Challenges on social media are as old as the phenomenon of social media itself, and they seem to rapidly get out of hand and then blow over. The Cinnamon Teaspoon, the Detergent Pod, the Bird Box or the #InMyFeelings Challenges are just a few of the attempts to gain a moment of Internet glory at the expense of physical security. You probably get why we’re used to keeping a wary eye on the latest and greatest trends in social media.
Enter today’s trend, the Yearbook AI challenge – a new contender on the “viral” market that caters to people who want to know how they would look in a 1990s yearbook photo. We took a closer look at the risks users could face when trying to complete the challenge.
The EPIK - AI Photo Editor is the main app people use to complete the challenge. We investigated what it does from a security standpoint and whether people expose themselves to risks when downloading and using it. We chose Android for this analysis, as it’s the most widely used mobile operating system and it also allows installing applications from third-party sources.
Our initial research on EPIK reveals that the app does not list or ask for any permissions unrelated to its functionality and is safe to use from a security point of view.
While there is no indication that EPIK does anything it shouldn't, users should read the Terms and Conditions. One paragraph contains important information about what the company does with the collected information.
You can find these details under "PERSONAL INFORMATION WE SOLD OR DISCLOSED FOR A BUSINESS PURPOSE" in the official terms and conditions. That data includes your real name, alias, postal address, unique personal identifier (such as a device identifier, cookies, beacons, pixel tags, mobile ad identifiers and similar technology), phone number, email address, online activity (including browsing and search history) and more.
Just like any cool app, this one has gained the attention of cyber-criminals as well. Threat actors will often taint real apps, repackage them, and make them available from third-party websites. These cloned applications are called evil twins. This is more of a problem on Android, which is the only platform that allows users to sideload apps, presenting a very different set of security challenges.
Many popular apps are not free, and users must pay for the premium features. That's why the Internet is full of fake cracked apps that promise a complete experience. In reality, attackers could package dangerous malware alongside the official app.
We identified hundreds of similar EPIK samples distributed outside of official mobile markets, a dangerous practice in itself and one we strongly advise against. Around 20 percent of these samples were signed with a leaked certificate that has been used by a prolific cybercrime ring to install information-stealing malware in past campaigns.
Other samples were packed with NP Manager, which threat actors use in many other apps and which security solutions detect as riskware.
The map below shows the geographic distribution of victims using evil-twin versions of the EPIK – AI Photo Editor:
While viral trends can be a fun and engaging way to connect with others online (at least when they don’t incite reckless behavior in the real world or personal data disclosure in the cyber-realm), they also come with several security problems.
Here are some tips to help you take part in these challenges with minimal risks:
Many thanks to Albert Endre-Lazlo for his research.