Introduction
On 13 March 2024, the US House of Representatives approved a bill which demands that China-based ByteDance divest the popular social media platform TikTok, effectively banning it in the country. The measure was passed with a 352 to 65 vote after being introduced on 5 March 2024 by Republican Mike Gallagher and Democrat Raja Krishnamoorthi. The legislation has been called the Protecting Americans from Foreign Adversary Controlled Applications Act and refers to TikTok as a threat to national security because it is controlled by a foreign adversary. The US claims that the organisation could be forced by the Chinese government to hand over the data of 170 million US users, presenting potential risks to the US. After amendments in the House, the act passed through the Senate and was signed into law by President Joe Biden on 24 April 2024. This meant that ByteDance had 270 days to sell TikTok or face it being prohibited on US app stores and from the internet hosting services which support it. The earliest day the ban can go into effect is 19 January 2025.
If the ban is enacted, online marketplaces, which include app stores, must stop TikTok from being available to users in the US. As such, the Apple App Store and Google Play Store must be ready to pull TikTok from their platforms because the bill makes it unlawful to distribute, update, or maintain services controlled by foreign adversaries. This would mean that new users would be unable to download TikTok onto their devices, whilst existing installations would no longer receive updates. Moreover, fixes for any vulnerabilities or bugs will not be available to American users, likely rendering the app unusable in the future. The law states that those who do continue to make the app available in the US could face fines of up to $5,000 per user accessing it.
Since this announcement, many US-based TikTok users have expressed frustration with the decision and have begun to look for alternatives as the deadline draws nearer. This report will explore the potential risks that this situation poses, as users begin to look for alternative access to TikTok and take more drastic actions in protest of the ban. Alongside this, it will explore threat actor reactions to the ban and how this may affect various areas across the fraud and cyber landscape.
Understanding the Risks
Sideloading
Since the early days of smartphones, application marketplaces such as Apple’s App Store and Google’s Play Store have remained the default and recommended method for users to install apps. However, there are other methods which can be used to install apps onto a device. A technique known as sideloading can be used to install an application from a third-party source, such as an unofficial app store. Whilst unofficial app stores are not inherently dangerous in themselves, they are often used as a conduit for threat actors to deliver malicious applications, because doing so bypasses the security checks which are commonly present on legitimate application marketplaces such as Apple’s App Store and Google’s Play Store.
With the ban threatening to remove TikTok from legitimate app stores, it is likely that a large number of users will look to sideload the application onto their devices. Compounding this is that large numbers of users will likely not have high levels of technical knowledge. As such, this presents multiple attack vectors for threat actors to use, both in getting users to sideload fake applications, as well as providing potentially misleading advice on rooting or jailbreaking a phone.
One notable historic example of this occurred after the mobile game ‘Flappy Bird’ was removed from app stores. Reports show how several clone applications were created in an attempt to deceive users into downloading them. A more recent example of such a clone was found on the Google Play store. This clone was used to deliver a version of the MobSTSPY malware, an information stealer. If multiple users begin to look to alternate sources to download a “working” TikTok APK, it is likely that threat actors will begin creating Trojanised versions. Similar approaches have been observed with platforms like Telegram, which had many third-party sites offering “premium” or special versions of the app, only to deliver a stealer or backdoor. One recent example of this includes the FireScam stealer being installed on victim devices and subsequently performing surveillance on the user.
As is the case with supply and demand, the more individuals who look to sideload TikTok, the more threat actors will look to exploit this and deceive unsuspecting users. If the major app stores are required to remove the app, then it is likely there will be a surge in users going to third-party sites to find the app. Alongside this, while jailbreaking and rooting are not necessary to sideload an app, many users may take this step, which can severely weaken the device’s built-in security. Because of this, even if a legitimate TikTok application is installed, many user devices may remain more vulnerable to future threats.
Whilst many may feel compelled to sideload TikTok, it is vital that users do not take this measure. As such, users should only install applications from legitimate application stores, as is the best security practice. It is likely that as the ban takes shape, further advice will be made available. Users should wait for this guidance before taking any unnecessary measures.
Phishing and Impersonation
Phishing is a cornerstone of the threat actor toolkit, remaining one of the most common initial access vectors and accounting for 15% of all breaches. As a prominent app, TikTok has already been used to conduct phishing attacks. This includes a campaign which hijacked Microsoft accounts through an open-redirect vulnerability on the legitimate tiktok[.]com domain. Now, with the confusion and uncertainty around the TikTok ban, it is almost certain that threat actors will use this to build effective phishing campaigns.
With many TikTok users likely being unaware of the exact information and process regarding the ban, a host of new phishing lures will likely emerge. Lures often follow a pattern and exploit some of the main reasons individuals click on phishing emails. Users should remain wary of the following types of phishing emails:
- Credential-based: emails which harvest credentials that offer access back to TikTok, or threatening users by using pressure tactics to tell them that they need to delete their account by clicking a link.
- Financial-based: threatening emails claiming users have been caught using the app and asking for money in exchange for not reporting them.
- Access-based: emails impersonating TikTok which inform users that they must download another app or software to verify the deletion of TikTok, otherwise they may face fines.
Whilst this is not an exhaustive list, it gives some indication of the techniques which threat actors may look to use and what type of activity to be aware of.
In 2021, TikTok was reported to be the most impersonated app in Covid-19 related Android scams. These applications were created in an attempt to profit from the Covid-19 pandemic. While this statistic is from 2021, fake apps may become a common threat as attackers look to target individuals. In contrast to sideloading, this is likely to take place on app stores. For example, threat actors may use techniques such as SEO poisoning to get a fake application to appear at the top of the search results. This will be particularly effective once the app is removed, as individuals who are unaware of the ban may mistakenly install the masquerading application. This type of threat is more likely to be a risk to Android users, with the Google Play store being the main distribution method for Android malware. This is because the Apple App Store has more stringent protections, meaning malicious apps appear on it less frequently.
Phishing and social engineering threats are most effective in situations where a victim is in a confusing and complicated scenario. As such, the current situation surrounding the US TikTok ban presents a unique and powerful scenario for threat actors. US-based TikTok users should remain vigilant about how threat actors may look to target them and avoid installing any applications claiming to be TikTok if the ban takes place.
Understanding the Public Response
The Move to RedNote
As the ban on TikTok nears, many US-based users are increasingly migrating to a Chinese app called RedNote.
The app’s Chinese name is Xiaohongshu, which translates to Little Red Book in English. However, it is also known as RedNote and has been described as a mix between Instagram and TikTok. It reportedly has around 300 million monthly users and allows users to share content in various formats such as photos, videos, text, and livestreaming. The app is a competitor to TikTok and is popular with young individuals, particularly women, across Mandarin-speaking countries. As more American users create accounts on the platform, it has become one of the most downloaded apps in the US. According to a report by Reuters, more than 700,000 new users have joined RedNote as the organisation looks to capitalise on the sudden influx of individuals joining the platform. TikTok users who have migrated to RedNote have begun using the phrase ‘TikTok refugee’ in posts and hashtags, with around 160,000 posts on the topic being observed.
RedNote was founded in June 2013 and is owned by Xingyin Information Technology (Shanghai) Co Ltd, which mainly operates its business in China. In June 2018, RedNote received an investment of $300 million from the Alibaba Group and Tencent. More widely, RedNote has reportedly received $918 million in funding, with its investors including Boyu Capital, CITIC Capital, and DST Global.
However, there have been concerns raised about the safety of using RedNote. Since December 2022, Taiwan’s public officials have been restricted from using the app because of alleged security risks from Chinese software. Additionally, users who do not speak Mandarin must agree to terms and conditions and privacy notices which they cannot read. This has prompted some security concerns, particularly when US-based users may not know what it is they have agreed to. A security researcher on X (formerly Twitter) conducted some analysis of the app’s activity. Through their research, it was found that RedNote communicates with servers in Tencent’s Cloud. Here, the app transmits a large amount of sensitive device information. Most notably, the researcher concludes that the app not only sends significant amounts of device information but is also capable of tracking user activity. Whilst this is not uncommon with many applications, much like TikTok, the app is subject to China’s data laws. This means that government authorities could access user data without the same level of privacy protection that is offered in the US. This lack of transparency is something which users should be highly aware of, and they should consider the risks that come with sharing personal and sensitive information with the application.
The app is also subject to censorship, which is enforced by deleting or shadow banning content which is deemed politically sensitive by the Chinese government. Despite this, many American users have stated that the move to RedNote is a form of protest against their own government for proposing to ban TikTok. However, it is unclear whether the platform will remain in the long term as a replacement for TikTok. After all, the legislation which Biden passed through the House states that the US government can apply the same process to other foreign-owned services which are deemed hostile. As such, whilst TikTok and ByteDance are specifically named in the upcoming ban, the incoming Trump administration could apply the legislation to RedNote in the future if it believes it to be hostile.
Options for Fraud
Users migrating from TikTok will be experiencing new functionality and interactions, as with any new app. This will inevitably be the case with the migration to RedNote, where users will require time to become accustomed to a new user interface (UI) and experience. Users will also need time to understand and adjust the privacy controls on the application. This is only exacerbated by a number of these apps functioning exclusively in Mandarin. A move to a new application is always surrounded with risk, and threat actors will likely see this as an opportunity to take advantage of user confusion and language discrepancies. Tactics such as account compromise will be seen as viable, as new users come onto the platform with low privacy and security settings by default. Alongside this, threat actors will seek opportunities to exploit users through social engineering, pivoting off followers and public friend networks on old platforms. As such, threat actors may claim to be other users from these networks now seeking connections on the new platform.
It is also highly likely that fake accounts will be created quickly using trademarked logos. These would usually be subject to copyright protection but will likely be missed as mainstream companies take time to adapt to monitoring the new threat space. Additionally, new processes for ‘takedowns’ would have to be established by those unprepared for this new threat, and new relationships would need to be built between the platform and the legal and threat mitigation teams within organisations.
However, the TikTok ban effectively presents fraud risks similar to those of users migrating to any new social media platform. Unique to this situation are the locations to which many users are migrating, and the lack of understanding many have of the conditions they have agreed to. It will be interesting to observe the role new social media apps such as RedNote may play within the wider fraud landscape.
Threat Actor Responses
Cyjax monitors prominent cybercriminal forums and has observed that the response to this issue from threat actors is fairly limited. However, there have been several discussion threads posted throughout January 2025 across prominent cybercriminal forums. For example, a post titled “ww3 soon?” began as a discussion between several users about the general state of the world and a desire to see war break out to alleviate their “boredom”. However, the topic of TikTok was then raised by one user as a potential prelude to all-out conflict between the United States and China. The same user also stated that, should TikTok be banned, users will “seek it dangerously” using torrents or VPNs, which they believe will act as a “gateway into other dark web avenues”. Within the same thread, other users commented that they thought the ban was a positive thing. Here, users stated that they disliked the thought of the Chinese government having access to their data or influencing their content.
Another example concerns a thread titled “News: Musk wil buy tiktok? [sic]”, which refers to the recent media reports concerning the US branch of TikTok being sold to Elon Musk. The majority of users commenting on the thread responded negatively to the idea, citing issues with how Musk has managed X (formerly Twitter). One user described the tech billionaire as a “fascist”, whilst another also referenced RedNote as an alternative application to TikTok.
As of January 2025, outside of these geopolitical discussions, there are currently no major instances where threat actors have publicly discussed the potential tactical implications of TikTok’s sale or shutdown. Additionally, there has not been a noticeable change in posts concerning the sharing of stolen TikTok account details or methods to exploit the platform. Nor has there been a significant rise in the targeting of other platforms, such as RedNote, particularly where the TikTok ban has been cited as the rationale for it.
Conclusion
The TikTok ban presents a number of practical risks and issues which may pose a threat to US users. From those targeting individuals directly to those exploiting the desire to return to the app, it is important that users are aware of the risks posed, so that there is not a large spike in US victims falling for these phishing and fraud attempts.
It is important to note that the changing political situation in the US will likely have an effect on the TikTok ban. Cyjax previously conducted an analysis of the reactions to the Republican victory, and the TikTok situation is already playing a role in this. The ban is set to take place on 19 January, with Trump’s inauguration set to take place a day later on 20 January. Consequently, many are looking to the new leader to solve the situation. Republican congressman Mike Waltz has been quoted as saying “we will put measures in place to keep TikTok from going dark”, though it is not immediately clear how this will occur. ByteDance, TikTok’s parent company, has stipulated that it is ready to disable the application for the US on Sunday. As such, if negotiations are to take place, then they will need to be fast.
No matter the outcome of the ban, this situation will cause a significant shift in US attitudes and online behaviours. Subsequently, it is an incident which threat actors will be acutely aware of. This is especially the case with the mass move to RedNote, which highlights that most US citizens perceive the risk of Chinese spying and data theft as negligible. Whilst this potential lack of concern so far appears harmless and jovial, if it continues then threat actors will likely use it to their advantage and target TikTok’s users.