Popular cloud storage app hides a rather nasty surprise

Mobile technology company Upstream has discovered that the popular app 4shared has been triggering suspicious background activity on Android devices by delivering invisible ads, generating fake clicks and carrying out purchases of premium digital services while reporting real views, clicks and purchases to ad networks.

The firm's security platform, Secure-D, managed to detect and block over 114m suspicious mobile transactions initiated by the app originating from 2m unique mobile devices across 17 countries.

If Upstream had not blocked these transactions, they would have subscribed users to premium digital services, potentially costing them up to $150m in unwanted charges. The suspicious activity, which is still ongoing, is mostly centered in Brazil while Indonesia and Malaysia were the other top affected markets.

Upstream's CEO Guy Krief provided further insight on the company's discovery, saying:

“The growing sophistication of disguised malware in the form of seemingly benign and quite often very popular applications together with the scale of the issue can no longer be ignored. No entity in the mobile ecosystem remains unaffected. From app developers, ad networks and publishers, to advertisers, malware is putting a dent in both their credibility and earnings. Mobile operators, more often than not, are taking the blame while consumers not only remain widely unprotected and unwarned but are called to foot the bill. Mobile ad fraud, a $40 billion industry, will reign unchallenged unless increased mobile security rises up in the industry’s priority list”.


4shared is a popular and highly-ranked Android app that allows users to store and share video and audio files. The app has generated over 100m downloads on the Play Store and is ranked second in its category in Austria, 7th in Italy and 10th in Switzerland.

Back in April of this year, the app was abruptly removed from the Play Store and then replaced the following day. Instead of updating the app, its developers submitted an entirely new app which kept the original 4shared icon. The new app has already been downloaded over 5m times and it does not contain any of the code responsible for the suspicious activity. However, over 100m users who installed the old version of 4shared remain affected.

The Secure-D investigation found that the old 4shared app contains Software Development Kits (SDKs) with embedded and obfuscated hard-coded links to Command & Control servers that access online ads via a series of redirections. A JavaScript file is then downloaded by the app that triggers automated clicks and sets cookies to determine whether a “click” has already been made for a specific ad in the past.

The app also sends personal data to several servers located in the British Virgin Islands and the US after receiving user consent. Secure-D also discovered that 4shared is attempting to mask its identity while conducting suspicious activity by assuming the names of legitimate apps.

If you have 4shared installed on your device, it is recommended that you uninstall it immediately. Those who wish to learn more about the incident can read the full report on the investigation.
