VivaVideo is one of the biggest free video editing apps for Android, with at east 100 million installs on the Play store. Unfortunately, the app also has a history of malware: in 2017, it was mentioned as one of 40 apps suspected of spyware in a country-wide advisory for all Indian military and paramilitary troops, with a recommendation to delete the apps immediately.
This video editing app also asks for a wide host of dangerous permissions, including the ability to read and write files to external drives, plus the user’s specific GPS location (which is definitely not needed for a video editing app).
VivaVideo is developed by QuVideo Inc (operating as VivaVideo), a Chinese company based in Hangzhou. This app developer also creates SlidePlus (1M installs), with similarly unnecessary dangerous permissions, plus a paid version of VivaVideo. While it may seem that QuVideo has only 3 apps on Play, we found 5 total apps within its network.
On Apple’s App Store, we see that QuVideo actually develops 4 apps – VivaVideo and SlidePlus, in addition to the apps VivaCut and Tempo. These last two apps are published on Play under different developer names, hiding their connection to QuVideo Inc.
Beyond that, we discovered that QuVideo also owns the popular Indian app VidStatus, which has more than 50 million installs on Play. VidStatus, which is a “video status” tool for WhatsApp, asks for a whopping 9 dangerous permissions, including GPS, the ability to read phone state, read contacts, and even go through a user’s call log. The app was also identified as malware by Microsoft, containing a Trojan known as AndroidOS/AndroRat. These kinds of trojans can steal people’s bank, cryptocurrency or PayPal funds.
QuVideo does not officially claim VidStatus, VivaCut or Tempo on the Play store. Another major Indian social video app related to WhatsApp, known as ShareChat, has three suspicious connections to QuVideo, including having the same API key within the app file (APK), similar homepages and URL structures.
Because of this history of malware and active trojan, and that QuVideo hides its connection with some of their apps, we recommend users practice caution with any of these apps. In general, if users find that these QuVideo apps provide no real benefit, we recommend deleting them from their phones as soon as possible.
- QuVideo Inc is a Chinese company that also operates under the names XiaoYing and Hangzhou Zhuying Technology Co., Ltd. The 5 apps in the QuVideo network have at least 157 million installs
- QuVideo’s VivaVideo app was identified as spyware by the Indian intelligence community in 2017
- Another app from the QuVideo network, VidStatus with 50 million installs, was identified by Microsoft for containing a remote access Trojan known as Android/AndroRat
- VidStatus requests 9 dangerous permissions, including reading phone state, GPS, video and audio, and more, while the Tempo app unnecessarily asks for 4 separate location permissions
- 2 of the apps ask for BACKGROUND LOCATION and ACCESS LOCATION EXTRA COMMANDS, which can give the app even more data about the user’s location
- Apps are requesting 2-9 dangerous permissions, with an average of 5 dangerous permissions
QuVideo’s known and unknown apps
On the Play Store, VivaVideo lists its app developer as “QuVideo Inc. Best Video Editor & Video Maker App.” Under this developer, there are three apps on Play:
- VivaVideo PRO Video Editor HD
- SlidePlus – Photo Slideshow Maker
Taken together, those apps have more than 101.5 million installs.
The iOS version of ViVaVideo lists its app developer as QuVideo Inc. On the App Store, QuVideo Inc. has four apps – two from above (VivaVideo and SlidePlus) and two new ones:
- Tempo – Music Video Maker
- VivaCut – Pro Video Editor
Furthermore, on the English language version of its website (vivavideo.tv), QuVideo simply lists its company name as “VivaVideo”. However, on the Chinese language versions of its site (for both quvideo.com and xiaoying.tv), it goes by Hangzhou Zhuying Technology Co., Ltd.
There are two interesting things about Hangzhou Zhuying Technology Co., Ltd.
- According to this press release, it is listed as a “Chinese commercial vehicle automated driving solution provider”. Also, at some point in the past it changed its name to Fabu Technology Limited.
With all of this information combined, we can see that there are in fact six apps within the QuVideo family, and not three as in Google Play’s QuVideo listing:
- VivaVideo PRO Video Editor HD
- SlidePlus – Photo Slideshow Maker
- Tempo – Music Video Editor with Effects
- VivaCut – Pro Video Editor APP
- VidStatus – Status Videos & Status Downloader
These apps have more than 157 million installs combined. But the number is likely much bigger — while VivaVideo’s Google Play page shows it has 100 million+ installs, its About Us page shows that it already has 380 million users worldwide:
It’s also important to state that the install number is probably even bigger than 437 million, since Apple’s App Store doesn’t provide install numbers. However, SensorTower data shows that QuVideo had 3 million installs in April for all its iOS apps (plus a revenue of $2 million for just that month):
However, there’s one other app we feel we should mention.
QuVideo and ShareChat
ShareChat – Make Friends, WhatsApp Status & Videos is a video app that’s very popular in India and similar in function to QuVideo’s VidStatus. As of May 2020, ShareChat had at least 100 million installs on Play alone (and doesn’t seem to have an iOS version).
In analyzing ShareChat and QuVideo’s apps, we noticed three suspicious similarities.
First, the APK files for various QuVideo apps have an exposed API key for Google’s Safe Browsing feature. API keys are supposed to be unique for each app, although in some bad practices they are used across multiple apps from one app developer. Here’s one exposed key for VivaVideo:
ShareChat has the same API key:
Second, QuVideo’s VidStatus homepage and ShareChat’s homepage look remarkably similar:
Lastly, both VidStatus and ShareChat have similar URL structures for navigating to their company page, to find out more about the product:
Beyond that, both the Indian branch of QuVideo Inc. (based on the address listed on the VidStatus site) and Mohalla Tech are based in Bengaluru in India. In fact, they’re just a 15-minute drive away from each other:
However, we have not been able to confirm the connection between ShareChat’s makers – Mohalla Tech Private – and QuVideo Inc/Hangzhou Zhuying Technology Co., Ltd.
We reached out to the Mohalla Tech Private and QuVideo Inc teams for comment on these similarities, but they haven’t responded to our requests yet. We will update here if we receive any response from them.
History of malware and other dangers
Two QuVideo apps have a history of malware or other dangers.
First, there’s the most popular app, VivaVideo, which in 2017 was identified by the Indian government as being spyware or malware. The information comes from several Indian intelligence agencies like the Research and Analysis Wing (RAW) and National Technical Research Organisation (NTRO). They advised that all military members delete this and 41 other apps from their phones immediately for fear of Chinese espionage.
Secondly, as part of our app analysis we run the APKs (app files) through a virus scan on VirusTotal, which is an online service that aggregates many antivirus products and online scan engines. When we checked VidStatus on VirusTotal, it came back positive:
Microsoft analysis identified VidStatus’ app as having the Trojan:Android/AndroRat. According to F-Secure, this is a remote access tool that is “embedded into a ‘carrier’ app (essentially trojanizing). Once the app is installed onto a device, the embedded RAT allows a remote attacker to control the affected device.”
We asked the VidStatus team for specific comment on this RAT issue, but they haven’t responded yet. We will update here if and when they respond to our request for clarification.
The dangerous permissions they’re asking for
Let’s take a quick look at the dangerous permissions that these apps are asking for:
|Dangerous permission||No. requested||Permission description|
|READ_EXTERNAL_STORAGE||5||This allows the app to read through your saved files, including system logs, other apps’ files, etc.|
|WRITE_EXTERNAL_STORAGE||5||This allows apps to upload files to users’ device storage.|
|ACCESS_COARSE_LOCATION||3||This permission allows apps to gather a user’s general location via wifi and/or mobile cell data.|
|ACCESS_FINE_LOCATION||3||This presents a high risk to privacy, since most apps don’t seem to need it at all. This permission allows apps to use GPS, cell data and/or wifi to get a user’s precise location.|
|CAMERA||3||This gives apps permission to access the device’s camera.|
|READ_PHONE_STATE||2||This permission allows apps to gather information about a user’s phone: the phone number, cellular network information, connected registered phone accounts, and status of ongoing calls.|
|RECORD_AUDIO||2||This allows any app to record audio and store that audio either on the device or on the app servers.|
|ACCESS_BACKGROUND_LOCATION||1||This allows the app to have constant access to your location, even if the app is not in use.|
|READ_CALL_LOG||1||This allows apps to read the user’s call history.|
|READ_CONTACTS||1||This allows apps to look through your phone contacts.|
As you can see, all 5 apps that we analyzed (we didn’t look at the premium version of VivaVideo) asked for the ability to scan through and edit files on the external SD card. This means that these apps will be able to look at any files you have stored there, as well as upload its own files or make other changes to files saved there.
Beyond that, it is interesting that, although all apps are related to video or video editing, only 3 of these 5 apps request camera permissions, while only two require audio access.
Lastly, these apps are – unnecessarily – requesting access to users’ exact locations. Even more, one app – the Tempo music editor – wants to access users’ background location data. The background location dangerous permission allows an app constant access to a user’s location, even when they’re not using the app.
This app, Tempo, also asks for the permission to access extra location commands (android.permission.ACCESS_LOCATION_EXTRA_COMMANDS), which allows for additional location demands. While they’re fairly technical in nature, according to the Android Permissions blog, this could be used maliciously “to interfere with the operation of the GPS or other location sources.”
QuVideo’s three riskiest apps
Out of all of these apps, there are three QuVideo apps that are the most risky in the types of permissions they’re requesting.
|App Name||No. of dangerous permissions||App Permission name|
|VidStatus – Status Videos & Status Downloader
Google Play installs: 50 million
|VivaVideo: Video Editor & Video Maker
Google Play installs: 100 million
|Tempo – Music Video Editor with Effects
Google Play installs: 500,000
First is VidStatus, which here asks for 9 total permissions. This includes the reading and writing to external storage, as well as the ability to read through users’ contacts, their call logs, access their camera, turn their microphone on and off, check the state of their phone, and get their GPS coordinates. This app, by the way, was one identified by Microsoft as containing a remote access trojan.
The next riskiest app is QuVideo’s flagship app, VivaVideo, which has at least 380 million installs. While it does ask for fewer dangerous permissions, these are still risky, seeing as some of these – like the location permissions – are absolutely unnecessary. Furthermore, it’s important to remember that this app was identified by the Indian intelligence community as being spyware.
Lastly, there’s Tempo that I discussed above, which asks for four total location-related permissions (three of them labeled ‘dangerous’) in addition to the storage requests: It’s also important to note that Google Play’s policies restrict use of the background location permission to “apps that need it for their core functionality” – and a video editor does not meet that requirement.
The risks of unnecessary dangerous permissions
When looking at these apps and the requested dangerous permissions in general, it’s important to understand the risks and what QuVideo might be doing.
Data for money
The most obvious, and most likely, reason that any app developer for a free app would be requesting so many unnecessary dangerous permissions is to sell your information to data brokers.
One of the most lucrative data types is your location data. Using such permissions like Tempo is asking for – four different location permissions – can allow apps to send your location data up to 14,000 times per day, even when you’re not using their apps. This data can net app developers a good sum of money, with some data brokers paying $4/month for every 1,000 active users.
Using that rate, and estimating 5% of QuVideo’s total installs being monthly active users (MAUs), that comes out to more than $30,000/month:
157 million x 5% MAUs x $4/1000 MAUs = $31,400 per month
This revenue may be in addition to SensorTower’s estimated $2 million per month QuVideo is making from its iOS apps.
Other illegal uses
However, there’s always the possibility that there are more malicious things happening in the background. Out of the 5 confirmed apps within the QuVideo network, two have a known history of malware: one spyware, and another a remote access trojan.
Considering that, it’s worthwhile to note that other unethical app developers have used dangerous permissions such as launching ransomware against their own users, or selling personal data on the black market.
In general, there are some important considerations users need to be mindful of when looking at apps within the QuVideo network:
- They have a history of spyware and active remote access trojans
- They’re requesting a large amount of unnecessary dangerous permissions
- They are for the most part located in privacy-unfriendly China
We’ve discussed the first two points already extensively, so let me take this moment to look at the third: China.
While most of these QuVideo apps are transparent in their Chinese location, we found that VidStatus lists itself as being based in India, while VivaCut has a Hong Kong address on their respective Play pages. While these are true to an extent, they may not be perfectly transparent in their connection to China.
Chinese apps are not inherently dangerous or bad. However, the Chinese government has shown itself, time and again, to not care for user privacy. This includes the Great Firewall, its new social credit system, and of course its strict data retention laws, which require not only that servers carrying user data be hosted in China, but that those servers provide unfettered access to Chinese authorities.
Therefore, there’s a high risk that any user data processed by Chinese companies will be accessible to Chinese authorities. And that’s a risk that needs to be taken into account. It’s for this reason that US Rep. Jim Banks of Indiana is proposing legislation that would force app stores to put a warning label on apps coming from countries like China that pose security risks for Americans.
Finally, there are ways to mitigate these risks, such as not granting the dangerous permissions these apps are requesting. However, some normal permissions like the “location extra commands” are not granted by the user, and therefore it can’t be revoked by the user.
Alternatively, if users still don’t feel comfortable with this, they always have the option to delete the apps entirely.