Upstream

We commission original research to help guide our own product roadmap and better serve our partners.

$27 million Premium Subscription Fraud and Invisible Ads within VivaVideo Identified by Secure-D

Upstream’s mobile security platform Secure-D identified that a popular Android app was responsible for over 20 million fraudulent transaction attempts that could have resulted in $ 27 million in fake charges for users. The VivaVideo app has been initiating premium subscription attempts, delivering invisible ads to users while avoiding detection by users.

20 MILLION UNWANTED MOBILE TRANSACTIONS PROMPT INVESTIGATION

Secure-D runs AI-driven mobile anti-fraud detection services to protect users, mobile operators, and advertisers against cybercrime — a multi-billion-dollar problem for everyone involved in the mobile advertising ecosystem. Since early 2019, our algorithms detected and blocked over 20 million suspicious mobile transactions, originating from the VivaVideo Android app.

19 countries were affected with most activity happening in Brazil (over 11.5 million mobile transactions) as well as Indonesia, Egypt, and Thailand. 

VivaVideo has long been topping the list of suspicious apps on the Secure-D index, so Secure-D’s research team jumped on the opportunity to investigate further.

ABOUT THE APP

VivaVideo is a freemium Android app, offering basic video production features — editing tools, effects, music overlays and more.

With the rising popularity of Instagram stories, reels and TikTok videos, VivaVideo had no issues with amassing a huge user base, lured in with simple and seemingly free video editing tools and filters. The app has over 100 million installs and a 4.2 rating on Google Play, based on over 12 millions reviews. The listed app developer, QuVideo Inc, is based in Hangzhou City, China.

Previously, the VivaVideo app came on the security radar for using spyware software components to collect user data without their knowledge as several external audits confirmed. Our investigation uncovered further problematic behaviors that the app exhibited on infected devices.

Burrowing to The Bottom of the Problem in Secure-D Labs

Upon analyzing the initial monitor logs for the app, the Secure-D team decided to further investigate the nature and scale of the fraudulent activities VivaVideo app was performing in the background.

Secure-D researchers acquired two infected devices from real users (a Samsung Galaxy SM-G930F and a Galaxy J1 Ace SM-J111F) and placed them under scrutiny in our lab to reverse-engineer the fraud pattern.

Our first discovery — Hidden premium subscription attempts

During the course of the investigation, the Secure-D team witnessed real-time subscription attempts that VivaVideo v7.3. was trying to execute without any user intervention or authorization. Secure-D found evidence of such attempts on infected devices by analyzing the network logs as pictured below:

Service Name: KidZone

Service URL: http://doi.mtndep.co.za/service/6307

Subscription cost: 4 ZAR/day (€0.21/day)

During subsequent monitoring, the Secured-D team also detected a fake advertisement click on an ad banner at 9:00 am, shortly followed by a subscription purchase attempt at 9:01 am. At that time the device was sitting unattended in the Secure-D lab.

In this case, the service purchase attempts were attributed to an affiliate network. If the purchase was successful, the advertiser would have been charged a commission fee by the network.

Second discovery — Fraudulent mobile apps are good at curtailing activity when being monitored

During the next step of the investigation, Secure-D performed static code analysis to determine if the app ceases its fraudulent activity when the phone is rooted or when it’s being monitored via emulation or remote monitoring software.

The following code was found inside VivaVideo v8.4.2 which checks for the existence of emulation frameworks:

During our tests, we detected that the VivaVideo app transferred a list of installed monitoring apps to the following endpoint: https://xy-flkf-medi.kakalili.com/api/rest/s/recordapplist

Our findings confirmed that the app contains code snippets which check for monitoring software installed on the user’s device. VivaVideo stopped running all the suspicious background activity when the monitoring app was installed.

Fraudsters are continuously improving their tradecraft. Such code snippets are a common method fraudsters use to remain undetected when it comes to mobile ad fraud. 

Our third finding — VivaVideo requires unnecessary user permissions

To use the app, users are requested to authorize access to an array of sensitive information such as GPS location, currently running apps, and more:

Such permission requests are hardly necessary for a video editing application to run properly. Typically, this type of app likely needs them to run hidden activity that is not related to the app’s core function.

Our fourth finding — VivaVideo contains a known ad fraud SDK, banned by Google

In 2018, Google conducted a major investigation into three malicious ad network SDKs (software development kits) and banned them from Google Play, along with the developers using them. One of the problematic SDKs was Batmobi.

Batmobi exploits user permissions to engage in click injection and click flooding — two popular ad fraud techniques, causing major advertising losses. In particular, Batmobi was found to be recording false clicks and sending them to advertisers to claim a bounty for an app install.

Our security team found that Batmobi SDK was present in earlier versions of the VivaVideo app, that are no longer available on Google Play. However, our interviews with infected device owners revealed that outdated VivaVideo app versions were frequently distributed via ShareIt, a popular transfer and sharing app. That is how the malicious SDK kept circulating among mobile users.

How VivaVideo Play Affects Unsuspicious Users

Unless prevented by Secure-D platform, VivaVideo could have continued feeding on unsuspecting customers’ prepaid airtime, mobile data and ultimately money. During the monitored period, Secure-D blocked over 20 million suspicious mobile transaction requests, originating from over one million infected devices across 19 countries, with VivaVideo installed. 

If not blocked by Secure-D, every transaction attempt could have triggered premium services purchase, costing users in 19 countries over $27 million in unwanted charges.

The actual fraud figure may be even higher as this estimate is based on Secure-D analysis and deployments on a small sample of total Internet traffic.

Staying Protected Against Mobile Transaction Fraud

If you have VivaVideo installed on your device, head to the Google Play store and update it to the latest version.

To avoid getting played by predatory apps, Android users should always install apps from Google Play only and avoid any unverified marketplaces or direct links.

However, mobile apps coming from legitimate sources can be compromised too. Before installing anything new on your device, be sure to:

  • Check the app reviews on the marketplace and around the web.
  • Review developer details and assess their credibility.
  • Read the list of requested permissions and verify that all of them are actually needed for the app to work.

Secure-D has worked with Forbes to bring this story to light. You can read their write up here.