Here we go again—another popular Android app caught defrauding users on a huge scale. This is familiar territory now, although the numbers get bigger and more onerous. The app this time is SnapTube, a video downloader that lets users select YouTube and Facebook videos to play offline. The app’s developers claim more than 40 million users, and it has been installed many more times that that. The problem, it seems, is that while users are enjoying those videos, the app’s software is busy doing other things in the background—essentially defrauding both users and advertisers to generate material financial returns.
The disclosure against SnapTube has been made by researchers at Upstream, who say that their Secure-D platform detected and blocked “more than 70 million suspicious mobile transaction requests” from SnapTube installs on 4.4 million devices. And this was all inside a six-month period. Such fraud tends to run in bursts, and the team seems to have been monitoring the app at the right time.
According to Upstream, “SnapTube has been delivering invisible ads, generating non-human clicks and purchases… The ads are hidden from users as they do not appear on-screen.” Generating returns from adware or click fraud is one thing, but the report claims that SnapTube has gone further, to the triggering of premium calls and texts, and subscribing users to paid services. Upstream has calculated that this fraudulent purchase of “premium digital services” would have cost users up to $91 million.
SnapTube was developed by China-based Mobiuspace—which has pushed various apps onto Google’s Play Store. SnapTube, though, hasn’t made the Play Store grade. YouTube’s parent Google doesn’t appear too keen on video downloader apps for obvious reasons. But Mobiuspace still claims 40 million active users who have installed the app from third-party stores.
Upstream’s CEO Guy Krief described SnapTube as “literally a screen for the suspicious background activity. Under test conditions we found not just background advertising click fraud, but also countless examples of users being signed up for premium digital services or subscriptions even when the phone is not in use. No notifications appear on the screen whatsoever and the user has absolutely zero control.”
Upstream says it discovered SnapTube’s activities when the team observed “extremely huge volumes of suspicious transactions originating in multiple countries coming from the same Android application.” The team intercepted “subscription verification SMS messages” being sent to the devices infected with the SnapTube malware—part of the process to fraudulently purchase new subscriptions without any user knowledge.
With suspicions aroused, the team isolated the infected devices and monitored inbound and outbound network traffic. The analysis showed that SnapTube “was communicating with a command and control server to identify subscription services, then attempting to subscribe the end-user to those services.”
SnapTube has attributed the malicious activity to the Mango SDK buried within its app, software that was implicated in a previous malware campaign centred on the video app, Vidmate. In a statement published by TechCrunch, a SnapTube spokesperson claimed the malware had operated without SnapTube’s knowledge. “We didn’t realize the Mango SDK was exercising advertising fraud activities, which brought us major loss in brand reputation—we quickly responded and terminated all cooperations with them. The versions on our official site as well as our maintained distribution channels are free of this issue already.”
There were other patterns linking the two campaigns, and when Vidmate was exposed much of the SnapTube activity ceased. But only for a time. SnapTube has been implicated before in these kinds of activities. The team at Sophos disclosed fraudulent installs, ads and clicks in a report published in February. “When running SnapTube,” Sophos explained, “it generated more than 200 network connections in fewer than 120 seconds, with no user interaction whatsoever. The network traffic shows the app downloads additional ad plugins, sends device info and personal info to remote websites, and generates sneaky redirects.”
The advice from Upstream’s Krief is for users “to carefully watch phone bills and report to their operator any subscriptions or charges they did not authorize. Upstream advises users to delete an app from their phones if they see signs of irregular activity pointing to a suspicious application consuming data in the background.”
My advice would be to go a step further, if you have SnapTube installed on your device and assuming those offline YouTube or Facebook videos are not something you cannot live without, then delete the app. History shows that once an app turns bad, the genie rarely jumps back into the bottle.