Brief - The Hustle

One of Android’s biggest apps was caught making purchases for users without consent

Written by Wes Schlagenhauf | Jun 30, 2020 9:32:37 AM

Security researchers at Upstream say the media file-sharing service 4shared is running invisible ads and subscribing users to paid services without their knowledge, TechCrunch reports.

Upstream says the app used suspicious “3rd-party” code that is “directly responsible” for automating clicks and setting cookies (the internet kind) as bread crumbs to keep track of which devices have been used to make purchases — a scheme that could be costing users millions of dollars.

The Elephant (Data) in the room

Hong Kong-based Elephant Data is the mysterious 3rd party that built the component — a company that bills itself as a “market intelligence” solution designed to “maximize ad revenue,” on its, uh, rather nefarious-looking website.

The ad firm didn’t respond to our request for comment, but a spokesperson for 4shared confirmed with TechCrunch that the company was unaware of any sneaky purchasing, and no longer uses Elephant Data services in its app.

Problem is…

4shared wasn’t allowed to push an update to users before the app was resubmitted for approval, so the company couldn’t fully remove Elephant Data’s software from users’ devices.

A platform with 10m users and 100m installs…

2nd time in 2 months

In May, BuzzFeed reported similar behavior from a different trigger-happy fraud shopper on the Android App store with the Alibaba-backed video app VidMate.