A popular Android app that has been downloaded more than 500 million times can compromise user privacy.
Security researchers have discovered that the Chinese app hijacks VidMate smartphones by displaying invisible advertisements, subscribing users to paid apps without disclosing their consent and personal information.
The shady tactics are going to cost users up to $ 170 million in unwanted costs.
Scroll down for video
Researchers discovered the Chinese app, called VidMate, hijacks smartphones by displaying invisible advertisements, installing malicious apps without user permission, and collecting personal information
WHAT IS VIDMATE?
VidMate is a popular Chinese Android app that is used to download videos and songs from YouTube, Dailymotion, Vimeo and other sites.
It can be downloaded through third-party app stores such as CNET's Downloadware.
The site offers the possibility for & # 39; fast download & # 39; of content and & # 39; offline sharing & # 39; with other users.
Researchers at Secure-D, the mobile ad fraud department of the UK-based revenue-generating company, have detailed their findings in a post published on Monday.
They discovered that VidMate has a hidden component in the app that delivers hidden ads, generates fake clicks and purchases, installs malicious apps, and deletes users' private information – all without their knowledge.
As a result, it eats users' data allowance and costs them money.
Upstream researchers blocked more than 128 million malicious mobile transactions attempted by the VidMate app on 4.8 million devices.
If they had not been blocked, they could have cost users a load of unwanted costs.
& # 39; Mobile ads are a billion-dollar industry that is becoming increasingly popular and a very fertile breeding ground for fraud & # 39 ;, said Guy Krief, CEO of VidMate in a statement.
& # 39; The example of VidMate, where a single app is responsible for 130 million suspicious transaction attempts in a few months, is a major concern for us. The increasing sophistication of hidden malware requires an increasingly vigilant approach. & # 39;
Users were mainly targeted in Egypt, Myanmar, Brazil, Qatar, South Africa, Ethiopia, Nigeria, Malaysia and Kuwait.
An example of a hidden ad running in the VidMate app. These ads are invisible to users when they are in the app, but were used to generate fake clicks, causing user data to be lost in the process
Researchers first discovered suspicious activity from VidMate in 2017, but noticed a peak in transactions at the end of last year BuzzFeed News.
Although it is an Android app, VidMate is not listed in the Google Play Store, but can be downloaded through third-party app stores such as CNET's Download.com.
VidMate was developed by UCWeb, a unit of Chinese tech giant Alibaba, before it was sold in 2018.
It is not clear who currently owns VidMate, BuzzFeed noted.
The app allows users to download songs and videos from YouTube, Facebook, WhatsApp, Instagram and Dailymotion, among others.
In addition to hidden ads, VidMate also signs users for paid services without their permission. Shown is an example
The app is popular in development areas where spotty network coverage makes it easier to download mobile content instead of streaming.
However, in exchange for that convenience, users are exposed to unwanted costs and data usage, Upstream said.
To confirm suspicious activity, investigators were given access to three smartphones with VidMate installed, where users said they noticed & # 39; unexpected data usage, overheating, and a reduced battery even when the device was not in use & # 39 ;
Researchers analyzed all the HTTP traffic that came in and out of the device to see if something noticed.
Not long afterwards, they noticed that hidden and suspicious code in the VidMate app was loaded via a third-party SDK called Mango.
The app not only commits ad fraud by running hidden ads and generating fake clicks to generate revenue, it also collects secretly sensitive user data, such as the device's IMEI address and IP address, without first obtaining the user's permission. to get.
Users are then connected to an encrypted server from Nonolive, a gaming platform from Alibaba, where it secretly guides them to landing pages of app subscriptions and signs them for paid services.
The suspicious activity could have real consequences for VidMate users, who consume more than 3 gb of data per month through hidden background activity.
& # 39; That could be up to users who pay $ 100 a year in mobile data costs & # 39 ;, Upstream said.
& # 39; In markets such as Brazil, this represents almost half a month's work at a minimum wage. & # 39;
In response to Upstream's findings, VidMate said it would investigate the Mango SDK.
& # 39; Not only do we not program such practices in our core app, we have a zero tolerance policy because it is in VidMate's interest to protect us against such harmful practices, & # 39; told a VidMate spokesperson to BuzzFeed News.
The company added that it has already ended its relationship with Nonolive after the upstream report, BuzzFeed said.
. [TagsToTranslate] Dailymail