[ad_1]
More than half a billion people have installed VidMate, an Android app allowing them to download videos from YouTube, WhatsApp and other platforms. This feature has made VidMate, which has links to the Chinese technology giant Alibaba, extremely popular in countries such as India, where streaming video on mobile can be expensive or sometimes unreliable.
But it seems that convenience always has a high cost for users. VidMate displays hidden ads, secretly subscribes people to paid services and exhausts users' mobile data, according to the findings of security researchers at a mobile technology company based in London.
According to Upstream researchers, VidMate subjects its users to a series of suspicious behaviors that could cost them money, empty their phone batteries and reveal their personal information.
During a Skype interview, a spokesperson for VidMate denied that the application was knowingly engaging in suspicious activity and said that he was investigating. He also declined to provide basic information such as the names of VidMate's officers and funders and did not answer the following questions, including a request for confirmation of his name and title.
Guy Krief, CEO of Upstream, said users who download and open VidMate "give control of their phone and personal information to a third party".
"The phone and its connection become part of a botnet and are used to commit advertising fraud, at the expense of the owner … and his privacy," he said. (The alleged ad fraud occurs in VidMate when it displays ads that users can not actually see.)
Over the last six months, Upstream has blocked more than 128 million "suspicious" transactions with the VidMate application, which could cost users in Egypt, Brazil, Myanmar and elsewhere more than 150 million dollars. Unauthorized and unauthorized mobile subscriptions, according to the company. Upstream said that it had started blocking these deals as early as 2017 and that their volume had increased significantly by the end of last year. VidMate was developed and owned by UCWeb, a subsidiary of Alibaba, prior to its sale last year.
A spokesman for VidMate, who used the name Jiatao Chen on Skype, told BuzzFeed News that he takes Upstream's findings seriously and blamed any alleged suspicious behavior of developer kits. third-party software (SDK) and partners.
"Not only we do not schedule such practices in our main application, we have a zero tolerance policy because it is in VidMate's best interest to protect our users from such harmful practices," he said. declared.
According to Chen, VidMate has already terminated its relationship with one of the partners involved in the Upstream report and is continuing its investigations.
UCWeb and VidMate both told BuzzFeed News that the application and its brands had been sold to a new entity, Guangzhou Nemo Fish Technology Co., in 2018. They indicated that the companies had a commercial relationship but were distinct .
"Since our divestment early last year, we have maintained business collaboration with Vidmate, just as we do with other applications we work with. We are not involved in any of Vidmate's operations, "said a statement sent by a UCWeb spokesperson.
Chen described Nemo Fish as a start-up, but declined to name his officers or shareholders in an interview and did not answer the following questions. A second VidMate spokesperson then contacted Buzzfeed News by email to repeat much of what Chen had said, while questioning Uprstream's methodology and results.
The email account of this VidMate spokesperson used the name Alice Granger, which is also the name of a user. Twitter account who sent thousands of spam emails to people in 2015, suggesting that they download VidMate. Granger did not answer the following questions about the Twitter account or those asking for the names of leaders and funders of Nemo Fish / VidMate.
Krief said his company had started blocking VidMate's suspicious transactions long before UCWeb sold the app.
"We had some initial volumes of suspicious transaction requests in October 2017 and the number of transactions gradually increased until April 2018, when it began to be of a different magnitude," she said. he declared.
The UCWeb spokesperson said in an email that the company could not respond without more details and data.
"To date, Upstream has not contacted us or provided the information on which they make their claims. On this basis, it is impossible for us to evaluate their assumptions, "the statement said. "Overall, UC is always focused on providing a safe, secure, and enjoyable user experience and enforces strict rules and regulations to ensure that this is the case."
These findings constitute another example of Chinese application suspected of advertising fraud and misuse of user permissions and data at the global level. BuzzFeed News had previously revealed ad fraud and other malicious behavior in the apps of leading Chinese developers Cheetah Mobile, DO Global and Kika Tech. As a result of a survey released last month, Google banned DO Global from the Play Store and its advertising products. DO belongs in part to Baidu, one of the largest technology companies in China.
In January, Upstream also revealed that an extremely popular weather app from TCL, a Chinese mobile phone and app company, fraudulently subscribed users to paid services and collected suspicious levels of personal data. . The app has been removed from the Google Play store as a result of Upstream's findings. (VidMate is not in the Play Store but is widely available in other Android app stores.)
According to Krief, the Android ecosystem and digital advertising are combining to create a huge opportunity for fraudsters.
"The open nature of Android allows the widespread spread of mobile malware.The complexity of digital advertising allows fraudsters – it's a global playground with low risk and high incentives", did he declare.
Upstream has identified VidMate's issues in providing security services to mobile operators in 18 countries, mainly in developing countries. The company monitors activity on carrier networks for ad fraud, malware and other vulnerabilities, and conducts investigations as soon as it detects a business model.
VidMate "has been the number one in terms of blocking attempts in the last six months" among all the apps on monitors up the network, Krief said.
The security company also received complaints from users who claimed that their phones behaved strangely and that they sometimes added paid subscriptions without their knowledge. Upstream, Acquisition and monitoring of three phones on which VidMate was installed. It quickly detected that VidMate was secretly downloading and installing a software development kit from an entity called Mango that was loading hidden advertisements and secretly inviting users to paid services.
The suspicious activity often took place while the phone screen was locked and not used, according to Krief.
The two VidMate spokespersons said Mango's SDK was manufactured by a Chinese company associated with VidMate. Neither answered a request for the name and contact information of the company.
"Our technical team is already doing a thorough analysis of this SDK, if it is really fraudulent, Vidmate will terminate its relationship with this company and blacklist it," said the Granger e-mail account. his message.
According to Upstream, the unauthorized activity in VidMate has absorbed huge amounts of mobile data – more than 3 gigabytes per month, which Ustream estimates could cost $ 100 a year or half a month in markets such as Brazil.
VidMate has also collected personal information without informing the user. The data, which included a unique number associated with a person's phone and IP address, was sent to servers in Singapore owned by Nonolive, a streaming player platform funded by Alibaba.
Chen, spokesman for VidMate, told BuzzFeed News that he had ended his relationship with Nonolive after learning that there was "misuse of user information".
[ad_2]
Source link