Secure-D, Upstream’s anti-fraud platform, has blocked more than 20 million suspicious transaction requests from VivaVideo, an Android app, that could have cost users more than $27 million in unauthorized premium charges.
Secure-D, in its most recent report, revealed that the VivaVideo app, a video editing and sharing app with 100 million reported downloads, has been attempting to initiate premium subscriptions while delivering invisible ads to users to generate fake clicks.
Over one million devices have been infected across 19 countries, including Indonesia, Egypt, Thailand, Russia and the UK. Brazil was the worst-hit locale, home to more than 11.5 million of the fraudulent transaction attempts that originated from the app.
Had the fraudulent transactions not been blocked, Brazilian users could have been unwillingly and unknowingly charged $10.3 million for services and subscriptions they did not purchase.
VivaVideo has ranked highly in lists of suspicious applications before: the app has topped Secure-D’s own Mobile Malware Index.
VivaVideo, which was subject to scrutiny in the Secure-D lab on a genuine user’s device, was caught making fraudulent transaction attempts repeatedly – all of which were blocked by Secure-D.
Some of the click and purchase attempts via fake, invisible ads actually occurred while the device was unattended. Had these click and purchase attempts succeeded, the advertiser would have paid out a commission to the affiliate, who in turn would have paid the bad actor responsible for the fraud.
The app was found to contain code snippets that check for monitoring software installed on the user’s device. Under inspection, VivaVideo stopped running all the suspicious background activity when the monitoring app was installed. Such code snippets are a common method bad actors use to remain undetected when it comes to mobile ad fraud.
As video sharing becomes increasingly popular in apps like TikTok and Instagram, more users are looking for ways to edit their content. However, bad actors are also scaling up their activity and technology, and they are wreaking havoc in apps like VivaVideo, Geoffrey Cleaves, head of Secure-D at Upstream, said.
VivaVideo is a “freemium” app available for download via Google Play, the official Android app store. It offers basic video production features, including editing tools and effects overlays, feeding on the popularity of new video sharing mediums like TikTok and Instagram Stories.
The VivaVideo app currently has more than 100 million installs registered, and a 4.2 rating on Google Play, where it remains available for download. The listed developer of the app is QuVideo Inc., registered in Hangzhou City, China.
Older versions of the VivaVideo app are known to contain the Batmobi SDK, a recognized bad actor which Google has since banned from its store. Despite this, the SDK is still shared between users with older versions of Android on their handsets, often via third-party sharing apps such as ShareIt.