There are a plethora of Android apps that allow you to download videos and music files from popular websites such as YouTube, Instagram, Facebook, and more. Since doing that isn't exactly legal or sanctioned by Google, these applications live completely outside the Play Store, which means they lack any substantial malware protection. Some apps take advantage of this, and popular third-party downloader Snaptube turns out to be one of those. Security platform Secure-D has found evidence of fraudulent advertisement clicks in the background and unwanted, automatically created subscriptions which the owner of the phone has to pay for.

After hearing reports of users receiving unwanted, spammy subscriptions on their phones, Secure-D launched an investigation and found that they originated from clicks performed by the third-party SDK Mango. The SDK is part of Snaptube and has been used for ad fraud in another app from the same developer, Vidmate. The program communicates with a command and control server, from which it retrieves advertisements and subscription services that it then tries to sign users up for. Using JavaScript code and hidden webviews, it would also click through advertisements to generate further fraudulent revenue for the developers.

Snaptube was launched in 2014 and is developed by China-based Mobiuspace, which also offers a few apps on the Play Store. Hopefully, those are not affected by malware. We reached out to the developer for comment, but haven't heard back so far.

Clarification: A previous version of this article stated that the company behind the app was called Mobiusspace (two s) while it's actually Mobiuspace (one s). We've updated the post to correct this.

UPDATE: 2019/10/23 12:49am PDT BY MANUEL VONAU

Mobiuspace states third-party SDK is to blame, has since pulled it from the app

Snaptube developer Mobiuspace issued a statement saying the third-party Mango SDK was solely to blame for the fraudulent subscriptions and ad clicks. It identified and removed the kit back in August, and says it sent out notifications and in-app information asking users to update to a more recent version. Mango SDK is the same software Secure-D found to cause rogue behavior in Mobiuspace's other app Vidmate back in May, so it's staggering the company has only now removed it from Snaptube.

Read the statement below:

We recognize the malware issue around Snaptube app from the source of Upstream (https://www.upstreamsystems.com/fraud-alert-popular-video-app-snaptube-needs-careful-watching/). We are reaching out to provide further clarification. Recently, news broke out about suspicious activity in Snaptube, related to our collaboration with a third party known as Mango SDK, which allowed fraudulent ad practices that run against our beliefs and commitment with our users.

Since August 16th, the date we noticed the issue directly related to this third party SDK, we took immediate actions and released an update which took Mango SDK off in the subsequent versions, as well as sent out notifications to all users to update to the latest version through in-app pushes and notifications.

In addition, there are many small channels & developers that promote old versions of our apk or even counterfeit versions of Snaptube, which we could not regulate or control. We re-emphasized through various social media channels that the current versions downloaded from our official site (https://snaptube.com and https://snaptubeapp.com) and a few other main third party app stores (such as UptoDown & Aptoide) which we personally maintained are covered in the update.

While we regret that the epidemic of the fraud activity may not get down to an absolute zero after multiple actions taken to disassociate the SDK’s influence over existing users, which may partly be due to the SDK running in the background for those users who haven't yet updated.

We firmly believe in our core value of “create value for users”, and having SDKs that endanger our users is something we couldn’t tolerate ourselves. We’ve decided to take a further step to offline all third party advertising SDKs to avoid further complications; we are also looking to take initiative to achieve potential collaboration with a security monitoring company like Upstream to constantly monitor our app to prevent similar issues.

Source: Secure-D