

Upstream's security lab, Secure-D, has found that VidMate, a popular Android video application with over 500 million downloads, triggers suspicious background activity. A hidden component within the app delivers invisible ads, generates fake clicks and purchases, installs other suspicious apps without consent and collects users' personal information. As a result it depletes users' data allowance and brings unwanted charges. Over a recent period, Secure-D detected and blocked more than 128 million suspicious mobile transactions initiated by VidMate.

These transactions originated from 4.8 million unique mobile devices across 15 countries. Had they not been blocked, they would have subscribed users to premium digital services, potentially costing them up to $170 million in unwanted charges.

VidMate is a popular Android app that allows users to stream and download videos and songs from services such as Dailymotion, Vimeo and YouTube. VidMate is not available on the Google Play store but can be downloaded through third-party app stores such as CNET or Uptodown. According to publicly available information, VidMate was developed by a subsidiary of UC Web, which is owned by the Chinese conglomerate Alibaba.

Secure-D recorded a high number of suspicious transactions across multiple countries originating from VidMate. This was cross-checked against reports from multiple users noting that their handsets were performing subscriptions to digital services that the users had not initiated, leading to unwanted airtime charges. We purchased three of these devices from their owners and placed them in our lab for investigation. All users confirmed that their phone was "acting up", with problems such as unexpected data use, overheating and reduced battery life even when the device was not in use.

All handsets had the VidMate application installed, presenting an opportunity to check and confirm that it was the common factor. The handsets were a Huawei ALE-21, an LG G5 H850 and a Sony G3311. The testing involved operating each device while isolating it in a sandbox environment, so that all HTTP traffic into and out of the device could be examined for anything amiss.

THE ALARMING FINDINGS: VIDMATE'S SUSPICIOUS BEHAVIOR

During the testing, each handset carried out the suspicious activity associated with VidMate, allowing the Secure-D team to isolate and examine the relevant traffic. As downloaded, the app already contains inactive, hidden suspicious code. Once active on the device, VidMate loads this third-party SDK, called Mango, and executes it. Mango in turn communicated with a command and control server that issued instructions for delivering invisible ads to the device and for simulating clicks to access and confirm paid subscriptions. Although these views and clicks were reported to the ad networks as genuine, the activity took place in the background and was not visible to the end user. At the time of the investigation (March 2019), the app had also started collecting personal user information such as the International Mobile Equipment Identity (IMEI), the International Mobile Subscriber Identity (IMSI) and the IP address, without asking the user's permission, and transferring it to servers in Singapore owned by Nonolive, which according to publicly available information is an Alibaba-funded company.

The in-depth analysis revealed that Mango opened encrypted connections to two domains, one of them on port 1688. These connections led the device to make continuous requests to online ad servers and to access landing pages where the phone attempted to "sign up" for digital subscriptions. One of the many cases observed during the testing was a mobile device that made a successful subscription attempt through a host under .za. The sequence flow of the encrypted requests that led to this landing page is the following:
1. za/LPBase/tok528/, which is the landing page on which the suspicious subscription took place.
This page contains the "Join Now" button, which completes the user's subscription.

Based on the AndroidManifest.xml of VidMate, it was clearly determined that the application requests excessive permissions that a normal video player and downloader does not need. These include permissions for downloading and installing other software without user consent, which Secure-D's investigation showed the app is indeed doing.
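As an added example (not code from Secure-D's report or from VidMate itself), the script below shows the kind of check behind the AndroidManifest.xml finding above: it parses a manifest, compares the requested permissions with an allowlist that a video player and downloader can justify, and flags the ones that enable the behaviours described in this report, namely reading device identifiers such as the IMEI and IMSI, installing other packages, and running in the background without user action. The manifest, the allowlist and the permission-to-capability table are constructed assumptions for illustration, not VidMate's actual manifest or permission set.

```python
"""Audit an AndroidManifest.xml for permissions a video player and downloader cannot justify.

Added example: the manifest below is constructed for illustration and is not VidMate's.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions a plain streaming/download app can justify. This allowlist is the
# analyst's assumption; tune it to the app category you are reviewing.
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}

# Real Android permissions that enable the behaviours described in the report,
# with the capability each grants. Which of them VidMate requested is not stated
# on the page; this table is the analyst's own.
SUSPECT = {
    "android.permission.READ_PHONE_STATE": "read device identifiers such as IMEI and IMSI",
    "android.permission.REQUEST_INSTALL_PACKAGES": "trigger installation of other APKs",
    "android.permission.INSTALL_PACKAGES": "install other APKs silently (privileged apps only)",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start background work at boot without user action",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays that can hide or fake UI and click targets",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "keep running while the device is idle",
}


def requested_permissions(manifest_xml):
    """Return the names declared by <uses-permission> and <uses-permission-sdk-23> elements."""
    root = ET.fromstring(manifest_xml.strip())
    names = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        names.extend(el.get(NAME_ATTR) for el in root.iter(tag) if el.get(NAME_ATTR))
    return names


def audit(manifest_xml):
    """Split requested permissions into expected, flagged (with capability) and unexplained."""
    requested = requested_permissions(manifest_xml)
    excess = sorted(p for p in set(requested) if p not in EXPECTED)
    return {
        "requested": requested,
        "excess": excess,
        "flagged": {p: SUSPECT[p] for p in excess if p in SUSPECT},
        # Outside the allowlist but not in the suspect table: still needs a manual look.
        "unexplained": [p for p in excess if p not in SUSPECT],
    }


# Constructed manifest for a hypothetical downloader that over-requests permissions.
CONSTRUCTED_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videodl">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <application android:label="Constructed Downloader"/>
</manifest>
"""

if __name__ == "__main__":
    report = audit(CONSTRUCTED_MANIFEST)
    for perm, capability in report["flagged"].items():
        print("FLAG   %s: %s" % (perm, capability))
    for perm in report["unexplained"]:
        print("REVIEW %s: not justified by the app's stated purpose" % perm)
```

Run it against a manifest dumped from a real APK (for example with `apktool d` or `aapt dump permissions`, converting the latter to XML first) and treat every "FLAG" line as a question the app's stated purpose has to answer. A permission in the allowlist is not proof of good behaviour, and a flagged permission is not proof of abuse; the traffic analysis described above is what turns the permission list into a finding.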
