At the end of December, Google and Apple removed the ToTok social messaging app from their marketplaces after U.S. intelligence officials told the New York Times that it was a tool the United Arab Emirates government used to spy on its users. About a week later, Google restored the Android version of the app without explanation, which confused app users and security experts. Now Google has surprised industry watchers once more by banishing the app again, again without saying why. (Apple has kept the iOS version of ToTok out of the App Store.)
In recent days, Play Protect, the Google service that scans Android devices for apps that violate the company's terms of service, has displayed a warning: "This app tries to spy on your personal information, such as text messages and photos, audio recordings or call log. Even if you've heard of this app or the app developer, this version of the app can harm your device."
The message gives the user the option of either uninstalling the app or keeping it, flagged as unsafe.
Google has declined to comment to me or to any other reporter seeking the reason for this strange series of reversals. In that vacuum, commentators have offered all sorts of theories to explain Google's actions.
"Is this where the tinfoil hat of rampant speculation comes out?" asked information security specialist Ben Montour on Twitter on February 20, 2020. "UAE-friendly insider on the app approval team? Was it allowed back, caught, and pulled again?"
I'll be watching you
ToTok received millions of downloads from Play and the App Store in the months leading up to its first removal. The iOS app alone had more than 32,000 user reviews, most of them favorable. It is possible that many of the downloads and reviews were part of a UAE-sponsored astroturfing campaign to increase the app's visibility, but it is likely that much of the popularity was real. The United Arab Emirates government had already restricted the use of competing apps such as Skype and WhatsApp, which made ToTok more attractive to anyone communicating with people in the country.
The first moves by Google and Apple came within days of the New York Times article reporting that the United Arab Emirates government used ToTok to "try to track every conversation, movement, relationship, appointment, sound and image of those who install it on their phones."
An independent analysis by macOS and iOS security expert Patrick Wardle confirmed that the iOS version of ToTok did capture the user's entire address book and upload it to a server associated with the ToTok domain. This activity only took place once the user granted the app permission to access their contacts. Granting that permission, however, is an expected and common practice for messaging app users.
"Basically, [the app developers] didn't have to add malicious code to the app [on the phone]," Wardle, a security researcher at macOS and iOS enterprise management company Jamf, told me on Thursday. "Simply ban all other apps in the UAE, offer a free alternative, promote it via [state] media / fake reviews, and ensure that all in-app communications (messages, videos, pictures, etc. etc.) are routed through their servers (without E2E encryption). Once you've identified targets / people of interest, deploy / use your iOS / Android 0-days only against that handful of targets. It's really a nice approach … well, from their perspective."
A zero-day is an attack that exploits a software vulnerability unknown to the developer. Weaponized zero-day exploits, meaning ones that reliably and covertly compromise devices and are not easily detected, often cost a great deal of money. The UAE was suspected of using an expensive iOS zero-day in 2016 to hack the iPhone of a political dissident in that country.
"Confident in our innocence"
In a statement released on Thursday, ToTok officials said again that there is "no legitimate reason" for Google and Apple to remove the app from their stores.
"The sudden removal of our app from the two app stores, for which no evidence has been given, speaks clearly to the lack of impartiality and fairness of Apple and Google towards the developer community and ultimately towards their and our customers," the officials wrote. "Confident in our innocence, we have worked hard over the past few weeks to comply with Apple's and Google's guidelines and requirements, and we firmly believe that we meet all of our technical and contractual obligations."
The statement says the app is still available in the app stores of the phone manufacturers Samsung, Huawei, Xiaomi and Oppo. ToTok is also still available for download from its own website.
Google's removal and reinstatement of ToTok two months ago, and this week's reversal, reinforce Play's reputation as a marketplace that poses a security risk to millions of users. Play is routinely caught distributing apps that secretly steal cryptocurrency wallets, upload personal photos, and install malware and backdoors.
Google's silence about the on-again, off-again availability of ToTok in Play, and the company's reluctance to tell users exactly what its analysts know about the app, only add to the suspicion.