Generic Characteristics

VivaVideo is a top-rated video editing app for Android devices that has been caught initiating premium subscription attempts, delivering invisible ads to users while avoiding detection. Since early 2019, Secure-D detected and blocked over 20 million suspicious mobile transactions, originating from the VivaVideo Android app.

If not blocked by Secure-D, every transaction attempt could have triggered premium services purchase, costing users in 19 countries over $27 million in unwanted charges.

Most of the suspicious activity took place in Brazil (over 11.5 million mobile transactions) as well as Indonesia, Egypt, and Thailand. 

VivaVideo is a freemium Android app, offering basic video production features — editing tools, effects, music overlays and more.

With the rising popularity of Instagram stories, reels and TikTok videos, VivaVideo had no issues with amassing a huge user base, lured in with simple and seemingly free video editing tools and filters. The app has over 100 million installs and a 4.2 rating on Google Play, based on over 12 millions reviews. The listed app developer, QuVideo Inc, is based in Hangzhou City, China.

Previously, the VivaVideo app came on the security radar for using spyware software components to collect user data without their knowledge as several external audits confirmed. Our investigation uncovered further problematic behaviors that the app exhibited on infected devices.

VivaVideo has long been topping the list of suspicious apps on the Secure-D index, so Secure-D’s research team jumped on the opportunity to investigate further.

Threat Behavior

Upon analyzing the initial monitor logs for the app, the Secure-D team decided to further investigate the nature and scale of the fraudulent activities VivaVideo app was performing in the background.

Secure-D researchers acquired two infected devices from real users (a Samsung Galaxy SM-G930F and a Galaxy J1 Ace SM-J111F) and placed them under scrutiny in our lab to reverse-engineer the fraud pattern.

 

Hidden premium subscription attempts

During the course of the investigation, the Secure-D team witnessed real-time subscription attempts that VivaVideo v7.3. was trying to execute without any user intervention or authorization. Secure-D found evidence of such attempts on infected devices by analyzing the network logs as pictured below:

 

Service Name: KidZone

Service URL: http://doi.mtndep.co.za/service/6307

Subscription cost: 4 ZAR/day (€0.21/day)

During subsequent monitoring, the Secured-D team also detected a fake advertisement click on an ad banner at 9:00 am, shortly followed by a subscription purchase attempt at 9:01 am. At that time the device was sitting unattended in the Secure-D lab.

(Two unauthorized sign-up attempts, detected by Secure-D researchers)

 

In this case, the service purchase attempts were attributed to an affiliate network. If the purchase was successful, the advertiser would have been charged a commission fee by the network.

 

Fraudulent mobile apps are good at curtailing activity when being monitored

During the next step of the investigation, Secure-D performed static code analysis to determine if the app ceases its fraudulent activity when the phone is rooted or when it’s being monitored via emulation or remote monitoring software.

The following code was found inside VivaVideo v8.4.2 which checks for the existence of emulation frameworks:

 

During our tests, we detected that the VivaVideo app transferred a list of installed monitoring apps to the following endpoint: https://xy-flkf-medi.kakalili.com/api/rest/s/recordapplist

 

Our findings confirmed that the app contains code snippets which check for monitoring software installed on the user’s device. VivaVideo stopped running all the suspicious background activity when the monitoring app was installed.

Fraudsters are continuously improving their tradecraft. Such code snippets are a common method fraudsters use to remain undetected when it comes to mobile ad fraud. 

VivaVideo contains a known ad fraud SDK, banned by Google

In 2018, Google conducted a major investigation into 3 malicious ad network SDKs (software development kits) and banned them from Google Play, along with the developers using them. One of the problematic SDKs was Batmobi.

Batmobi exploits user permissions to engage in click injection and click flooding — two popular ad fraud techniques, causing major advertising losses. In particular, Batmobi was found to be recording false clicks and sending them to advertisers to claim a bounty for an app install.

Our security team found that Batmobi SDK was present in earlier versions of the VivaVideo app, that are no longer available on Google Play. However, our interviews with infected device owners revealed that outdated VivaVideo app versions were frequently distributed via ShareIt, a popular transfer and sharing app. That is how the malicious SDK kept circulating among mobile users.

Android permission abuse

VivaVideo requires unnecessary user permissions 

To use the app, users are requested to authorize access to an array of sensitive information such as GPS location, currently running apps, and more:

Such permission requests are hardly necessary for a video editing application to run properly. Τypically, this type of app likely needs them to run hidden activity that is not related to the app’s core function.

Consequences on the Users

Unless prevented by Secure-D platform, VivaVideo could have continued feeding on unsuspecting customers’ prepaid airtime, mobile data and ultimately money. During the monitored period, Secure-D blocked over 20 million suspicious mobile transaction requests, originating from over 1 million infected devices across 19 countries, with VivaVideo installed. 

If not blocked by Secure-D, every transaction attempt could have triggered premium services purchase, costing users in 19 countries over $27 million in unwanted charges.

The actual fraud figure may be even higher as this estimate is based on Secure-D analysis and deployments on a small sample of total Internet traffic.

Cure

If you have VivaVideo installed on your device, head to the Google Play store and update it to the latest version.  To avoid getting played by predatory apps, Android users should always install apps from Google Play only and avoid any unverified marketplaces or direct links.

However, mobile apps coming from legitimate sources can be compromised too. Before installing anything new on your device, be sure to:

  • Check the app reviews on the marketplace and around the web.
  • Review developer details and assess their credibility.
  • Read the list of requested permissions and verify that all of them are actually needed for the app to work.