More than half a billion people have VidMate installed, an Android app that allows them to download videos from YouTube, WhatsApp and other platforms. Because of this functionality, VidMate, which has ties to Chinese technology group Alibaba, is hugely popular in countries like India, where streaming mobile video can be expensive or sometimes unreliable.
However, user convenience still appears to be a high cost. According to intelligence researchers from a London-based mobile phone company, VidMate displays hidden ads, subscribes to secretly paid services, and retrieves users' mobile data.
According to Upstream, VidMate subjects its users to a series of actions During a Skype interview, a VidMate spokesperson denied that the app knowingly carried out suspicious activity and said it was investigating. He also refused to provide basic information, such as the names of VidMate executives and sponsors, and did not answer follow-up questions, including a request for confirmation of his name and title.
Guy Krief, the CEO of Upstream, told users to download and open the VidMate "to give control of their phone and their personal information to third parties."
"The phone and its connection become part of a botnet and will be used for ad fraud at the owner's expense. and his privacy, "he said. (Suspected ad fraud occurs in VidMate when ads are shown that users can not see.)
In the past six months, Upstream has blocked more than 1
A VidMate spokesman using the name Jiatao Chen on Skype told BuzzFeed News that he took the results of Upstream seriously and blamed every suspected suspect for software development kits (SDKs) and third-party partners.
"Not only do we not program such practices into our core app, we also follow a zero tolerance policy because it is in the interest of VidMate to protect our users from such practices harmful practices," he said.
Chen said VidMate has already ended the relationship with a partner involved in the upstream report and continued to investigate.
UCWeb and VidMate shared BuzzFeed News with the app and its brands were sold to a new unit, Guangzhou Nemo Fish Technology Co., in 2018. They said the companies have a business relationship, but are separate.
"Since our divestiture at the beginning of last year, we have a business collaboration with Vidmate, as well as other apps we work with. We are not involved in any of Vidmate's business operations, "it said in an e-mail from a UCWeb spokesperson.
Chen described Nemo Fish as a start-up, but declined to appoint his executives or shareholders during an interview and did not respond to follow-up questions. A second VidMate spokesman later emailed Buzzfeed News to repeat much of Chen's remarks while questioning Upstream's methodology and findings.
The VidMate spokesperson's email account used the name Alice Granger, who is also the username of . Twitter account that sent thousands of spam responses to users in 2015, suggesting downloading VidMate. Granger did not answer any questions about the Twitter account or the names of Nemo Fish / VidMate executives and sponsors.
Although it is unclear who owns and owns VidMate, Krief announced that its company started suspending VidMate's suspicious transactions long before UCWeb sold the app.
"In October 2017, there were some first small amounts of suspicious transaction requirements that gradually increased until April 2018 and then occurred to a different extent," he said.
The UCWeb spokesperson said in an email that the company could not respond without seeing more details and data.
"So far, Upstream has not contacted us or provided us with the information to which they are asserting their claims. On this basis, it is impossible for us to evaluate their assumptions, "the statement said. "Overall, UC is committed to providing a safe and fun user experience, and there are strict rules and regulations to ensure that."
These results are another example of a Chinese app that allegedly committed ad fraud and misuse of user rights and data at the global level. BuzzFeed News has previously uncovered advertising fraud and other malicious behavior in apps from major Chinese developers Cheetah Mobile, DO Global and Kika Tech. As a result of an investigation published last month, Google DO Global has banned the Play Store and its advertising products. DO is partially owned by Baidu, one of the largest technology companies in China.
In January, Upstream also announced that a hugely popular weather app from TCL, a Chinese mobile phone and app company, fraudulently tricked users into subscribing to paid services and collecting suspicious amounts of personally identifiable information. The app has been removed from the Google Play Store due to the results of Upstream. (VidMate is not available in the Play Store, but is available in many other Android app stores.)
According to Krief, the Android ecosystem combined with digital advertising offers a great opportunity for cheaters.
"The openness of Android allows for a wide choice The spread of mobile malware and the complexity of digital advertising empower scammers – this is a worldwide playground with low risks and high incentives," he said.
Upstream identified the issues with VidMate as it provides mobile security services to 18 countries, especially in developing countries. The company monitors network operator network activity for ad scams, malware and other vulnerabilities, and conducts investigations when an activity pattern is detected All apps on the network upstream monitors, Krief said.
The security company also received complaints from users who said their phones behaved strangely and sometimes added paid subscriptions without their knowledge. Upstream purchased and monitored three phones that had VidMate installed. It soon became apparent that VidMate had secretly downloaded and installed a software development kit from an entity called Mango, which loaded hidden displays and secretly logged users on for paid services.
The suspicious activity occurred frequently while the screen of the phone was locked and not used. According to Krief.
Both VidMate spokespersons stated that the Mango SDK was manufactured by a Chinese company that has partnered with VidMate. Neither of them responded to a request for the name and contact information of the company.
"Our tech team is already doing a thorough analysis of this SDK. If this SDK is actually performing ad fraud, Vidmate will end its relationship with that SDK and the list will close companies, "the Granger email account says in its message.
Upstream claims that the unauthorized activities in VidMate devoured huge amounts of mobile data – more than 3 gigabytes per month, which Upstream estimates could cost $ 100 a year or half a dollar a month in markets like Brazil.
VidMate also collected personal information without notifying the user. This data, which contains a unique number associated with a person's phone and IP address, was sent to servers in Singapore owned by Nonolive, an Alibaba-funded gamer streaming platform.
Chen, the VidMate spokesman, said BuzzFeed News ended its relationship with Nonolive after learning of "misuse of user information".