All apps have been developed by a Chinese company.
Recently, researchers at VPNpro have discovered that a famous app named VivaVideo available on both Android and iOS with over 100 million installations is operating as spyware.
Developed by a Chinese company named QuVideo Inc; there are 4 other apps developed by the same company and engaged in such malicious actions, according to researchers. The other ones happen to be the following:
- SlidePlus – A photo slideshow maker with over 1 million installations
- VivaCut – A video editor
- Tempo – A music video maker
- VidStatus – Advertised as a Whatsapp video status tool; the app has over 50 million installations on Google Play.
It is worth noting that the VidStatus app is also flagged by Microsoft as having the AndroRat trojan on VirusTotal.
Out of these, 2 apps, namely VivaCut and Tempo are published on the Google Play Store under a different developer name in order to hide their connections to QuVideo, researchers claim. However, such is not the case on the App Store where all the apps are available under one developer account.
To start with the nature of these permissions, a range of permissions are requested which consist of a mix of both necessary and unnecessary ones. For example, all 5 apps require the user to grant access for reading and writing data to external drives.
Since these are editing apps, this makes sense as files need to be both accessed and saved on the smartphone’s memory. However, on the other hand, permissions such as a request for the user’s location make no sense considering the purpose of these apps.
The complete list of permissions that are requested comprises of the following:
1 – Reading the external storage of the device which includes accessing saved files & the application’s info in itself along with writing to it which is the ability to add files to the device’s storage: requested by all 5 apps.
2 – Accessing both the user’s coarse location – general location without precision – and their fine location which is accessed using the device’s GPS and hence allows the apps to track users more accurately: requested by 3 apps including VidStatus, VivaVideo, and Tempo.
3 – Accessing the device’s camera: again requested by 3 apps including VidStatus and VivaVideo.
4- Learning about the device’s information such as the phone number, network carrier, registered phone accounts, and the status of ongoing calls: requested by 2 apps including VidStatus.
5- Recording the audio of the device which may be transmitted by the threat actors to their C2 server or just stored on the device itself: requested by 2 apps including VidStatus and VivaVideo.
6- Accessing the user’s background location without the app even being in use: only requested by the Tempo music editor.
7- Reading the user’s calling history: only requested by VidStatus.
8- Reading the user’s contacts: only requested by VidStatus again.
To conclude, in their blog post, the researchers have also stated that,
“Another major Indian social video app related to WhatsApp, known as ShareChat, has three suspicious connections to QuVideo, including having the same API key within the app file (APK), similar homepages, and URL structures.”
This hints at the fact that other malicious apps may be lurking under different developer identities and so users are urged to exercise extreme caution in the types of apps they download and the permissions they grant to apps.
This, however, is not the first time when popular Android apps have been caught asking for unnecessary permissions. Last year, researchers from the IT security company Avast identified hundreds of flashlight apps with spyware function including asking for dangerous and unnecessary permissions.
In October last year, the popular Android Emoji keyboard app was caught asking for dangerous permissions and making a big profit by carrying out unauthorized purchases.
In another startling research, it was discovered that popular Android apps and Chrome extensions collect a trove of user data including browsing history. Therefore, if you are an Android user or even on iOS make sure to keep an eye on what permissions are being granted to applications on your device.