Secure-D exposes suspicious Android app with 500 million downloads
Upstream, a mobile technology company, has unveiled that the popular Android application VidMate triggers suspicious background activity. Hidden software within the app delivers invisible ads, generates fake clicks and purchases, installs other suspicious apps without consent and collects personal users’ information. Consequently, it depletes users’ data allowance and brings unwanted charges.
With over 500 million downloads reported, VidMate is a popular Android application for streaming and downloading videos and songs from services such as Dailymotion, Vimeo and YouTube. It is not available in the Google Play Store but is distributed through third-party app stores like CNET or Uptodown. According to publicly available information, VidMate was developed by a subsidiary of UC Web, which is owned by Chinese conglomerate Alibaba.
Over a recent period Upstream’s security platform, Secure-D, detected and blocked nearly 130 million suspicious mobile transactions initiated by VidMate. These transactions originated from close to 5 million unique mobile devices across 15 countries. If not blocked, they would have subscribed users to premium digital services potentially costing them up to $170m (€152m) in unwanted charges.
Guy Krief, CEO of Upstream, commented: “Mobile advertising is a multi-billion dollar industry on the rise and a very fertile ground for fraud. The VidMate example, whereby a single app is responsible for 130 million suspicious transaction attempts over a few months, is cause for great concern. The growing sophistication of disguised malware calls for an ever more vigilant approach. In the fight against digital fraud ongoing technological innovation is key”.
Most of the suspicious activity, which is still ongoing, was largely centred in 15 countries. 43 million of the suspicious transactions flagged by Secure-D are coming from devices in Egypt, 27 million from Myanmar, 21 million from Brazil, 10 million from Qatar, and 8 million from South Africa. Among the top affected markets are also Ethiopia, Nigeria, Malaysia and Kuwait. These are countries where digital payments via mobile airtime are common and often the only way to make financial transactions, as most people are unbanked.
The Secure-D lab tests also revealed that VidMate consumes battery life and bandwidth, eating up more than 3GB of data per month. That could add up to users paying $100 (€89.5) a year in mobile data charges. In markets such as Brazil, this represents nearly half a month’s work paid at minimum wage.
Finally, the Secure-D investigation found that -at the time of the investigation- VidMate collected personal user information, such as International Mobile Equipment Identity (IMEI), International Mobile Subscriber Identity (IMSI) or IP address, and transferred them to servers in Singapore, belonging to Nonolive, a China-based company funded by Alibaba, according to publicly available information.
“VidMate is only one case. Secure-D detects more than 170 new malicious apps every day”, added Krief. “While mobile fraud is mostly targeting advertisers, it also affects consumers greatly; Eats up their data allowance, brings unwanted charges, messes with the performance of their device, targets and collects user personal data. It is an epidemic calling for increased mobile security that urgently needs to rise up in the industry’s priority list”.
For the full report on the investigation & further resources please click here