’s the first time they’ve “seen that kind of activity and publicity that flies under the radar.” He also mentioned how alarming it was that hackers used “legitimate services” and “built a community” around the project.

While the Discord server has since been reported and removed, more than 32,000 TikTokkers joined it in search of the filter-removing software that would expose millions of people’s naked bodies. TikTok did not respond to multiple requests for comment.

The project morphed through many iterations, with new accounts popping up as others were shut down. This shows the hackers’ worrying persistence in exploiting users and their unwillingness to back down despite challenges.

An Extremely Persistent Attack

GitHub repeatedly removed the malicious code, which led the threat actors to repackage the malware into malicious Python code. When flagged and removed, the hackers continuously created new accounts, file names, and malware packages, posing a perilous challenge to GitHub, the world’s largest open source community.

Image of GitHub 404 screen showing that the repo was removed.
GitHub took swift action once news came to light.

What Does This Mean For Digital Security?

The attack campaign demonstrates how hackers are focusing attention on legitimate, open-source ecosystems, threatening the interests of netizens everywhere. Experts expect this trend to continue into 2023, which will force open source communities like GitHub into a precarious position. Can they still promote open source sharing when doing so puts netizens at risk?

As it stands, there’s no defense mechanism in place for persistent attack campaigns. Hackers can continue to freely create new accounts to spread malware to unwitting internet users.

Is TikTok a Cybersecurity Hazard?

Questions about whether TikTok poses a global security hazard have been raised in multiple countries. India already banned the Chinese-owned platform for allegedly “stealing and surreptitiously transmitting users’ data in unauthorized servers outside India.” Hong Kong (SAR China) is set to follow suit, but these efforts are likely part of a campaign to limit domestic citizens’ contact with external countries. 

While TikTok claims it does not share data with China’s government, there is reason to believe that the CCP has a tight grip over “private” companies within its jurisdiction, making it practically impossible for them to operate without official approval. As demonstrated by the Invisible Body Challenge, the easy-to-go-viral nature of TikTok content makes it a target for cybercriminals. 

Moreover, due to its dubious privacy policy, TikTok is a fatal choice for individuals who care about digital privacy. Agreeing to install the app comes with allowing TikTok to monitor your keystrokes (keeping track of what you type) and more.

Stay Safe Online

It’s important to remember to exercise extreme caution when clicking links or installing software. Unless it comes from a legitimate publisher, avoid downloading new programs — especially when recommended by people you don’t know on Discord.

Using a VPN can help you stay anonymous when browsing online. CyberGhost VPN offers military-grade 256-bit AES encryption and helps you conceal your IP address from websites you visit. Get CyberGhost VPN to improve your digital security.
