VivaVideo, “Spyware” App Maker, Contains Remote Access Trojan and Requests Dangerous App Permissions

A new report focuses on how VivaVideo, one of the biggest free video editing apps for Android, with at east 100 million installs on the Play store, is a Chinese "spyware" app. The app asks for a wide host of dangerous permissions, including the ability to read and write files to external drives, plus the user’s specific GPS location (which is definitely not needed for a video editing app), claims VPNpro.

According to VPNpro, VivaVideo has a history of malware. In 2017, it was mentioned as one of 40 apps suspected of spyware in a country-wide advisory for all Indian military and paramilitary troops, with a recommendation to delete the apps immediately. The app in question is developed by QuVideo Inc., a Chinese company based in Hangzhou, which also creates SlidePlus (1M installs), with similarly unnecessary dangerous permissions, plus a paid version of VivaVideo. In addition, VPNpro found 5 total apps within its network.

On Apple’s App Store, VPNpro noticed that QuVideo actually develops 4 apps – VivaVideo and SlidePlus, in addition to the apps VivaCut and Tempo. These last two apps are published on Play under different developer names, hiding their connection to QuVideo Inc., notss VPNpro.

Beyond that, VPNpro discovered that QuVideo also owns the popular Indian app VidStatus, which has more than 50 million installs on Play. VidStatus, which is a “video status” tool for WhatsApp, asks for 9 dangerous permissions, including GPS, the ability to read phone state, read contacts, and even go through a user’s call log, notes VPNpro. The app was also identified as malware by Microsoft, containing a Trojan known as AndroidOS/AndroRat. These kinds of trojans can steal people’s bank, cryptocurrency or PayPal funds, claims VPNpro, and QuVideo does not officially claim VidStatus, VivaCut or Tempo on the Play store. A major Indian social video app related to WhatsApp, known as ShareChat, has three suspicious connections to QuVideo, including having the same API key within the app file (APK), similar homepages and URL structures.

Because of this history of malware and active trojan, and that QuVideo hides its connection with some of their apps, VPNpro recommends users practice caution with any of these apps. In general, if users find that these QuVideo apps provide no real benefit, VPNpro recommend deleting them from their phones as soon as possible.

Hank Schless, Senior Manager, Security Solutions at Lookout, notes that many permissions requested by apps, such as access to location data or local files, could violate some privacy regulations, and do conflict with internal and external for many businesses. "Organizations should have a way to understand the permissions being requested by apps across their mobile fleet and blacklist apps that ask for certain permissions. For example, a healthcare organization that allows employees to use tablets to access patient data should also block any apps that request access to the device’s address book in case that could violate HIPAA," says Schless.

"A big problem is that people don’t often review app permissions before sharing personal data with an app developer," adds Schless. "For both consumer and business use, there should be mobile security on that device that provides a singular view of apps that have access to personal data.”

For more information and detailed findings, please visit https://vpnpro.com/blog/chinese-app-maker-requests-dangerous-app-permissions/

ON DEMAND: In this webinar, Regina Lester, Vice President of Security & Safety Operations at Toledo Zoo, will share her insights on implementing security technologies in the entertainment sector and the challenges all organizations face — large and small — when it comes to balancing budget and security.