
CTM360 Discovers Malicious ‘ClickTok’ Campaign Aimed at TikTok Shop Users

CTM360 has uncovered a new global malware campaign known as “ClickTok,” which disseminates the SparkKitty spyware through counterfeit TikTok shops to pilfer cryptocurrency wallets and deplete funds. This unique spyware trojan is specifically designed to target TikTok Shop users worldwide. The ClickTok operation employs a sophisticated hybrid scam model that merges phishing and malware tactics to mislead buyers and affiliate program participants on TikTok’s expanding e-commerce platform. Within this campaign, TikTok shops have been found to be embedded with SparkKitty spyware, a variant similar to SparkCat, previously identified by Kaspersky. Once installed, the spyware infiltrates the user’s device, accesses the photo gallery, and extracts screenshots that may contain sensitive cryptocurrency wallet credentials.

The ClickTok scam operates by impersonating TikTok’s commercial ecosystem, including TikTok Shop, TikTok Wholesale, and TikTok Mall. Threat actors create fake TikTok websites that closely resemble the official interface, tricking users into believing they are engaging with the legitimate platform. Victims are enticed to log in and make purchases, during which they are instructed to pay using cryptocurrency wallets. After payment is processed, the trojanized app, embedded with SparkKitty spyware, covertly captures sensitive data, including wallet credentials, by reading screenshots and images stored on the device. The attackers employ two primary strategies: phishing websites that lure users to enter login credentials and payment details, and modified TikTok apps that are infected with SparkKitty, capable of deep device surveillance and credential theft. Additionally, ClickTok scammers utilise fake AI-generated videos and Meta ads to broaden their reach, directing users to cybersquatted domains that closely mimic authentic TikTok URLs. 
