More than 20 million suspicious transaction requests from the popular Android app, VivaVideo, could have cost users more than $27 million in unauthorized premium charges. That’s if the transactions had not been detected and blocked by Secure-D, Upstream’s full-stack anti-fraud platform, which covers 31 operators in 20 countries.
In its most recent report, Secure-D revealed that the VivaVideo app, a video editing and sharing app with 100 million reported downloads, has been attempting to initiate premium subscription attempts while delivering invisible ads to users in order to generate fake clicks.
Over one million devices have been infected across 19 countries, including Indonesia, Egypt, Thailand, Russia and the UK, proving how far-reaching mobile ad fraud is. Brazil was the worst hit locale, home to more than 11.5 million of the fraudulent transaction attempts that originated from the app. Had the fraudulent transactions not been blocked, Brazilian users could have been unwillingly and unknowingly charged $10.3 million for services and subscriptions they did not purchase.
VivaVideo had ranked highly in lists of suspicious applications before, as the app has frequently topped Secure-D’s own Mobile Malware Index, prompting further investigation. However, the latest results shared in this most recent report, shed new light on the scale and veracity of the problem.
VivaVideo, which was subject to heavy scrutiny in the Secure-D lab on a genuine user’s device, was caught making fraudulent transaction attempts repeatedly – all of which were blocked by Secure-D. Some of the click and purchase attempts via fake, invisible ads actually occurred while the device was unattended. Had these click and purchase attempts succeeded, the advertiser would have paid out a commission to the affiliate, who in turn would have paid the bad actor responsible for the fraud.
What also stands out is that the app was found to contain code snippets which check for monitoring software installed on the user’s device. Under inspection VivaVideo stopped running all the suspicious background activity when the monitoring app was installed, proving that fraudsters are continuously improving the skills and the tools they use. Such code snippets are a common method bad actors use to remain undetected when it comes to mobile ad fraud.
Geoffrey Cleaves, Head of Secure-D at Upstream, commented: “As video sharing becomes increasingly popular in apps like TikTok and Instagram, more users are looking for ways to edit their content. However, bad actors are also scaling up their activity and technology, and they are wreaking havoc in apps like VivaVideo”.
VivaVideo is a “freemium” app available for download via Google Play, the official Android app store. It offers basic video production features, including editing tools and effects overlays, which feeds on the popularity of new video sharing mediums like TikTok and Instagram Stories. The VivaVideo app currently has more than 100 million installs registered, and a 4.2 rating on Google Play, where it remains available for download. The listed developer of the app is QuVideo Inc., registered in Hangzhou City, China.
Older versions of the VivaVideo app are known to contain the Batmobi SDK, a recognized bad actor which Google has since banned from its store. However, despite this, the SDK is still shared between users with older versions of Android on their handsets, often via third-party sharing apps such as ShareIt.
This report is the latest in a series of findings released by Upstream, who has constantly warned of the increasing threat posed by mobile malware. Cleaves explained: “Mobile ad fraud is a growing threat which if left unchecked, will severely impact mobile advertising, erode trust in mobile operators and service providers and leave users saddled with higher bills. We are raising awareness however we are now reaching a stage where real solutions and tangible measures need to be put into place to protect a digital ecosystem that has been forced to exponential growth, because of the current pandemic”.
Upstream advises users that have VivaVideo installed on their device to head to the Google Play store and update it to the latest version. To avoid getting stung by predatory apps, Android users should always install apps from Google Play only and avoid any unverified marketplaces or direct links.
However, as Secure-D lab experts note, mobile apps coming from legitimate sources can be compromised too. Before installing anything new on their device, users should:
- Check the app reviews on the marketplace and around the web.
- Review developer details and assess their credibility.
- Read the list of requested permissions and verify that all of them are actually needed for the app to work.
A general report published by Upstream at the beginning of this year revealed that in 2019 a staggering 93% of tracked mobile transactions had been blocked by Secure-D as fraudulent. Over 98,000 malicious Android apps were discovered, as well as 43 million infected devices in 20 different countries.