ToTok video-calling app used standard permissions to spy, according to report
Date: 2019-12-23
A mysterious video-calling app called ToTok has been removed from Apple and Google app stores after it was determined to be spying on behalf of a Middle Eastern autocracy.
On Sunday, The New York Times reported on the app, warning that it appeared to be a front for government surveillance in the United Arab Emirates. The Times investigated the app and corroborated its findings with a U.S. intelligence assessment that found the app was, in fact, a "spying tool."
The app was downloaded millions of times in regions across the world, with some of that user base coming from within the United States. The app appeared to be a typical messaging app for making free video calls, like Apple's FaceTime.
ToTok received permission to access information on almost all other activity on a user's phone. The app could track location, tap into the microphone, analyze photos and read contacts. In many ways, these are the same types of permissions many apps request to function properly or enable targeted advertising, but in the case of ToTok, the permissions were linked to government surveillance.
ToTok seems to have modeled its name after the popular China-based app TikTok. The Chinese app has tens of millions of users in the U.S., and it has raised concerns among national security officials who are worried about how it collects data.
ToTok is a reminder that seemingly innocuous apps can function as malware to gain a foothold on people's personal devices.
"Our analysis showed that ToTok, simply does what it claims to do and really nothing more," said Patrick Wardle, an online security analyst, in a blog post outlining his research into the app. "Assuming the claims that ToTok is actually designed to spy on its users, this 'legitimate' functionality of the app, is really the genius of the whole mass surveillance operation: no exploits, no backdoors, no malware, again, just 'legitimate' functionality that likely afforded in-depth insight into a large percentage of the country’s population."
ToTok based its video-calling technology on another Chinese app called YeeCall, said Wardle, who was also quoted in The Times report.
ToTok has nearly 10 million downloads worldwide, according to Sensor Tower, an app analytics company. The app had its best month for new users in November with 3 million downloads, according to Sensor Tower.
The app disappeared from Google and Apple app stores by Monday.