This Hugely Popular Android App Was A Fraudster In Disguise, Research Found


Google Play Store has millions of apps and games ready to download. With so many choices, there is literally an endless list of new things to install.

With most apps on the app store being free, users should always be wary of the dangers that lurk behind some apps' intentions. One of these is the 'freemium' strategy. Through these freemium apps, users can sometimes end up paying (often without even knowing) an amount that far exceeds a one-time payment.

And here, malicious developers can circumvent Google's watchful eyes, by creating 'fleeceware' apps.

While most apps that have rogue intentions don't really have that many installs or that much popularity, this particular one does.

Called 'VivaVideo', the app has more than 100 million downloads and 12 million user ratings, with an average score of more than 4 out of 5.

Discovered by mobile security platform Secure-D, the app isn't dangerous, but only on the surface.

VivaVideo allows users to cut, trim, crop, and merge video content, as well as add text, stickers, music, and so on.

The app is popular among people who are into mobile video creation and editing, who don't want to pay for their tools.

Offered by QuVideo, the app is reliable and versatile.

But this also suggests how skilled the developer is in masking the app's sneaky behavior.

Secure-D said that the app frequently initiates unauthorized premium subscription attempts while also delivering "invisible ads to users." In other words, the app looks to generate illegal revenue in two ways, first by subscribing users to sneaky services without their knowledge and second, by tricking advertisers into paying commissions for clicks that didn't happen.

In its blog post, Secure-D wrote:

"Secure-D runs AI-driven mobile anti-fraud detection services to protect users, mobile operators, and advertisers against cybercrime — a multi-billion-dollar problem for everyone involved in the mobile advertising ecosystem. Since early 2019, our algorithms detected and blocked over 20 million suspicious mobile transactions, originating from the VivaVideo Android app."

"19 countries were affected with most activity happening in Brazil (over 11.5 million mobile transactions) as well as Indonesia, Egypt, and Thailand."

Among the victims, most came from Indonesia. (Credit: Secure-D)

VivaVideo gained immense popularity due to the rising popularity of Instagram Stories and Reels, as well as TikTok videos among others.

The app came under Secure-D's radar, following the team's attempt to find spyware software components inside apps.

When analyzing VivaVideo, the team decided to investigate further due to the app's suspicious background activities. The team realized that the app is malicious after finding that the suspicious background activities suddenly stopped when the team installed a monitoring tool to observe the app.

Upon a closer look, the team found some code snippets which are meant to do exactly that.

The strategy is meant to conceal whatever the app is doing. The developer did this to hide the app's malicious intention.

"Our findings confirmed that the app contains code snippets which check for monitoring software installed on the user’s device. VivaVideo stopped running all the suspicious background activity when the monitoring app was installed," the team wrote.

So here, the app was not only fleeceware, but was also good at curtailing its activity when being monitored.

VivaVideo app, permission list
The app requests more permissions than it needs to run properly. (Credit: Google)

What's more, the app requests more permissions than necessary.

For example, it needs permission to access precise GPS location, retrieve running apps, close other apps, read Home settings and shortcuts, run at startup, modify system settings and more.

Such permission requests are hardly necessary for a video editing application to run properly. Typically, this kind of app needs them to conceal hidden activity that is not related to the app’s main function.
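As an added example (not code from Secure-D or from this article), the following sketch audits a decoded AndroidManifest.xml for the permissions listed above. The mapping from the article's descriptions to Android permission names, the baseline of permissions a video editor plausibly needs, and the sample manifest are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline for a video editor (editorial assumption, not from the article).
EXPECTED = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Android permission names matching the capabilities the article lists.
SUSPICIOUS = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.GET_TASKS": "retrieve running apps",
    "android.permission.KILL_BACKGROUND_PROCESSES": "close other apps",
    "com.android.launcher.permission.READ_SETTINGS": "read Home settings and shortcuts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.WRITE_SETTINGS": "modify system settings",
}

# Constructed sample manifest (hypothetical package, not VivaVideo's real manifest).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.videoeditor">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission-sdk-23 android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>
"""

def audit_manifest(xml_text):
    """Return (flagged, unexplained): article-listed permissions and other non-baseline ones."""
    root = ET.fromstring(xml_text.strip())
    requested = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    flagged = {p: SUSPICIOUS[p] for p in sorted(requested) if p in SUSPICIOUS}
    unexplained = sorted(requested - EXPECTED - set(SUSPICIOUS))
    return flagged, unexplained

if __name__ == "__main__":
    flagged, unexplained = audit_manifest(SAMPLE_MANIFEST)
    for permission, reason in flagged.items():
        print(f"FLAG   {permission}  ({reason})")
    for permission in unexplained:
        print(f"REVIEW {permission}  (outside assumed baseline)")
```

A flagged permission is a prompt for review rather than proof of fraud; the baseline should be adjusted to the app category being audited.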

And last, the team at Secure-D also found that VivaVideo uses a known ad fraud SDK that is banned by Google.

Called 'Batmobi', it exploits user permissions to engage in click injection and click flooding.

So again, Google's effort to keep its Play Store clean and safe is still failing.

Published: 17/11/2020