MITRE ATT&CK® Malware

S0558: Tiktok Pro

Tiktok Pro is spyware that has been masquerading as the TikTok application.[1]

Domain: Mobile · ID: S0558 · Type: Malware · Object version: 1.0 · Modified: (no value in the mirrored snapshot)
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Tiktok Pro is an Android spyware entry in ATT&CK that masquerades as the TikTok application. Its practical significance is mobile trust abuse: a familiar app name can lower user suspicion while the software attempts discovery, sensor capture, local data collection, SMS/control activity, and persistence-related behaviors. For leaders, this is a reminder that mobile risk is not only device loss or phishing; unmanaged or weakly governed Android app installation can create exposure of conversations, location, contacts, SMS, files, and business context on personal or corporate devices.

Executive priority

Prioritize this as a mobile governance and evidence problem: can the organization prove which Android apps are installed on managed devices, what permissions they hold, whether high-risk permissions are justified, and whether app identity is validated against trusted sources? The business risk is strongest where mobile devices access corporate identity, messaging, executive communications, field operations, or sensitive locations. This object supports investment decisions around mobile device management, app allowlisting/reputation review, permission governance, mobile threat detection, and incident response procedures for potentially compromised phones.

Technical view

ATT&CK lists Tiktok Pro as Android spyware and relates it to behaviors including GUI input capture, software/file/system discovery, audio/video/screen capture, location tracking, local data collection, SMS control and SMS/call/contact collection, scheduled jobs, broadcast receivers, foreground persistence, Unix shell use, icon suppression, file deletion, and masquerading through legitimate names or locations. SOC and IR teams should validate whether mobile telemetry can expose suspicious app identity, package metadata, requested and granted permissions, foreground service behavior, broadcast receiver registration, scheduled work, SMS/content provider access, sensor access, and attempts to hide the launcher icon. Because ATT&CK provides no official detection text for this malware, detections should be behavior- and policy-driven rather than dependent on this software name alone.
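The static half of that validation, as an added example that is not part of the ATT&CK object or of any Glexia tooling: the Python below parses a decoded AndroidManifest.xml (assumed to have already been converted from the APK's binary manifest, for example with apktool) and reports the declared permissions, the broadcast-receiver registrations for boot and call intents, and the foreground-service declarations that the ATT&CK relationships for this software describe. The manifest text is constructed for the example. Icon suppression and scheduled alarms are runtime behaviours a manifest check does not see, so this complements device telemetry rather than replacing it.

```python
"""Triage a decoded AndroidManifest.xml for the receiver, permission and service
declarations associated with Android spyware behaviour.

Added example, not from the ATT&CK page. The manifest below is constructed; real
input is the XML obtained by decoding an APK's binary manifest (e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Broadcast actions whose registration matches the behaviours in the relationship
# table for this software: device boot, incoming-call state and outgoing calls.
WATCHED_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "registers for device boot",
    "android.intent.action.PHONE_STATE": "registers for incoming-call state changes",
    "android.intent.action.NEW_OUTGOING_CALL": "registers for outgoing calls",
}

# Permissions that map to the capture, collection and SMS behaviours on the page.
WATCHED_PERMISSIONS = {
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_SMS",
    "android.permission.SEND_SMS", "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG", "android.permission.RECEIVE_BOOT_COMPLETED",
    "android.permission.FOREGROUND_SERVICE",
}


def attr(element, name):
    """Read an android:-namespaced attribute from a manifest element."""
    return element.get(ANDROID_NS + name)


def analyze_manifest(xml_text: str) -> dict:
    """Return package name, declared permissions, launcher presence and findings."""
    root = ET.fromstring(xml_text)
    permissions = {attr(e, "name") for e in root.iter("uses-permission")}
    findings = []

    # Receivers: which watched broadcast actions does each one register for?
    for receiver in root.iter("receiver"):
        actions = {attr(a, "name") for a in receiver.iter("action")}
        for action in sorted(actions & set(WATCHED_ACTIONS)):
            findings.append(f"receiver {attr(receiver, 'name')} {WATCHED_ACTIONS[action]}")

    # Services declaring a foreground service type (the persistent-notification pattern).
    for service in root.iter("service"):
        fs_type = attr(service, "foregroundServiceType")
        if fs_type:
            findings.append(f"service {attr(service, 'name')} runs in the foreground with type {fs_type}")

    # A user-facing app normally declares a launcher activity; its absence is worth noting.
    has_launcher = any(
        attr(c, "name") == "android.intent.category.LAUNCHER" for c in root.iter("category")
    )
    if not has_launcher:
        findings.append("no launcher activity declared")

    watched = sorted(permissions & WATCHED_PERMISSIONS)
    if watched:
        findings.append("sensitive permissions: " + ", ".join(p.rsplit(".", 1)[-1] for p in watched))

    return {
        "package": root.get("package"),
        "permissions": permissions,
        "has_launcher_activity": has_launcher,
        "findings": findings,
    }


# Constructed manifest for a look-alike app; package name and components are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tiktokpro">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application android:label="TikTok Pro">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
        <action android:name="android.intent.action.NEW_OUTGOING_CALL"/>
      </intent-filter>
    </receiver>
    <service android:name=".SensorService" android:foregroundServiceType="microphone"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    result = analyze_manifest(SAMPLE_MANIFEST)
    print(result["package"])
    for finding in result["findings"]:
        print(" -", finding)
```

Run against a whole fleet's decoded manifests, the output feeds the permission-governance review above: a receiver for boot plus call-state intents, a microphone foreground service and SMS permissions together are the combination to question, not any single declaration on its own.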

Likely telemetry

  • Android app inventory, package name, signing certificate, installer source, app label, icon, and version metadata
  • Requested and granted Android permissions, especially microphone, camera, location, SMS, contacts, call log, storage, and accessibility-like data access where available
  • Mobile device management or enterprise mobility logs for sideloading, unknown-source installs, app removals, and compliance state
  • Mobile threat defense or endpoint telemetry for foreground services, scheduled jobs, broadcast receivers, hidden launcher icons, and suspicious background execution
  • Sensor and privacy indicators or logs for microphone, camera, screen capture, and location access where the platform and tooling expose them

Detection direction

  • Do not rely only on the displayed app name; validate package identity, signing certificate, installer source, and whether the app is masquerading as a legitimate TikTok application.
  • Tune for combinations of risk signals: social-media-themed app identity plus excessive permissions, sensor access, SMS/contact/call-log access, location access, scheduled execution, broadcast receivers, or hidden launcher behavior.
  • Review false positives carefully because legitimate social, messaging, navigation, and productivity apps may request some sensitive permissions; the decision point is whether permissions and behavior are appropriate for the app’s expected business use.
  • Validate whether managed Android telemetry can see sideloaded apps and apps installed outside approved stores; this is a common blind spot for BYOD and lightly managed fleets.
  • Use the related techniques to build behavior-based hunts for discovery, capture, persistence, collection, and masquerading behaviors rather than a single malware-family signature.
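As an added example (not from the ATT&CK object or from Glexia's analysis), the Python below scores constructed Android inventory records the way the points above describe: a brand-like label or package name is checked against an allowlisted package and signing-certificate fingerprint, the installer source against approved stores, the breadth of sensitive permissions against a tuning threshold, and a hidden launcher icon is weighted in, with the records then ranked for review. The allowlist package name and fingerprint are placeholders for the organization's own approved-app catalog; `com.android.vending` is the Google Play installer package; the inventory records are constructed.

```python
"""Score Android app-inventory records for brand masquerading, untrusted install
source, excessive sensitive permissions and hidden launcher icons.

Added example, not from the ATT&CK page or Glexia. Allowlist values are placeholders
to be replaced from the organization's approved-app catalog; records are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

# Placeholder allowlist: brand keyword -> approved package names and signing-cert
# SHA-256 fingerprints. Both values are constructed; populate from your own catalog.
BRAND_ALLOWLIST = {
    "tiktok": {
        "packages": {"com.example.approved.tiktok"},
        "cert_sha256": {"aa" * 32},
    },
}

# Google Play's installer package name; add any enterprise store you approve.
APPROVED_INSTALLERS = {"com.android.vending"}

# Android permissions treated as sensitive, with a short tag used in findings.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_SMS": "sms_read",
    "android.permission.SEND_SMS": "sms_send",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot_receiver",
    "android.permission.FOREGROUND_SERVICE": "foreground_service",
}


@dataclass
class AppRecord:
    device_id: str
    package: str
    label: str
    cert_sha256: str
    installer: Optional[str]  # None when the MDM reports no installer (sideload/unknown)
    permissions: set = field(default_factory=set)
    launcher_icon_hidden: bool = False


def brand_match(label: str, package: str) -> Optional[str]:
    """Return the allowlisted brand keyword the label or package name resembles, if any."""
    haystack = (label + " " + package).lower().replace(" ", "")
    return next((b for b in BRAND_ALLOWLIST if b in haystack), None)


def score_app(app: AppRecord) -> dict:
    """Combine identity, installer, permission and icon signals into a 0-100 score."""
    findings, score = [], 0
    brand = brand_match(app.label, app.package)
    if brand:
        allowed = BRAND_ALLOWLIST[brand]
        if app.package not in allowed["packages"]:
            findings.append(f"resembles '{brand}' but package {app.package} is not the approved package")
            score += 40
        if app.cert_sha256.lower() not in allowed["cert_sha256"]:
            findings.append("signing certificate does not match the approved fingerprint")
            score += 30
    if app.installer not in APPROVED_INSTALLERS:
        findings.append(f"installed via {app.installer or 'unknown source'}, not an approved store")
        score += 15
    tags = sorted(SENSITIVE_PERMISSIONS[p] for p in app.permissions if p in SENSITIVE_PERMISSIONS)
    if len(tags) >= 4:  # tuning choice: many legitimate apps legitimately hold one to three
        findings.append("broad sensitive permission set: " + ", ".join(tags))
        score += 5 * len(tags)
    if app.launcher_icon_hidden:
        findings.append("launcher icon hidden after install")
        score += 20
    return {"device": app.device_id, "package": app.package,
            "score": min(score, 100), "findings": findings}


def triage(inventory) -> list:
    """Score every record and return them highest-risk first."""
    return sorted((score_app(a) for a in inventory), key=lambda r: r["score"], reverse=True)


# Constructed inventory: an approved TikTok install, a look-alike sideload, an unrelated app.
SAMPLE_INVENTORY = [
    AppRecord("dev-001", "com.example.approved.tiktok", "TikTok", "aa" * 32, "com.android.vending",
              {"android.permission.CAMERA", "android.permission.RECORD_AUDIO",
               "android.permission.ACCESS_FINE_LOCATION"}),
    AppRecord("dev-002", "com.example.tiktokpro", "TikTok Pro", "bb" * 32, None,
              set(SENSITIVE_PERMISSIONS), launcher_icon_hidden=True),
    AppRecord("dev-003", "com.example.maps", "Maps", "cc" * 32, "com.android.vending",
              {"android.permission.ACCESS_FINE_LOCATION"}),
]

if __name__ == "__main__":
    for record in triage(SAMPLE_INVENTORY):
        print(record["device"], record["package"], record["score"], record["findings"])
```

The weights and the four-permission threshold are starting points to tune against your own inventory: the approved TikTok install and the maps app score zero even though both hold sensitive permissions, because identity, installer and permission breadth are judged together rather than any one signal alone.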

Mitigation priorities

  • Enforce mobile app governance: approved app stores, app allowlisting or blocklisting, and review of apps that mimic trusted brands.
  • Use MDM/UEM policy to restrict sideloading, require device compliance, and inventory installed Android applications on devices that access corporate resources.
  • Apply least-privilege mobile permission practices by challenging unnecessary microphone, camera, location, SMS, contacts, call log, and storage access.
  • Require conditional access or equivalent controls so noncompliant or unmonitored mobile devices cannot access sensitive business systems.
  • Prepare mobile IR playbooks covering isolation, evidence preservation, credential reset decisions, app removal, device re-enrollment, and user notification requirements.

Analyst notes and limits

The most decision-relevant context comes from the relationship set: Tiktok Pro is mapped to a broad set of Android mobile techniques spanning masquerading, discovery, capture, collection, SMS activity, persistence, and hiding behavior. This makes it useful for testing whether a mobile security program can detect and respond to spyware-like behavior on Android devices, especially where corporate identity or communications are accessible from mobile endpoints.

The supplied ATT&CK object has no official detection text, no ATT&CK tactics listed, no aliases, and only a short malware description plus one external research reference. This take does not assert active exploitation, attribution, prevalence, or guaranteed detectability. Local conclusions require organization-specific mobile telemetry, app inventory, device management coverage, legal/privacy constraints, and forensic evidence.

Official MITRE ATT&CK definition

Tiktok Pro

Tiktok Pro is spyware that has been masquerading as the TikTok application.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

20 rows (every row cites [1], Zscaler TikTok Spyware)

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1417.002 | GUI Input Capture (sub-technique) | Tiktok Pro can launch a fake Facebook login page. [1] |
| Mobile | T1430 | Location Tracking | Tiktok Pro can track the device’s location. [1] |
| Mobile | T1429 | Audio Capture | Tiktok Pro can capture audio from the device’s microphone and can record phone calls. [1] |
| Mobile | T1603 | Scheduled Task/Job | Tiktok Pro has contained an alarm that triggers every three minutes and timers for communicating with the C2. [1] |
| Mobile | T1624.001 | Broadcast Receivers (sub-technique) | Tiktok Pro has registered for device boot, incoming, and outgoing calls broadcast intents. [1] |
| Mobile | T1623.001 | Unix Shell (sub-technique) | Tiktok Pro can execute commands. [1] |
| Mobile | T1655.001 | Match Legitimate Name or Location (sub-technique) | Tiktok Pro has masqueraded as TikTok. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique) | Tiktok Pro can collect SMS messages from the device. [1] |
| Mobile | T1582 | SMS Control | Tiktok Pro can send SMS messages. [1] |
| Mobile | T1513 | Screen Capture | Tiktok Pro can take screenshots. [1] |
| Mobile | T1418 | Software Discovery | Tiktok Pro can obtain a list of installed applications. [1] |
| Mobile | T1426 | System Information Discovery | Tiktok Pro can check the device’s battery status. [1] |
| Mobile | T1420 | File and Directory Discovery | Tiktok Pro can list all hidden files in the `/DCIM/.dat/` directory. [1] |
| Mobile | T1541 | Foreground Persistence | Tiktok Pro has shown a persistent notification to maintain access to device sensors. [1] |
| Mobile | T1533 | Data from Local System | Tiktok Pro can collect device photos and credentials from other applications. [1] |
| Mobile | T1636.002 | Call Log (sub-technique) | Tiktok Pro can collect the device’s call logs. [1] |
| Mobile | T1628.001 | Suppress Application Icon (sub-technique) | Tiktok Pro can hide its icon after launch. [1] |
| Mobile | T1630.002 | File Deletion (sub-technique) | Tiktok Pro can delete attacker-specified files. [1] |
| Mobile | T1636.003 | Contact List (sub-technique) | Tiktok Pro can access the device's contact list. [1] |
| Mobile | T1512 | Video Capture | Tiktok Pro can capture photos and videos from the device’s camera. [1] |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 0243f770db4cea72...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 0243f770db4c… |
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Zscaler TikTok Spyware: S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.
  2. [2] mitre-attack S0558.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.