Popular Chinese app hijacks users’ devices and exposes personal data

Popular Chinese Android app hijacks users’ devices by signing them up for unwanted services and stealing their personal data, security researchers find

  • App runs invisible ads, signs users up for paid services and steals private data
  • VidMate has been downloaded more than 500 million times around the world
  • Had the app’s shady tactics not been discovered by researchers, unsuspecting users could have taken on $170 million worth of unwanted charges 

A popular Android app downloaded over 500 million times could be putting users’ privacy at risk.

Security researchers have discovered the Chinese app, called VidMate, hijacks smartphones by running invisible ads, subscribing users to paid apps without their consent and exposing personal data.

The shady tactics stand to cost users up to $170 million worth of unwanted charges. 

WHAT IS VIDMATE? 

VidMate is a popular Chinese Android app used for downloading videos and songs from YouTube, Dailymotion, Vimeo and other sites. 

It can be downloaded through third-party app stores like CNET’s Download.com.

The site boasts its ability for ‘fast download’ of content and ‘offline sharing’ with other users. 

Researchers from Secure-D, the mobile ad fraud division of UK-based mobile monetization firm Upstream, detailed their findings in a post published on Monday. 

They discovered that VidMate has a hidden component within the app that delivers hidden ads, generates fake clicks and purchases, installs malicious apps and siphons off users’ private information – all without their knowledge. 

As a result, it eats up users’ data allowance and costs them money.  

Upstream researchers blocked over 128 million malicious mobile transactions that were attempted by the VidMate app on 4.8 million devices. 

Had they not been blocked, they could have cost users a boatload of unwanted charges. 

‘Mobile advertising is a multi-billion-dollar industry on the rise and a very fertile ground for fraud,’ Guy Krief, CEO of VidMate, said in a statement.

‘The VidMate example, whereby a single app is responsible for 130 million suspicious transaction attempts over a few months, is cause for great concern. The growing sophistication of disguised malware calls for an ever more vigilant approach.’

Users were primarily targeted in Egypt, Myanmar, Brazil, Qatar, South Africa, Ethiopia, Nigeria, Malaysia and Kuwait. 

Researchers first detected suspicious activity from VidMate in 2017, but noticed a spike in transactions late last year, according to BuzzFeed News. 

Although it is an Android app, VidMate isn’t listed on the Google Play Store, but it can be downloaded through third-party app stores like CNET’s Download.com.

VidMate was developed by UCWeb, a unit of Chinese tech giant Alibaba, before it was sold off in 2018.

It’s not clear who currently owns VidMate, BuzzFeed noted.

The app allows users to download songs and videos from sites including YouTube, Facebook, WhatsApp, Instagram and Dailymotion, among others. 

The app is popular in developing areas where spotty network coverage may make it easier to download rather than stream mobile content.   

However, in exchange for that convenience, users are being subjected to unwanted charges and data use, Upstream said.

To confirm the suspicious activity, researchers were given access to three smartphones with VidMate installed where users said they’d noticed ‘unexpected data use, overheating and reduced battery even when the device was not in use.’

Researchers analyzed all HTTP traffic coming in and out of the device to see if anything stood out. 

Not long after, they noticed hidden and suspicious code being loaded in the VidMate app through a third-party SDK called Mango. 

The app not only commits ad fraud by running hidden ads and generating fake clicks for monetization, but it also surreptitiously collects sensitive user data, such as the device’s IMEI number and IP address, without getting the user’s permission first.

It then connects users to an encrypted server owned by Nonolive, a game streaming platform owned by Alibaba, where it secretly directs them to app subscription landing pages and signs them up for paid services.  

The suspicious activity could have real consequences for VidMate users, eating up more than 3GB of data per month via hidden activity in the background.

‘That could add up to users paying $100 a year in mobile data charges,’ Upstream said.

‘In markets such as Brazil, this represents nearly half a month’s work paid at a minimum wage.’

In response to Upstream’s findings, VidMate said it would investigate the Mango SDK.

‘Not only do we not program such practices into our core app, we have a zero-tolerance policy because it is in VidMate’s interest to protect our users against such detrimental practices,’ a VidMate spokesperson told BuzzFeed News.

The company added that it has already ended its relationship with Nonolive following the Upstream report, BuzzFeed said.      
