In late December, Google and Apple removed the ToTok social messaging app from their marketplaces after US intelligence officials told The New York Times it was a tool for surreptitious spying by the United Arab Emirates government. About a week later, Google reinstated the Android version of the app with no explanation, a move that confounded app users and security experts. Now Google has once again baffled industry watchers by once again banishing the app without saying why. (Apple, meanwhile, has continued to keep the iOS version of ToTok out of the App Store.)
Over the past few days, Play Protect, the Google service that scans Android devices for apps that violate the company’s terms of service, started displaying a warning that says: “This app tries to spy on your personal data, such as SMS messages, photos, audio recordings, or call history. Even if you have heard of this app or the app developer, this version of the app could harm your device.”
The message, displayed to the right, then gives the user the option to either “uninstall” or “keep app (unsafe).”
Google has declined to comment to me or any other reporters seeking the reason for this strange series of back-and-forth moves. In the vacuum, commentators have offered all kinds of theories for Google’s rationale.
“Is this where the tinfoil hat of rampant speculation comes out?” asked information security professional Ben Montour on Twitter. “UAE friendly insider on app approval team? Allowed it back, was caught and it was pulled again?”
— Ben Montour (@benmontour) February 20, 2020
I’ll be watching you
In the months leading up its initial removal, ToTok received millions of downloads from Play and the App Store combined. The iOS app alone had more than 32,000 user reviews, most of them favorable. It’s possible many of the downloads and reviews were part of a UAE-sponsored astroturf campaign designed to increase the favorable visibility of the app, but it’s likely much of the popularity was genuine. The UAE government had already restricted use of rival apps, such as Skype and WhatsApp, a move that made ToTok more appealing to those communicating with people inside the country.
The initial removals by Google and Apple came within days of the New York Times article, which said the UAE government was using ToTok to “try to track every conversation, movement, relationship, appointment, sound, and image of those who install it on their phones.”
An independent analysis by macOS and iOS security expert Patrick Wardle confirmed that the iOS-version of ToTok did in fact collect the entire address book and upload it to a server connected to the ToTok domain. That activity happened only when users gave the app permission to access their contacts, but granting such rights is an expected and standard practice for those using messaging apps.
“Basically [app developers] didn’t have to add any malicious code to the app (on the phone),” Wardle, who is a security researcher at the macOS and iOS enterprise management firm Jamf, told me on Thursday. “Just ban all other apps in the UAE, offer a free alternative, push it via the (state) media/fake reviews and make sure all in-app comms (msgs, videos, images, etc. etc.) are routed through their servers (with no E2E encryption). Then once you identify targets/ppl of interest, you throw/use your iOS/Android 0days against just those handful of targets. It’s really a lovely approach… well, from their point of view.”
A zeroday is an attack that exploits a software vulnerability that’s unknown to the developer. Weaponized zeroday exploits—meaning they reliably and stealthily hack devices and aren’t easily detected—often cost large sums of money. The UAE has been suspected of using an expensive iOS zeroday in 2016 in an attempt to hack the iPhone of a political dissident in that country.
“Resolute in our innocence”
In a statement published on Thursday, ToTok officials said once again that there’s “no legitimate reason” for Google and Apple to remove the app from their stores.
“The sudden removal of our app from the two app stores, in the absence of any evidence, speak clearly about the lack of impartiality and fairness of Apple and Google towards the developer community and, ultimately, towards their and our customers,” the officials wrote. “Resolute in our innocence, over the past few weeks, we have taken great pains to ensure adherence to Apple and Google policies and requirements, and we are firmly convinced of being in technical and contractual compliance with all of our obligations.”
The statement said that the app continued to be available in app stores provided by phone makers Samsung, Huawei, Xiaomi, and Oppo. ToTok remains available for download on its website.
Google’s removal and reinstatement of ToTok two months ago, and its reversal this week, reinforce the reputation of Play as a market that poses a security risk to millions of users. Play routinely is caught distributing apps that surreptitiously steal cryptocurrency wallets, upload personal photos, and install malware and backdoors.
Google’s silence in explaining ToTock’s back-and-forth availability in play and the company’s reticence in telling users exactly what its analysts know about the app only adds to the suspicions.