Vulcun, the esports fantasy betting company that recently laid off about a quarter of its staff, hits headlines again with an even bigger scandal. Last Friday, the FTC released a report charging the company with repurposing an Android gaming app into their own private ad delivery system onto the mobile devices of more than 200,000 users.

It all began in 2014, when Vulcun acquired Running Fred, a popular browser game extension played by more than 200,000 users. Shortly after, Vulcun replaced the extension with their own software, called “Weekly Android Apps” and “Apps by Cindy.” The users of Running Fred were not notified about the replacement, though. Not only did Vulcun use the software to advertise and distribute its browser extensions, the company also inaccurately claimed that its software was reviewed by prominent tech sites and received high ratings.

[perfectpullquote align=”full” cite=”” link=”” color=”” class=”” size=””]After Vulcun acquired the Running Fred game, they used it to install a different app, commandeer people’s computers, and bombard them with ads,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.[/perfectpullquote]

Persons concerned reported that the browser extension was opening multiple tabs and windows on their browser advertising various apps. Others complained about the installation of apps on their mobile device without their permission, noting that the apps would reinstall themselves even when deleted. The FTC’s complaint charges that Vulcun’s actions unfairly put consumers’ privacy at risk. By bypassing the permissions process in the operating system, the apps placed on consumers’ mobile devices also could have easily accessed users’ address books, photos, location, and device identifiers.

[perfectpullquote align=”right” cite=”” link=”” color=”” class=”” size=””]The apps would reinstall themselves even when deleted.[/perfectpullquote]

Indeed, once installed, the apps could have gained further access to even more sensitive data by using their own malicious code, according to the complaint. Under the terms of the settlement, Vulcun is now forced to inform the consumers “how [the software] will be used, display any built-in permissions notice associated with installing a product or service, and get users express affirmative consent before the installation or material change of a product or service.”

Furthermore, Vulcun had to take back that their product has been endorsed by third-parties or been covered by the media.

While the incident has no direct relation to Vulcun’s core business, the practice leaves a sour taste. It is another blow to a company that started of with lots of premature praise.

UPDATE: Vulcun has issued a response to the FTC report, in which it claims multiple inaccuracies. First, Vulcun claims that it did indeed have an opt-in to the app update which allowed for downloading of apps, counter to the FTC’s claim that this was done without users’ permissions. Vulcun explains this by stating that users had forgotten they agreed to the new terms. Additionally, Vulcun claims that it did not spam ads to its users, and that it shut down the program nine months prior to the FTC investigation, countering the FTC’s claim that it stopped the practices. Vulcun furthermore charges the FTC with violating its own policies: