Flappy Bird, Malware, and TikTok
2025-02-01

Amid the discussion of data security, surveillance, and TikTok in the US recently, there's an aspect of the US ban that hasn't received enough attention: that it creates a huge opportunity for bad actors to spread malware to desperate users willing to seek out alternative download methods. I talked about it with Thomas Germain at the BBC for a piece that came out yesterday, "For sale: An iPhone with TikTok installed, $50,000." Thomas does a great job of summarizing the situation. Hopefully it helps to put it on more people's radars (especially kids and their parents). Here's a little more about why we're in this position:

The United States does not have a big, centralized internet censorship apparatus like China, Iran, or Russia (this is a good thing). Instead of technical interventions, our TikTok ban is implemented primarily through market-based restrictions. Most publicly, this means app stores are required to remove TikTok, preventing users from downloading it. When Trump delayed the ban by 90 days, other companies involved, like Akamai and Oracle, restored their back-end services but Google and Apple held steady -- the app is still unavailable to download. One reason for this may be the way they interpret the letter of the law, fearing steep fines if the president changes his mind. Another may be that they're two of the American companies (Google in particular) who stand to benefit most from the ban as their own apps and services capture former TikTok users. Whatever the reason, at the moment TikTok works, but only if you already have it on your phone.

In 2014, the simple but difficult mobile game Flappy Bird went viral. Millions of people downloaded it from the App Store and Google Play, tapping the screen to navigate a little bird through a series of obstacles. Then its developer, disturbed by reports that the game proved addictive for so many people, took it down. Sensing an opportunity, many people started selling their used phones on eBay with a considerable markup, advertising that they had Flappy Bird installed. Then came the malware. High demand combined with sudden scarcity means desperate people will look for workarounds. In this case, it meant falling for imposter apps in the app stores and seeking out sketchy unofficial downloads on the web. One of the most common forms of malware took control of users' phones to send premium text messages (which appear on the owner's bill) and hide warning notifications.

TikTok is far more popular than Flappy Bird ever was, and far more integrated into its users' daily lives. Flappy Bird was a viral success for a few weeks, while questions about the "addictive" nature of TikTok have been central to discourse about the platform for years. TikTok is part of people's day-to-day communication and socialization in a way that Flappy Bird never was. And unlike Flappy Bird, TikTok is subject to network effects: the more you use it, the more connections you form, the harder it is to leave it behind. Anyone who's ever tried to quit one of these big social media platforms can tell you it's easier said than done. For young people in particular, it's probably the first such platform they've come to rely on -- and now it's suddenly gone.

All of this is to say, if people were willing to cut corners and take risks to get Flappy Bird, they'll definitely do the same for TikTok, and you can bet a range of bad actors are primed to take advantage of desperate users just trying to regain access to networks they've spent years building. There are settings in Android phones to disable the installation of apps from "unknown sources," and the iOS App Store tightly controls such downloads by default, but there are workarounds for both devices, and instructions for doing so are likely already spreading.

This is one of the challenges with trying to ban an app through app store restrictions, but it's important to recognize that while there are major downsides to this approach, it is still less harmful and oppressive than erecting a centralized censorship apparatus that uses ISP-level filtering, deep packet inspection, or other such techniques. We don't want a "Great Firewall of America" to censor content before it gets to Americans. The law being used to ban TikTok is a blunt, destructive instrument that gives the president extraordinary power to ban entire platforms full of Americans' speech without disclosing any evidence. It does nothing to address the root causes of algorithmic influence or data security, which are both almost entirely unregulated at the federal level. As a result, we let foreign influence go largely unchecked on other platforms and, if TikTok were to divest, as an American company it would then ironically be legal for it to sell user data to China.

Read "For sale: An iPhone with TikTok installed, $50,000" by Thomas Germain at BBC.com.