A massive cybersecurity campaign dubbed ClickTok is targeting TikTok Shop users worldwide, combining phishing and malware to steal credentials and deploy SparkKitty spyware. First reported by CTM360 on 4 August 2025, the scam exploits TikTok’s brand trust and affiliate ecosystem, posing urgent risks to consumers and businesses alike.
CTM360’s report reveals a multi-phase scam targeting TikTok Shop buyers and affiliate participants. The attackers use:
- AI-generated TikTok videos and fake Meta ads to lure victims.
- Over 10,000+ spoofed domains mimicking TikTok Shop, Mall, and Wholesale.
- 5,000+ malicious app download sites, often embedded in QR codes.
- Trojanized apps that mimic TikTok’s interface but deploy SparkKitty spyware.
The scam is active in all 17 official TikTok Shop countries, including the US, UK, Indonesia, and parts of Europe and Asia, but is rapidly expanding globally.
MITRE-Inspired Scam Lifecycle
CTM360’s Scam Navigator, modeled on the MITRE ATT&CK framework, maps the ClickTok campaign across seven stages:
- Resource Development: Fake domains, phishing kits, modded apps.
- Evasion: Use of Google OAuth to bypass email validation.
- Trigger & Distribution: AI-generated ads, Telegram/WhatsApp outreach.
- Target Interaction: Fake dashboards, login pages, and storefronts.
- Monetization: Cryptocurrency theft, advance fee scams, PII harvesting.
SparkKitty Trojan: Technical Deep Dive
App Behavior
- Mimics outdated TikTok UI.
- Bypasses login via Google OAuth.
- Injects fake TikTok Shop elements.
- Abuses WebView to harvest credentials.
Network & C2 Infrastructure
- Communicates with hardcoded C2 domain:
https://aa.6786587.top/?dev=az. - Sends Base64-encoded payloads containing campaign IDs and device metadata.
- Functions as a stage-one loader, reporting infections and fetching instructions.
Malware Capabilities
- Gallery scraping: Exfiltrates screenshots and seed phrases.
- Device fingerprinting: Captures OS, device ID, location.
- Image exfiltration: PUT requests to C2 with stolen images and metadata.
“The SparkKitty Trojan is a cross-platform mobile spyware distributed via malicious crypto-themed apps on both official app stores and scam websites,” – Kaspersky, 16 July 2025.
Regional & Global Impact
While TikTok Shop is officially available in select regions, the scam’s global spread shows no geographic boundaries. The use of low-cost TLDs (.top, .shop, .icu) and social engineering via popular platforms like Telegram and WhatsApp makes it especially dangerous in regions with high TikTok adoption but low digital literacy.
Actionable Takeaways for Defenders
- Block known C2 domains like
aa.6786587.topacross firewalls and endpoints. - Monitor for SparkKitty indicators: unusual WebView behavior, Google OAuth misuse.
- Educate users on spotting fake TikTok Shop interfaces and ads.
- Deploy mobile threat defense (MTD) solutions to detect trojanized apps.
- Audit affiliate onboarding processes to prevent impersonation.
- Use DNS filtering to block spoofed domains (.top, .shop, .icu).
- Implement MFA for TikTok-related accounts.
- Scan for phishing kits and modded APKs in app stores and third-party sites.
- Report impersonated TikTok domains to hosting providers and CERTs.
- Collaborate with social platforms to remove fake influencer profiles.
Conclusion
The ClickTok campaign marks a dangerous evolution in social commerce scams, blending phishing, spyware, and brand impersonation to exploit TikTok’s massive user base. With SparkKitty’s capabilities and hardcoded infrastructure, defenders must act swiftly to contain the threat and protect users from financial and data loss.
Source List
- CTM360 Report
- Kaspersky SparkKitty Discovery
- Securelist Analysis
- MITRE ATT&CK Framework
- Cybersecurity News & Alerts
- Cybersecurity Services
