Vidmate has been installed by over 5 million users until now, lured by the promises of offline streaming. With the app, Android users could download any video from YouTube, Vimeo, and other platforms like WhatsApp, Facebook, Twitter, and so on. While it was a great service, offering users with a low or unreliable internet connection, users that had an expensive data plan a way to stream videos on mobile phones. The popular video downloading app was developed by a subsidiary of UC Web (which is owned by the Chinese tech giant Alibaba) and got very popular in Asian countries, like India.
Upstream’s Secure-D Reported VidMate as Being a Dangerous App
However, the service came with a high cost that users had no idea they were paying. According to security searchers at a mobile tech firm from London, called Upstream, VidMate had a suspicious activity. At the Upstream Secure-D security lab, researchers unveiled the suspicious activity at VidMate in their report:
“A hidden component within the app delivers invisible ads, generates fake clicks and purchases, installs other suspicious apps without consent and collects personal users’ information. Consequently, it depletes users’ data allowance and brings unwanted charges.”
The app is not available in Google Play Store but can be downloaded as an APK from various sources.
The CEO of Upstream, Guy Krief, said that whoever downloaded and opened VidMate, has surrendered “control of their phone and personal information to a third party,” adding that while users cannot see the ads displayed, the “phone and its connection become part of a botnet and are used to commit ad fraud, at the expense of its owner … and his privacy.”
The app also requests suspicious permissions, such as:
- allows the app to create windows on top of others
- allows the app to install and download other unknown apps without asking or notifying the user
- allows the app to read and write system settings
- allows the app to access the user’s device log files, which contain sensitive information.
Delete VidMate to Protect Your Privacy, Data, and Money
The Upstream report urges users to delete VidMate to remedy the issues of battery drainage, charges of premium content without the users’ knowledge, data usage and privacy breach, adding that installing apps from outside Google Play Store is dangerous:
“VidMate is a reminder of the serious dangers of installing software from sources other than the official Google Play Store. The financial and privacy risks of letting misleading and abusive apps onto your device are simply not worth it.”
Here’s a short video from Upstream on VidMate’s suspicious activity:
A VidMate spokesperson was interviewed by BuzzFeed and stated that the app has no such knowledge of the suspicious activity, but they will investigate it. The spokesperson used the name Jiatao Chen and didn’t provide basic information of the funders and executives of the app, refusing to confirm his name or title. However, he stated:
“No only do we not program such practices into our core app, we have a zero-tolerance policy because it is in VidMate’s interest to protect our users against such detrimental practices.”
Chen also added that they are investigating the issue and VidMate has terminated the relationship with a partner (Nonolive) that was included in the Upstream report.
VidMate Spokesperson about Mango’s SDK: “Vidmate will terminate relationship with and blacklist this company”
The suspicious activity began with Vidmate installing a software development kit from Mango, which loaded the hidden ads and signed up users to premium services. The activity would take place when users didn’t use their phones. One spokesperson from VidMate stated that if the “SDK really is performing ad fraud, Vidmate will terminate relationship with and blacklist this company.”
UCWeb and VidMate responded to BuzzFeed News, with a UCWeb spokesperson saying that the app and trademark were sold to a start-up called Guangzhou Nemo Fish Technology Co., in 2018 and that they are not involved in Vidmate’s operations, but have maintained a business collaboration.
VidMate’s Suspicious Activity Started Long Before It Was Sold to the Start-up
The issues with VidMate were first revealed by Upstream when the company began providing security services to mobile carriers in some developing countries, and Krief found that VidMate “was number one in terms of block attempts over the past six months” compared to other apps monitored by Upstream. Guy Krief stated that Upstream saw and blocked suspicious transactions from VidMate before UCWeb sold VidMate:
“We saw some first small volumes of suspicious transaction requests in October 2017 and it progressively ramped up until April 2018 when it then started being at a different scale.”
As a response, the UCWeb spokesperson stated in an email that they could not respond to these accusations until they see the data and all the details, adding that Upstream didn’t contact them to give them the information.
Keep your personal information safe and use trustworthy apps that you can find on Google Play Store. Alternatively, use the Lite versions of social media apps to save data.