Popular cloud storage app, 4shared, has been caught using fake ads to take users’ money without consent, according to security researchers.

The file-sharing app, which has 100 million installs on Android, is allegedly displaying secret ads and, unknowingly to users, is subscribing them to paid services. Something which is supposedly adding up to millions of dollars in un-solicited charges.

Researchers for Upstream’s security lab discovered that ads were being used to create fake videos, views, and clicks.

How it works

Speaking to TechCrunch, Guy Krief, chief executive of Upstream said: “It happens in the background…nothing appears on screen.”

The way that money is being taken is through third-party code which appears on the app and makes automatic clicks that lead to illegal purchases.

It is thought that the money is being sent over to the British Virgin Islands as 4shared is owned by New IT Solutions, who are based there.

Elephant Data

Elephant Data, a Hong Kong-based company, are the ones who built the components for the app, which automatically generates clicks that lead to the fraudulent subscriptions. Cookies are then used to presumably hide that the action has taken place.

From April, 4shared no longer appeared on Google Play and instead had been replaced by an app that was almost the exact same, just with the previous Elephant Data-built component removed.

4shared have claimed that they will no longer be working with Elephant Data. However, the components created by Elephant Data cannot be removed by 4shared, and Reddit users have commented that if the app is not updated, then data can still be collected.

Changing names

Upstream said that despite the taking down of the old app from Google Play, 100 million people were still using the old platform.

The researchers warned users of the app by saying: “Instead of appearing under its own name, it assumes the names of either existing legitimate apps (like com.chrome.beta – the new beta version of Google’s Chrome browser) or non-existing ones.”

They continued: “The app seems to be using multiple fake names at the same time which it regularly and simultaneously changes.”

Being aware of problems

Over 114 million mobile transactions were blocked by Upstream that were flagged as suspicious and coming form 4shared. These came from 17 countries and 2 million unique devices. It’s thought that overall, these unwanted transactions would add up to £118 million in airtime charges.

The investigators said that this type of fraud is a growing trend and that those downloading apps need to be vigilant when doing so, making sure to check reviews and developer details.

They said: “Mobile ad fraud is growing in frequency and sophistication. To avoid falling victim to mobile ad fraud, Android users should immediately check their phones to see if they have any suspicious apps installed. If so, they should uninstall them immediately and review any recent mobile airtime charges for possible fraud.”

As well as money, personal data was also being sent off to the British Virgin Islands. This included information such as gender, age, user ID’s, and device ID’s.