A scareware campaign has been uncovered that pushes a ‘free’ VPN app called MyMobileSecure to iOS users via rogue ads on popular torrent sites. The VPN app itself appears to be real—but researchers say its privacy policies are dubious, at best.
The first interesting thing is the malvertising campaign that’s pushing the app. When using iPhone to visit certain sites, a pop-up page plays an ear-piercing beeping sound and claims the device is infected with viruses.
According to Malwarebytes Labs, the verbiage is almost hysterical: “We have detected that your Mobile Safari is (45.4%) DAMAGED by BROWSER TROJAN VIRUSES picked up while surfing recent corrupted sites.”
Clicking the pop-up takes a person to a fake website advertising the MyMobileSecure VPN, which, it says, will remove “infected applications and files”. Tapping on ‘Remove Virus’ button opens up the App Store to download the app.
“Such alerts on mobile devices are not new and sadly commonplace via may ad networks these days,” said Malwarebytes researcher Jérôme Segura, in a blog. “Usually, aggressive affiliates remunerated per lead will use these kinds of tactics to drive traffic to game apps or even tech support scams.”
From there it gets dicier. In order to activate the free VPN app, users must join the MobileXpression research community. Doing so is the legal equivalent of “opting in” to the company’s privacy policy, which notes that it will be collecting all kinds of information about the user.
“According to their website, MobileXpression is a market research panel designed to understand the trends and behaviors of people using the mobile internet,” Segura said. “This seems a bit peculiar when applied to a VPN product, whose goal is to precisely anonymize your online activity by encrypting your data from your ISP, government, bad guys, etc.”
In the privacy policy, MobileXpressions says that it may obtain “your contact information and some basic demographic information about you using a questionnaire, information from companies through which you obtained or inquired about this program, or the application that you install onto your mobile device and allow to track your Internet usage.”
That tracked “internet usage” information may involve: “messaging services, mobile web browsing activity, usage and titles of downloaded applications and files as well as usage of cameras, video streaming and other utilities on the mobile device as well as usage times for certain device activities (e.g., text messaging, call lengths, and web browsing).”
The policy also states that it will send the user surveys and questionnaires.
“Often times, affiliates are not properly policed and we observe scare tactics to force the installation of various pieces of software,” Segura said. “It’s important to note that those affiliates are normally distinct from the software vendors themselves, but scammy behaviors end up reflecting poorly on everyone.”
In this particular case, “one cannot help but feel that this VPN application comes with some serious baggage and unfortunately the average user will not take the time to review the fine details. If the intent is to use a VPN to anonymize your online activities, this does almost the opposite,” he added.