Innocent Chrome game used as cover for many tentacled Android invader

The Federal Trade Commission (FTC) has settled a case against a pair of developers who bought a nice, mild-mannered, browser-based Chrome game called “Running Fred” and turned it into the app equivalent of a spam-spewing facehugger.

As the FTC had said in its original complaint (PDF), the developers swapped out the 4.5-star rated game with their own extension, “Weekly Android Apps,” which they claimed was featured on sites like LifeHacker, MacRumors and Engadget, had been installed by 200,000 users, and provided “impartial, independent selection of apps.”

The reality: no, nope, and nosirree.

In fact, developers Ali Moiz and Murtaza Hussain, who run a software outfit called Vulcun, received payola for installing some of those apps on people’s mobile Android devices – without permission, mind you.

The apps were installed directly onto unwitting Android devices as the extension bypassed the operating system’s permissions process.

As far as the 200,000 user base and the 4.5-star ratings go, those actually belonged to the poor old parasitized Running Fred.

Weekly Android Apps opened additional windows, reset the users’ home page for their browsers, repeatedly opened new tabs or windows, and popped up yet more new windows after users closed the first unwelcome new windows.

Their cries of pain included these two users’ complaints:

This was installed automatically somehow, it has something to do with a . . . bug that has infected my Chromebook. On Chrome I have tabs opening by themselves advertising this poker and other Play Store items saying ‘click here to install on your phone.’ I have never authorized this tab. Please stop these people!!!!

I didn’t ask for this extension to be installed, and there was no notification that it was being installed, yet it just showed up in my browser! I only found out about it because Chrome informed me that it was taking over my home page! How did this happen?

Weekly Android Apps also reached its tentacles into mobile devices without permission.

Once it was installed on desktop browsers, it would redirect the users’ browsers to the Google Play Store, from which it would sniff out and click on the “Buy” buttons associated with mobile apps.

Lo and behold, the user would be surprised to find unfamiliar, unexpected apps infesting their mobile device. If a user tried to delete those apps, new ones would spring up.

Complaints from the mobile dystopia:

[It] keeps reinstalling itself. … It’s happening to my wife’s phone too. Help!

It continuously installs itself to my system without my consent no matter how many times I try to uninstall it. Others are also experiencing this. This ‘application’ might be a virus.

There was even more going on beneath the surface. And yea, the FTC said, it was kind of virusy.

The FTC said that because Weekly Android Apps secretly accepted the default Android permissions request, the apps could have gained immediate access to users’ address books, photos, locations, and persistent device identifiers.

It all adds up to conduct the complaint (PDF) alleged to be unfair under the FTC Act.

From the FTC’s press release:

By bypassing the permissions process in the Android operating system, the apps placed on consumers’ mobile devices also could have easily accessed users’ address books, photos, location, and device identifiers.  Indeed, once installed, the apps could have gained further access to even more sensitive data by using their own malicious code…

Under the terms of the settlement (PDF), the defendants will be required to:

  • Tell consumers about the types of information that will be accessed and how it will be used
  • Display any built-in permissions notice associated with installing a product or service
  • Get express affirmative consent before installing or materially changing a product or service.

The settlement also prohibits the developers from cooking up third-party endorsements or media coverage; from misrepresenting how users’ personal data is collected and used; from misrepresenting how much control users have over the collection, use or sharing of their data; or from obscuring the extent to which they maintain the privacy or security of users’ information.

If Vulcun violates any of the settlements terms, it could face further complaints and fines from the FTC.

FTC consumer protection bureau director Jessica Rich:

After Vulcun acquired the Running Fred game, they used it to install a different app, commandeer people’s computers, and bombard them with ads.

We’re very pleased we were able to stop these practices.

UPDATE: On Tuesday, 9 February, Hussain published a blog post with Vulcun’s side of the story. Among other things, he clarified that the FTC didn’t “stop these practices,” given that the developers had themselves, in response to complaints from about 20 customers, stopped what they said was their first and only paid app promotion.

Hussain also says that counter to the FTC’s claims, Vulcun’s apps were opt-in. The complainers must have forgotten that they’d opted in, he said:

[S]ome people will always forget the[y] opt’ed in and get su[r]prised when they receive the app.

An FTC spokesman told me that the agency stands behind the facts as stated in the complaint and settlement. However, given that it didn’t stop anything, the FTC has updated its press release to change the quote from consumer protection bureau director Jessica Rich. The agency swapped the phrase “stop these practices” for “prohibit these practices going forward,” to reflect the fact that it took steps to ensure that Vulcun doesn’t repeat the alleged actions.