Participating in the Invisible Challenge on TikTok could put users at risk, according to the Nigerian Communications Commission’s Computer Security Incident Response Team (NCC-CSIRT).
According to the commission, it opens up devices to spyware that steals personal data.
Threat actors have reportedly used a viral TikTok challenge called the Invisible Challenge to spread information-stealing malware called the WASP (or W4SP) stealer, according to an advisory from the NCC-CSIRT.
The WASP stealer is an undetected, persistent virus hosted on Discord, with a high probability and critical damage potential.
“Those who click on the link and attempt to download the software, known as ‘unfilter’, are infected with the WASP stealer. Suspended accounts had amassed over a million views after initially posting the videos with a link.” Following the link leads to the “Space Unfilter” Discord server, which had 32,000 members at its peak but has since been removed by its creators.
“Successful installation will allow the malware to harvest keystrokes, screenshots, network activity, and other information from devices where it is installed. It may also covertly monitor user behaviour and harvest Personally Identifiable Information (PII), including names and passwords, keystrokes from emails, chat programs, websites visited, and financial activity. This malware may be capable of covertly collecting screenshots, video recordings, or the ability to activate any connected camera or microphone,” it said.
The Team said some ways to forestall such an attack include avoiding clicking on suspicious links, using anti-malware software on your devices, checking the app tray and removing any apps that you do not remember installing or that are dormant, and embracing healthy password hygiene practices such as using a password manager.