TikTok ‘Invisible Challenge’ has over 3 billion views — and hackers love it


Hackers are always coming up with clever ways to exploit the latest trends, and the latest example leverages a popular TikTok challenge to trick unsuspecting users into installing malware on their devices.

If you haven’t heard about the Invisible Challenge on TikTok yet, it involves applying the invisible body filter which uses your body’s skin tone like a green screen. If there’s a neutral-colored background in your video and you have the filter enabled, it can make you look almost invisible except for a silhouette around the outline of your body.

Even though the invisible body filter has been available on TikTok for several years now, some content creators have begun using it to hide their bodies while filming in the nude. As you might expect, some people have started to wonder whether the filter could be removed so that they could see what’s hiding underneath it.

Hackers were quick to jump at the idea, and according to BleepingComputer they have now begun offering special “unfiltering” software that supposedly removes the filter. However, this software is completely fake: instead of removing the invisible body filter from TikTok videos, it installs the WASP stealer malware, which steals passwords, accounts and even cryptocurrency.

Exploiting the Invisible Challenge TikTok trend

According to a new report from the cybersecurity firm Checkmarx, two TikTok users posted videos on the platform that have been viewed more than 1 million times in order to promote an app capable of removing the invisible body filter. They also included a link in their bios on the platform to a Discord server called “Space Unfilter” where others could download the app.

If a user does decide to click on the link and join the Space Unfilter Discord server, they are greeted with NSFW videos uploaded by the hackers behind this campaign that allegedly show how their software is able to remove the TikTok filter in question. A private message is also automatically sent by a bot account called “Nadeko” that asks users to star the GitHub repository where the malicious app is hosted.

These private messages seemed to serve their purpose, as the repository (where all of the project’s files are stored) quickly became a trending GitHub project. Once downloaded onto a victim’s smartphone or computer, a script inside the repository installs a malicious Python package containing the WASP stealer malware.

At this time, it appears that this campaign is still ongoing. As Checkmarx points out in its report, whenever the Python security team deletes the hackers’ malicious packages, they improvise and republish under a different name. Fortunately, though, the Space Unfilter Discord server has been taken offline and the GitHub repository has been replaced with “Nitro generator” files.


Hackers and other cybercriminals love to use trends — especially ones that create a sense of urgency — to their advantage. We saw this with Queen Elizabeth II earlier this year and with fake cures for the coronavirus during the beginning of 2020. This is why you always need to be careful when clicking on links whether it be on social media or in your inbox.

If something seems too good to be true, it probably is, and having your identity stolen or your devices infected with malware just isn’t worth the risk. To avoid falling victim to these kinds of scams, you should look out for incorrect spelling and poor grammar, as they are both major red flags. At the same time, you want to avoid opening messages or emails from unknown senders, especially when they have a blank subject line.

Installing one of the best antivirus software suites on your computer and one of the best Android antivirus apps on your smartphone can help prevent your devices from becoming infected with malware, but cybercriminals can still take over your accounts through phishing. If a website or app asks you to log in even though you already are, this could be a sign that you’re actually on a phishing page or that a hacker is using an overlay to steal your credentials.

As for the Invisible Challenge on TikTok, you shouldn’t take videos or pictures of yourself that you wouldn’t want others to see in the first place. Even if you’re using a filter, exposing yourself online can come back to haunt you in the future.


Anthony Spadafora
Senior Editor Security and Networking