Written by James Orme Thu 4 Jul 2019

4shared was covertly generating fake clicks and purchases, and sending personal data to servers in the British Virgin Islands

Researchers working for Upstream’s security lab have discovered that a popular cloud storage app has been triggering and hiding suspicious background activity.

4shared, which has over 100 million downloads, has been delivering ads to users that generate fake views, clicks and purchases, and reporting fraudulent engagement metrics back to advertising networks.

The service is developed in Ukraine by IT firm New IT Solutions, which set up the secretive scam so that users were none the wiser to the malicious activity taking place under their noses.

Suspicious transactions

The researchers discovered the operation after blocking more than 114 million suspicious mobile transactions originating from 4shared, from 2 million unique devices across 17 countries. The transactions could have cost users up to $150 million (£118 million) in unwanted airtime charges for subscriptions to digital services that they did not initiate, the researchers said.

In addition to unwanted charges, the app was transferring users’ personal information, including device IDs, user IDs, age and gender, to servers in the British Virgin Islands and the US.

On 17th April, 4shared replaced the app on the Google Play store with a new version free from malicious code. But the company continues to support the affected version, still used by 100 million users, while attempting to mask its own identity, Upstream said.

“Instead of appearing under its own name, it assumes the names of either existing legitimate apps (like com.chrome.beta – the new beta version of Google’s Chrome browser) or non-existing ones,” the researchers said.

“The app seems to be using multiple fake names at the same time which it regularly and simultaneously changes (see graph below).”

Upstream cautioned that mobile ad fraud is growing in frequency and sophistication. The company advises Android users to install apps only via Google Play, and only after checking reviews, developer details and requested permissions.

“Mobile ad fraud is growing in frequency and sophistication. To avoid falling victim to mobile ad fraud, Android users should immediately check their phones to see if they have any suspicious app installed. If so, they should uninstall it immediately and review any recent mobile airtime charges for possible fraud,” the researchers said.