Incident: Privacy Breach and Ad Fraud in VidMate Android App.

Published Date: 2019-05-20

Postmortem Analysis
Timeline
1. The software failure incident involving the VidMate app happened late last year, as mentioned in the article [85369].
2. The article [85369] was published on 2019-05-20.
3. Estimation: Late last year from May 2019 would be around November or December 2018. Therefore, the software failure incident involving the VidMate app likely occurred in November or December 2018.

System
1. VidMate app
2. Mango SDK
3. Nonolive server

Responsible Organization
1. VidMate app developed by UCWeb, a unit of Chinese tech giant Alibaba, before it was sold off in 2018 [85369].

Impacted Organization
1. Users of the VidMate app were impacted by the software failure incident [85369].

Software Causes
1. The software causes of the failure incident with the VidMate app include:
   - Running invisible ads and generating fake clicks without users' knowledge [85369].
   - Installing malicious apps without users' consent [85369].
   - Collecting sensitive user data, such as the device's IMEI address and IP address, without permission [85369].
   - Connecting users to encrypted servers to sign them up for paid services without consent [85369].
   - Consuming users' data allowance and costing them money through hidden activities in the background [85369].

Non-software Causes
1. Lack of oversight in third-party app stores like CNET's Download.com where VidMate could be downloaded [85369].
2. Failure of proper vetting and monitoring of apps by the app stores before making them available for download [85369].
3. Lack of transparency regarding ownership of the VidMate app [85369].
4. Inadequate user awareness and education on potential risks associated with downloading apps from third-party sources [85369].

Impacts
1. The software failure incident involving the VidMate app led to users being subscribed to paid services without their consent, resulting in unwanted charges potentially amounting to $170 million [85369].
2. Users' personal data was exposed and collected without their knowledge, including sensitive information such as device IMEI address and IP address [85369].
3. The hidden ads and fake clicks generated by the app consumed users' data allowance, leading to additional costs for users [85369].
4. The suspicious activity of the app could result in users paying up to $100 a year in mobile data charges, with significant impacts on users in markets like Brazil [85369].

Preventions
1. Implementing thorough security checks and audits during the app development process to detect and prevent malicious components like hidden ads, fake clicks, and unauthorized data collection [85369].
2. Conducting regular monitoring and analysis of app behavior to detect any suspicious activity or anomalies that could indicate fraudulent behavior [85369].
3. Ensuring transparency and user consent for any data collection or subscription sign-ups within the app to prevent unauthorized charges and privacy violations [85369].
4. Verifying the integrity and security practices of third-party SDKs used in the app to prevent vulnerabilities and potential exploitation by malicious actors [85369].

Fixes
1. Conduct a thorough security audit of the VidMate app to identify and remove any hidden components that deliver hidden ads, generate fake clicks and purchases, install malicious apps, and collect personal data without user consent [85369].
2. Implement stricter app store policies to prevent the distribution of apps like VidMate through third-party stores, ensuring that only legitimate and safe apps are available for download [85369].
3. Enhance user privacy controls within the VidMate app to provide users with more transparency and control over their personal data, ensuring that any data collection is done with explicit user consent [85369].
4. Strengthen app development practices to prevent the inclusion of disguised malware and suspicious code within the app, ensuring that all code is thoroughly reviewed and verified for security vulnerabilities [85369].
5. Collaborate with cybersecurity experts and industry organizations to stay vigilant against emerging threats in the mobile advertising and app fraud landscape, sharing insights and best practices to protect users from similar incidents in the future [85369].

References
1. Security researchers from Secure-D, the mobile ad fraud division of UK-based technology firm Upstream [85369]
2. Guy Krief, CEO of VidMate [85369]
3. Users targeted in Egypt, Myanmar, Brazil, Qatar, South Africa, Ethiopia, Nigeria, Malaysia, and Kuwait [85369]
4. UCWeb, a unit of Chinese tech giant Alibaba, the developer of VidMate [85369]
5. Nonolive, a game streaming platform owned by Alibaba [85369]

Software Taxonomy of Faults

Category | Option | Rationale
Recurring | one_organization, multiple_organization | (a) The software failure incident related to the VidMate app has happened again within the same organization. The article mentions that VidMate, developed by UCWeb (a unit of Chinese tech giant Alibaba), had suspicious activity detected in 2017 and a spike in transactions late last year [85369]. Additionally, the article states that VidMate was sold off in 2018, and it's not clear who currently owns the app [85369]. (b) The software failure incident related to the VidMate app has also affected multiple organizations or services. The article mentions that the app not only commits ad fraud but also collects sensitive user data and connects users to an encrypted server owned by Nonolive, a game streaming platform owned by Alibaba, where it secretly signs them up for paid services [85369].
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase can be attributed to the hidden component within the VidMate app that delivers hidden ads, generates fake clicks and purchases, installs malicious apps, and siphons off users' private information without their knowledge [85369]. These actions were not explicitly designed or disclosed to the users, indicating a failure in the design of the app that allowed for such malicious activities to take place. (b) The software failure incident related to the operation phase is evident in the fact that users reported unexpected data use, overheating, and reduced battery life even when the device was not in use after installing VidMate [85369]. This indicates that the operation of the app was causing adverse effects on the users' devices, leading to increased data consumption and device performance issues.
Boundary (Internal/External) | within_system | (a) within_system: The software failure incident related to the VidMate app can be categorized as within_system. The app itself was found to have a hidden component that delivered hidden ads, generated fake clicks and purchases, installed malicious apps, and collected users' private information without their knowledge [85369]. This behavior was all happening within the app, indicating that the failure originated from within the system itself.
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident in the case of VidMate was primarily due to non-human actions. Security researchers discovered that the app had a hidden component that delivered hidden ads, generated fake clicks and purchases, installed malicious apps, and collected users' private information, all without their knowledge [85369]. This non-human behavior led to unwanted charges for users and significant data usage without their consent. (b) However, human actions were also involved in this software failure incident. The app, developed by UCWeb (a unit of Alibaba), was responsible for signing users up for paid services without their consent [85369]. Additionally, the app connected users to an encrypted server owned by Nonolive, a game streaming platform also owned by Alibaba, where users were directed to app subscription landing pages and signed up for paid services [85369].
Dimension (Hardware/Software) | hardware, software | (a) The software failure incident related to hardware: - The software failure incident reported in the article is primarily due to the VidMate app's hidden component within the app that delivers hidden ads, generates fake clicks and purchases, installs malicious apps, and siphons off users' private information without their knowledge [85369]. - This hidden component within the app is responsible for hijacking smartphones, running invisible ads, and collecting personal data, which ultimately leads to unwanted charges for users [85369]. (b) The software failure incident related to software: - The software failure incident is also attributed to the software itself, specifically the VidMate app, which was found to be engaging in malicious activities such as ad fraud, generating fake clicks, and signing users up for paid services without their consent [85369]. - The app was found to be running hidden and suspicious code through a third-party SDK called Mango, which not only committed ad fraud but also collected sensitive user data without permission [85369]. - Additionally, the software failure incident involved the app surreptitiously connecting users to an encrypted server owned by Nonolive, a game streaming platform, where users were directed to app subscription landing pages and signed up for paid services without their knowledge [85369].
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident related to the VidMate app can be categorized as malicious. Security researchers discovered that VidMate was hijacking smartphones by running invisible ads, installing malicious apps without users' consent, and collecting personal data, all without the users' knowledge [85369]. The app was responsible for over 128 million malicious mobile transactions on 4.8 million devices, potentially costing users a significant amount of unwanted charges. Additionally, VidMate was found to be signing users up for paid services without their consent, further indicating malicious intent behind the software failure incident.
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The software failure incident related to the VidMate app can be attributed to poor decisions made by the developers and owners of the app. The app was found to hijack smartphones by running invisible ads, installing malicious apps without users' consent, and collecting personal data without their knowledge [85369]. These actions not only compromised users' privacy but also resulted in unwanted charges potentially costing users up to $170 million. Additionally, the app was signing users up for paid services without their consent, further highlighting the poor decisions made by the developers in implementing such deceptive practices.
Capability (Incompetence/Accidental) | development_incompetence, unknown | (a) The software failure incident related to development incompetence is evident in the case of the VidMate app. The app was found to have a hidden component that delivered hidden ads, generated fake clicks and purchases, installed malicious apps, and collected users' private information without their knowledge [85369]. This indicates a lack of professional competence in the development process, as such malicious activities were embedded within the app, potentially leading to significant privacy and financial risks for users. (b) The software failure incident related to accidental factors is not explicitly mentioned in the provided article.
Duration | permanent, temporary | (a) The software failure incident related to the VidMate app can be considered as a permanent failure. The app was found to have a hidden component that delivered hidden ads, generated fake clicks and purchases, installed malicious apps, and collected users' private information without their knowledge [85369]. These actions were ongoing and continuous, indicating a permanent failure in the app's design and functionality. Additionally, the app was responsible for over 128 million malicious mobile transactions on 4.8 million devices, which could have resulted in significant unwanted charges for users if not blocked [85369]. (b) The software failure incident can also be seen as a temporary failure in the sense that the suspicious activity from VidMate was first detected in 2017, but a spike in transactions was noticed late last year [85369]. This indicates that the problematic behavior of the app intensified under certain circumstances or at a specific point in time, suggesting a temporary aspect to the failure incident.
Behaviour | crash, omission, value, byzantine, other | (a) crash: The software failure incident related to the VidMate app can be categorized as a crash. The app was found to be hijacking smartphones by running invisible ads, installing malicious apps without users' consent, and collecting personal data, which led to the app consuming users' data allowance and costing them money [85369]. (b) omission: The software failure incident can also be categorized as an omission. VidMate was signing users up for paid services without their consent, which can be seen as the app omitting to perform its intended function of obtaining user consent before subscribing them to paid services [85369]. (c) timing: There is no specific information in the article indicating that the software failure incident was related to timing issues. (d) value: The software failure incident can be categorized as a value failure. VidMate was engaging in ad fraud by running hidden ads, generating fake clicks for monetization, and collecting sensitive user data without permission, which can be considered as the app performing its intended functions incorrectly [85369]. (e) byzantine: The software failure incident can also be categorized as a byzantine failure. VidMate was surreptitiously collecting sensitive user data without permission and connecting users to an encrypted server to sign them up for paid services, exhibiting inconsistent and deceptive behavior [85369]. (f) other: The software failure incident can be categorized as other due to the fact that VidMate was engaging in a range of deceptive and harmful activities beyond the typical definitions provided in the options (a) to (e). This includes activities such as installing malicious apps, running invisible ads, and siphoning off users' private information without their knowledge or consent [85369].

IoT System Layer

Layer | Option | Rationale
Perception | None | None
Communication | None | None
Application | None | None

Other Details

Category | Option | Rationale
Consequence | property, theoretical_consequence | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving the VidMate app resulted in users being subjected to unwanted charges and data use. The app hijacked smartphones by running invisible ads, installing malicious apps, and collecting personal data without users' knowledge. This activity could lead to users incurring significant charges, with potential consequences such as users paying $100 a year in mobile data charges, and in markets like Brazil, this representing nearly half a month's work paid at a minimum wage [85369].
Domain | entertainment | (a) The software failure incident involving the VidMate app is related to the industry of entertainment. VidMate is a popular Chinese Android app used for downloading videos and songs from various platforms like YouTube, Dailymotion, and Vimeo, catering to users' entertainment needs [85369].
