All apps have been developed by a Chinese company.
Recently, researchers at VPNpro have discovered that a famous app named VivaVideo available on both Android and iOS with over 100 million installations is operating as spyware.
Developed by a Chinese company named QuVideo Inc; there are 4 other apps developed by the same company and engaged in such malicious actions, according to researchers. The other ones happen to be the following:
- SlidePlus – A photo slideshow maker with over 1 million installations
- VivaCut – A video editor
- Tempo – A music video maker
- VidStatus – Advertised as a Whatsapp video status tool; the app has over 50 million installations on Google Play.
According to VPNpro, VivaVideo has a history of malware.
In 2017, it was mentioned as one of 40 apps suspected of spyware in a country-wide advisory for all Indian military and paramilitary troops, with a recommendation to delete the apps immediately.
The app in question is developed by QuVideo Inc., a Chinese company based in Hangzhou, which also creates SlidePlus (1M installs), with similarly unnecessary dangerous permissions, plus a paid version of VivaVideo. In addition, VPNpro found 5 total apps within its network.
On Apple’s App Store, VPNpro noticed that QuVideo actually develops 4 apps – VivaVideo and SlidePlus, in addition to the apps VivaCut and Tempo.
These last two apps are published on Play under different developer names, hiding their connection to QuVideo Inc., notss VPNpro.
Beyond that, VPNpro discovered that QuVideo also owns the popular Indian app VidStatus, which has more than 50 million installs on Play.
VidStatus, which is a “video status” tool for WhatsApp, asks for 9 dangerous permissions, including GPS, the ability to read phone state, read contacts, and even go through a user’s call log, notes VPNpro.
The app was also identified as malware by Microsoft, containing a Trojan known as AndroidOS/AndroRat.
These kinds of trojans can steal people’s bank, cryptocurrency or PayPal funds, claims VPNpro, and QuVideo does not officially claim VidStatus, VivaCut or Tempo on the Play store.
A major Indian social video app related to WhatsApp, known as ShareChat, has three suspicious connections to QuVideo, including having the same API key within the app file (APK), similar homepages and URL structures.
Because of this history of malware and active trojan, and that QuVideo hides its connection with some of their apps, VPNpro recommends users practice caution with any of these apps.
In general, if users find that these QuVideo apps provide no real benefit,VPNpro recommend deleting them from their phones as soon as possible.
Out of these, 2 apps, namely VivaCut and Tempo are published on the Google Play Store under a different developer name in order to hide their connections to QuVideo, researchers claim.
However, such is not the case on the App Store where all the apps are available under one developer account.
To start with the nature of these permissions, a range of permissions are requested which consist of a mix of both necessary and unnecessary ones. For example, all 5 apps require the user to grant access for reading and writing data to external drives.
Since these are editing apps, this makes sense as files need to be both accessed and saved on the smartphone’s memory. However, on the other hand, permissions such as a request for the user’s location make no sense considering the purpose of these apps.
The complete list of permissions that are requested comprises of the following:
1 – Reading the external storage of the device which includes accessing saved files & the application’s info in itself along with writing to it which is the ability to add files to the device’s storage: requested by all 5 apps.
2 – Accessing both the user’s coarse location – general location without precision – and their fine location which is accessed using the device’s GPS and hence allows the apps to track users more accurately: requested by 3 apps including VidStatus, VivaVideo, and Tempo.
3 – Accessing the device’s camera: again requested by 3 apps including VidStatus and VivaVideo.
4- Learning about the device’s information such as the phone number, network carrier, registered phone accounts, and the status of ongoing calls: requested by 2 apps including VidStatus.
5- Recording the audio of the device which may be transmitted by the threat actors to their C2 server or just stored on the device itself: requested by 2 apps including VidStatus and VivaVideo.
6- Accessing the user’s background location without the app even being in use: only requested by the Tempo music editor.
7- Reading the user’s calling history: only requested by VidStatus.
8- Reading the user’s contacts: only requested by VidStatus again.
To conclude, in their blog post, the researchers have also stated that,
App Name | No. of dangerous permissions | App Permission name |
---|---|---|
VidStatus – Status Videos & Status Downloader Google Play installs: 50 million Listed developer: VidStatus Team History of malware: Trojan:Android/AndroRat remote access tool identified by Microsoft | 9 | Access coarse location Access fine location CameraRead call log Record audioRead contacts Read external storage Write external storage Read phone state |
VivaVideo: Video Editor & Video Maker Google Play installs: 100 million Listed developer: QuVideo Inc. Best Video Editor & Video Maker App History of malware: Identified as spyware by Indian intelligence agencies | 6 | Camera Access coarse location Access fine location Record audio Read external storage Write external storage |
Tempo – Music Video Editor with Effects Google Play installs: 500,000 Listed developer: Tempo trend video editor with effects & music. Ltd History of malware: None | 5 | Access coarse location Access-fine location Access background location Read external storage Write external storage Access location extra commands |
“Another major Indian social video app related to WhatsApp, known as ShareChat, has three suspicious connections to QuVideo, including having the same API key within the app file (APK), similar homepages, and URL structures.”
This hints at the fact that other malicious apps may be lurking under different developer identities and so users are urged to exercise extreme caution in the types of apps they download and the permissions they grant to apps.
This, however, is not the first time when popular Android apps have been caught asking for unnecessary permissions. Last year, researchers from the IT security company Avast identified hundreds of flashlight apps with spyware function including asking for dangerous and unnecessary permissions.
In October last year, the popular Android Emoji keyboard app was caught asking for dangerous permissions and making a big profit by carrying out unauthorized purchases.
In another startling research, it was discovered that popular Android apps and Chrome extensions collect a trove of user data including browsing history. Therefore, if you are an Android user or even on iOS make sure to keep an eye on what permissions are being granted to applications on your device.