Suspicious third-party apps monetize fake engagement on TikTok

An industry of apps that offer likes and follows on TikTok is operating in the Google Play Store, but they come with a price

(Source: @KaranKanishk/DFRLab)

TikTok, the widely popular Chinese short-form video sharing platform, has attracted an array of third-party apps offering engagement-boosting services. The DFRLab found more than 50 such apps offering engagement services, and they are prevalent in the Google Play Store.

TikTok is a short video sharing platform owned by the Beijing-based company ByteDance. The app is built with a collaborative functionality wherein users can splice other users’ videos on the platform into their own; this functionality is one reason that TikTok has achieved significant popularity among teens. Similar to the now-extinct short-form video platform Vine, TikTok is known for brisk videos with short runtimes. Unlike Vine and other engagement-focused platforms such as Snapchat, however, interactions on TikTok are a little less intuitive, as it is “less reliant on a simple follower model, instead employing assertive and opaque recommendations,” according to The New York Times.

The rise of a marketplace for inauthentic engagement for TikTok is similar to boosting tools on other social media platforms. A number of apps for fake engagement available in Google’s app market provide purchasable likes and followers for TikTok accounts, such as 10 likes for $1.00. Other fake engagement apps provide the same product for a user’s time or data, such as getting likes for clicking on ads.

These apps raise two primary concerns. First, their activity could be used to make social media accounts appear more popular or legitimate than they actually are. This sort of gaming of algorithms to gain popularity is common and can be seen in everything from hashtag campaigns to impersonations of high-profile public figures. Second, these apps introduce data privacy issues in their demand for broad access to a user’s phone permissions and personal information, with little transparency on its collection, retention, and usage.

In this case, the DFRLab found a number of engagement-boosting apps that could collect more personal information than claimed. The apps collecting the data offered engagement in return for a user’s phone permissions and clickthroughs on advertising links.

The case showed that inauthentic engagement is not specific to any single platform and often requires a mutually reinforcing ecosystem across social media.

Apps and app stores

Smartphones operate within an app-based ecosystem. Some apps have a discrete, isolated user interface that keeps their operations within the app itself. Other apps, such as those uncovered in this investigation, interact with — or even demand access to — another app, which creates an ecosystem of apps dependent on other apps. Put differently, using one app might require that you give it permission to download or upload data to another. For example, to upload a photo to Instagram, a user has to grant Instagram permission to access the phone’s photo library.

App stores are where a user can download a range of apps. Some companies, such as Apple, have strict requirements for what apps are available in their app stores. Other companies’ app stores, such as the Google Play Store, have historically been a more unregulated marketplace, allowing a broader array of apps to be made available. That said, even these less regulated stores are not regulation free, as is evident from Google’s recent removal of upwards of 600 apps from its store, including some of the apps analyzed here.

Social media users looking to build an audience quickly on platforms with intense competition for engagement often find themselves tempted by dubious apps. The Google Play Store is one place to find apps that perform this inauthentic boosting function.

While this case was focused on TikTok, selling engagement for profit is not limited to only TikTok, as other platforms such as Facebook are also susceptible to paid-engagement operations.

Bartering likes for personal information

Engagement on TikTok comes in the form of likes, followers, and comments. Higher engagement acts as a social endorsement cue, signaling to users that the content is popular and possibly more worthwhile.

These apps typically offer a guaranteed increase in engagement, such as likes or follows, in exchange for money or personal data. Some of them also bring in revenue from ads and are easily downloadable in the Google Play Store. The DFRLab has put together a spreadsheet of some of the fake engagement apps currently available in the Google Play Store.

Artificial TikTok engagement-boosting apps in the Google Play Store. (Source: Google Play Store/archive)

Many of the apps had similar names, usually incorporating some form of “get fans,” “get likes,” or “get fans and likes,” and always asking for broad permissions.

The permissions required by one of the fake engagement apps included installing apps and accessing the user’s Internet data. (Source: PlayStore/archive)

The DFRLab examined one app, “Booster for TikTok, Followers & Likes For tiktok,” that was removed from the Google Play Store on February 20, 2020. The app’s terms of service required a user to grant extensive access to and control over their personal data, including full access to the user’s contact list and modifying contents on the user’s phone.

Most of the permissions were unrelated to the app’s primary function, indicating overly broad collection. Google’s policy around data usage explicitly restricts developers to collecting only data that is “directly related to providing and improving the features of the app (e.g., user anticipated functionality that is documented and promoted in the app’s description).” Though the apps requested this information, it was unclear whether they actually collected any or all of the data and, if so, how it was used.

Under the app’s contact info, a single email address was listed with no company information or name: sudoking410@gmail.com. The DFRLab sent an email inquiry to the email address regarding how the app uses the data but received no reply.

A reverse lookup of the email address, however, led to the blog page https://callerscreendeveloper.blogspot.com, which also does not provide information on who created the app.

Missing or copy-and-pasted privacy policies

While diving into the fake engagement app ecosystem, the DFRLab found a privacy policy loophole: several apps in the Google Play Store used copy-and-pasted policies that lacked clearly labeled permissions required by the app, if they even had a privacy policy at all.

One of the apps, “Get Tiko Fans For Musically — Followers & Likes,” had no privacy policy. Clicking on the privacy policy link in the Play Store directed the user to a blog post saying “We Will Update Soon.” The app had been downloaded upwards of 35,000 times at the time of analysis. The DFRLab found 69 apps that had the same “We Will Update Soon” privacy policy.

One of the TikTok apps with a missing privacy policy. (Source: Google Play Store)

Other artificial engagement apps for TikTok had privacy policies whose text, typos included, was identical to that of other, unrelated apps. These apps — including those detailed below — had copy-and-pasted privacy policies that were not uniquely tailored for each app. This app network has since been removed from the Google Play Store, but other apps that use the same techniques remain in the marketplace.

Privacy policies of several of the apps included verbatim text and the same mistakes. (Source: Booster for TikTok, Followers & Likes for tiktok/archive, left; Sax Video Player/archive, right)

After matching the exact same policy with other apps, the DFRLab found 36 apps that used the same generated policy with no change in app permissions. The text used here seems to have been generated from privacypolicytemplate.net.
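The matching step described above (finding apps whose policies share the same generated text and the same mistakes) can be automated. The following is an added example, not DFRLab’s own tooling: it normalizes each policy, breaks it into word shingles, and groups apps whose policies exceed a Jaccard similarity threshold. The app names and policy texts are constructed samples, not quotations from any real listing.

```python
"""Cluster apps whose privacy policies share the same boilerplate text.

Added example (not DFRLab code). App names and policy texts below are
constructed samples; three of them share one template, typo included.
"""
import re
from itertools import combinations

# Constructed sample policies: A, B and C share a template (note the shared
# misspelling "informations"); D was written independently.
SAMPLE_POLICIES = {
    "Booster App A": (
        "This privacy policy page is used to inform website visitors regarding "
        "our policies with the collection, use, and disclosure of Personal "
        "Informations if anyone decided to use our Service."
    ),
    "Fans App B": (
        "This Privacy Policy page is used to inform website visitors regarding "
        "our policies with the collection, use and disclosure of personal "
        "informations if anyone decided to use our service."
    ),
    "Video Player C": (
        "This privacy policy page is used to inform website visitors regarding "
        "our policies with the collection, use, and disclosure of Personal "
        "Informations if anyone decided to use our Service. Ads are shown."
    ),
    "Independent App D": (
        "We collect your email address to create an account and delete it when "
        "you close the account. We never sell data to third parties."
    ),
}


def normalize(text: str) -> str:
    """Lowercase, drop punctuation and collapse whitespace so cosmetic edits
    (capitalisation, commas) do not hide a copy-and-pasted template."""
    text = re.sub(r"[^a-z0-9\s]", " ", text.lower())
    return re.sub(r"\s+", " ", text).strip()


def shingles(text: str, k: int = 5) -> set:
    """Set of k-word shingles; contiguous word runs survive small insertions
    such as an extra sentence appended to one copy of the template."""
    words = normalize(text).split()
    if len(words) < k:
        return {tuple(words)}
    return {tuple(words[i:i + k]) for i in range(len(words) - k + 1)}


def jaccard(a: set, b: set) -> float:
    """Jaccard similarity of two shingle sets (1.0 = identical wording)."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_policies(policies: dict, threshold: float = 0.5) -> list:
    """Union-find grouping: apps whose policies exceed the similarity
    threshold end up in the same cluster. Returns a sorted list of sorted
    name lists, so the output is stable for reporting."""
    parent = {name: name for name in policies}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    sh = {name: shingles(text) for name, text in policies.items()}
    for a, b in combinations(policies, 2):
        if jaccard(sh[a], sh[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = {}
    for name in policies:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())


if __name__ == "__main__":
    for group in cluster_policies(SAMPLE_POLICIES):
        print(len(group), "app(s):", ", ".join(group))
```

Word shingles rather than exact hashes are used deliberately: a developer who appends an ad-disclosure sentence or changes capitalisation still lands in the same cluster, which is what the investigation above observed. A large cluster sharing one template is not proof of a single operator, only a lead to follow up with the contact email, blog and permission set, as the article does.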

The policy generator privacypolicytemplate.net produced the same text for a DFRLab-created dummy example, “Fraud App.” (Source: KaranKanishk/DFRLab)

The same text from the policy generator also appeared on the blog for three of the apps that used it, including the one under analysis (Booster for TikTok, Followers & Likes For tiktok). The blog post for another app, “Sax video call guide, sax chat guide,” indicated that the blog may have been automated, as the post included HTML code copy-and-pasted from the app’s about section.

The privacy policy for one of the apps on callerscreendeveloper.blogspot.com. (Source: SaxVideoPlayer/archive)

Drafting a clear and honest privacy policy specific to the app is vital for transparency. In 2017, Google announced that it would take down any app without a privacy policy. Google also has a policy against deceptive behavior but has not revealed its criteria for assessing third-party apps’ privacy policies, so it is unknown whether a misleading or incomplete privacy policy such as the one identified above would fall under such scrutiny.

What fake engagement looks like on TikTok

While sifting through the accounts involved in engagement-boosting schemes, the DFRLab identified a target profile for likes on TikTok that appeared to have been used by one of the fake engagement apps to increase followers.

Among the profile’s followers were multiple accounts with similar alphanumerical handles. The accounts were also completely anonymous, with no identifying information, profile pictures, or posts on their timeline. These indicators are common, but not conclusive, signs that an account is likely a bot or otherwise engaged in inauthentic behavior. These accounts typically keep their profiles private, thereby masking their activity and concealing the arbitrary likes they gave out.

For example, the account @nurdanoymen_56751 hid its likes and never posted pictures or videos. Its alphanumerical handle was also likely generated by automation software.

Account nurdannoymen_56751 showed no profile activity. The disproportionate ratio of following to followers, plus the absence of likes, indicated an inauthentic account. (Source: TikTok)

Many of the accounts that followed it displayed similar characteristics of inauthentic profiles.

Accounts that followed nurdannoymen_56751 and that had alphanumerical handles, usernames with numbers, and no profile photos. (Source: TikTok)
Some of the accounts replicated the same username, “TikToker,” while maintaining alphanumeric handles and no profile photos. (Source: TikTok)

Some of the accounts were more personalized, featuring stolen profile pictures replicated across profiles.

Accounts with the same profile pictures and distinct user IDs. (Source: TikTok)

Stolen profile pictures are often one indicator for spotting bot or sock-puppet accounts. The DFRLab has a methodology for spotting inauthentic activity on Twitter. Some of the methodological approaches also apply to other platforms, but to denote any account as a “bot,” the analysis requires more than three indicators.
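The indicators listed in this section (auto-generated alphanumeric handles, no profile picture, no posts, a private profile with hidden likes, a skewed following-to-followers ratio, a display name duplicated across accounts, and a profile picture reused across profiles) can be turned into a repeatable scoring pass. The following added example is not DFRLab’s methodology or tooling; it applies the “more than three indicators” rule from the text to a constructed set of accounts. The field names, the threshold for a skewed ratio, the handle pattern and the picture hashes are all assumptions chosen for the example.

```python
"""Score accounts on the inauthenticity indicators described in the text.

Added example, not DFRLab's own tooling. All accounts below are constructed;
picture_hash stands in for a perceptual hash of the profile picture and the
values are placeholders, not real hashes.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed pattern for automation-generated handles: letters, optional
# underscore, then a run of at least four digits (e.g. "name_56751").
HANDLE_PATTERN = re.compile(r"^[a-z]+_?\d{4,}$")


@dataclass
class Account:
    handle: str
    display_name: str
    has_profile_picture: bool
    picture_hash: Optional[str]  # placeholder image hash, None if no picture
    posts: int
    followers: int
    following: int
    is_private: bool
    likes_hidden: bool


# Constructed sample accounts: two look like the bot-style profiles described
# above, one shares a picture but is otherwise ordinary, one is clearly human.
SAMPLE_ACCOUNTS = [
    Account("nurda_56751", "TikToker", False, None, 0, 3, 250, True, True),
    Account("user_88213", "TikToker", True, "h1", 0, 1, 40, True, False),
    Account("beach_sunset_99", "Sara M.", True, "h1", 0, 10, 60, False, False),
    Account("realperson", "Jordan", True, "h2", 42, 500, 300, False, False),
]


def indicators(acc: Account, picture_counts: Counter,
               name_counts: Counter) -> List[str]:
    """Return the list of indicators an account trips. Cross-account
    signals (reused picture, duplicated display name) need the Counters
    built over the whole sample."""
    hits = []
    if HANDLE_PATTERN.match(acc.handle):
        hits.append("auto-generated handle")
    if not acc.has_profile_picture:
        hits.append("no profile picture")
    elif acc.picture_hash and picture_counts[acc.picture_hash] > 1:
        hits.append("profile picture reused across accounts")
    if acc.posts == 0:
        hits.append("no posts")
    if acc.is_private:
        hits.append("private profile")
    if acc.likes_hidden:
        hits.append("likes hidden")
    # Assumed threshold: following at least ten times the follower count.
    if acc.following >= 10 * max(acc.followers, 1):
        hits.append("following/follower ratio skewed")
    if name_counts[acc.display_name] > 1:
        hits.append("duplicated display name")
    return hits


def assess(accounts: List[Account],
           min_indicators: int = 4) -> dict:
    """Map handle -> (indicators, flagged). Following the text, an account is
    flagged only when it trips more than three indicators."""
    picture_counts = Counter(a.picture_hash for a in accounts if a.picture_hash)
    name_counts = Counter(a.display_name for a in accounts)
    result: dict = {}
    for acc in accounts:
        hits = indicators(acc, picture_counts, name_counts)
        result[acc.handle] = (hits, len(hits) >= min_indicators)
    return result


if __name__ == "__main__":
    for handle, (hits, flagged) in assess(SAMPLE_ACCOUNTS).items():
        print(f"{handle:16} {'FLAG' if flagged else 'ok  '} {hits}")
```

The third sample account is the instructive one: it shares a profile picture with a flagged account and has no posts, but those two indicators alone do not clear the bar, which is exactly why the text insists on more than three before calling anything a bot. Real investigations would also record which app’s target profile the accounts follow, so that a cluster of flagged followers can be tied back to a specific engagement-boosting service.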

TikTok’s policies on engagement-boosting apps

TikTok does not have a specific policy for engagement-boosting apps. It does, however, have policies against misrepresentation, though it is unclear whether those policies extend to false engagement from third-party apps.

The case shows that inauthentic activity on one platform is often supported by infrastructure elsewhere in the information ecosystem.

As TikTok captivates the newest generation of social media users, the platform’s policies on inauthentic activity and data privacy merit further scrutiny. While other platforms, such as Instagram, have taken steps to eliminate fake followers, TikTok seems to be unaware of — or, at least, unconcerned with — third-party apps hosted in the Google Play Store that skirt regulations and that monetize engagement and influence on the platform for commercial gain.


Kanishk Karan is a Research Associate with the Digital Forensic Research Lab.
