A social messaging app called ToTok has been surging in popularity around the world in recent weeks. If you happen to be one of the hundreds of thousands of users who downloaded it you should delete the app from your phone immediately.
United States intelligence officials, speaking to the New York Times Sunday, warned that ToTok isn't the secure platform it purports to be; instead, it's likely a surveillance tool that can funnel data to the government of the United Arab Emirates. Google removed the app from Google Play on Thursday and Apple removed it from the App Store on Friday, but ToTok will keep working—and potentially spying—if it’s already on your phone.
"Uninstall it yesterday," says Patrick Wardle, a security researcher at Jamf specialized in Apple operating systems who formerly worked at the National Security Agency. On Sunday, he released a technical analysis of ToTok.
Despite the companies' efforts to catch them during pre-screening, shady mobile apps still slip into Google Play and Apple's App Store. While invasive marketing practices and criminal data collection are bad enough, apps that function as an espionage tool of governments are an even greater concern.
ToTok claimed to be a "fast and secure calling and messaging app," but it did not specifically tout end-to-end encryption, the security feature that protects data from prying eyes at all times except on authorized users' devices. The app's privacy policy only addressed data storage: "Messages: all data is stored heavily encrypted so that local ToTok engineers or physical intruders cannot get access." The app emphasized that it offered unlimited voice and video calling plus messaging to anyone with an internet connection so users could stay in touch with family and friends around the world. And the app was especially appealing to users in the UAE, because it didn't have the functionality restrictions that the Emirati government places on many other communication apps like Skype and Whatsapp in the country. ToTok let users access a full suite of features for free, without needing to use a VPN or any other workarounds. In retrospect, given the circumstances in the UAE, the app was probably too good to be true.
"When you start analyzing an app like this you expect to find a backdoor or some zero day exploits,” Wardle says. “But the more I think about it, this is actually a more elegant approach, which is just leveraging completely legitimate functionality. What that gives you is a very cost effective, easy way to gain a ton of information on people."
The developer behind ToTok, Breej Holding Ltd., did not return a request for comment.
First released on July 27, ToTok spiked in popularity in the UAE in August and then spread to other Middle Eastern countries and the rest of the world from there. The app had scores of positive reviews, particularly from users in the UAE who were excited about its lack of restrictions. It was also ranked as a most popular app in many regions on Google Play and the App Store. The app had a combined total of 9.8 million installs—7.5 million on Google Play and 2.3 million on Apple's App Store—in the four and a half months it was live, according to the app intelligence firm Sensor Tower. November had been the app's largest download month yet with 3 million new installs.
The developer, Breej Holding Ltd., does not have an extensive online footprint. In his technical analysis of ToTok for iOS, Wardle found indications that the app was not developed from the ground up and instead was based on code from the Chinese communication app YeeCall, likely through some type of licensing agreement. The New York Times concluded that Breej Holding Ltd. is likely a shell company for DarkMatter, an Abu Dhabi-based digital intelligence firm that contracts directly with the Emirati government and employs former intelligence agents from countries like the United States and Israel. US authorities are currently investigating DarkMatter for possible hacking crimes.
In his analysis of ToTok for iOS, Wardle found that the app was set up to run continuously in the background. It would have requested permission to access users' microphones, location data, photos, camera, calendar, contacts, and Siri integration. The app provided explanations for why this access was necessary: for example, that location data was needed to display information about local weather.
The crucial thing to understand about ToTok is that it does exactly what it claims to do. It's not a flashlight app that's tracking your location or hoovering up your contacts for no apparent reason. It's a messaging app that uses the same type of private data any communication app or social platform would. The question is just who has access to that data once it reaches the developer's servers.
"The problem is where's the data going and who has access to it? And those are very, very hard questions to answer," Wardle says. "There's a large amount of plausible deniability, which is why it's a no-brainer approach to gain a high degree of surveillance. I'm not saying it's good or ethical, but if other countries aren't doing this, from their point of view they should."
It's unclear how tech companies will work to detect legitimate apps with no hidden functionality that are piping data to governments for mass surveillance. Apple said on Sunday that it is still researching ToTok. A spokesperson for Google said, “We take reports of security and privacy violations seriously. If we find behavior that violates our policies, we take action.”
But the incident with ToTok raises questions about apps like WeChat with longstanding, known ties to repressive governments. In recent weeks, the US government has been investigating the social media app TikTok's possible ties to the Chinese government.
For now, just make sure you've uninstalled ToTok, and tell others to do the same.
Updated Monday December 23, 2019 at 9:30am ET to include ToTok download statistics from Sensor Tower.