SnapTube discovered faking ad clicks and defrauding 40M users

Photo by Rami Al-zayat on Unsplash

Cybersecurity researchers have flagged more than 70 million advertising clicks submitted by the popular video downloading app called SnapTube because those clicks were apparently non-human, practically defrauding their users and the advertising platforms that pay them for the clicks in the ads in the app.

Secure-D, the cybersecurity leg of Upstream, said that they have detected and blocked more than 70 million suspicious mobile transaction requests from SnapTube. They noted that these transactions are being reported as real ad views, clicks, and conversions, when, in fact, they are non-human clicks.

The report reveals that SnapTube has been faking ad impressions using malware known as Mango SDK (com.mgo) that hides the ads from users. The researchers said that the ads are hidden because users won’t be able to see them on-screen. The Mango SDK (com.mgo) has also been spotted in the malvertising campaign launched by another video downloading app, Vidmate, in the past.

Launched in 2014, SnapTube is an Android application that allows users to download videos and audio files from popular video and music streaming sites, and even social networking apps. It has been developed by China-based Mobiuspace and claims that it has at least 40 million active users around the world. Snaptube is available from third-party app stores like,, and UC 9Apps.

Through the investigation made by the cybersecurity researchers from Security D, more than 70 million fraudulent mobile transactions originating from at least 4.4 million unique devices in the past six months. The researchers highlighted that if these transactions were not blocked, they could have triggered the purchase of premium digital services in SnapTube. This means that users will be charged for a subscription fee without their knowledge, which would sum up to a total of $91 million in unwanted premium charges.

Screenshot of subscription confirmation SMS without user action from SnapTube. Photo: Secure-D by Upstream

In the report, the researchers said that the operation is still on-going, which means that in order for people to avoid falling victim to this malvertising campaign, they should uninstall the app immediately. Most of the suspicious activities originated from devices in Egypt, Brazil, Sri Lanka, South Africa, and Malaysia, the Secure-D said.

“Static and behavioral analysis showed that Snaptube was communicating with a command and control (C&C) server in order to identify subscription services, then attempting to subscribe to the end-user to those services. The returned data is encrypted and compressed using the gzip algorithm,” explains the researchers.

The infected devices which have Snaptube installed into it was found to contain SDK frameworks with obfuscated hardcoded strings related to advertising services with some objects containing advertising offer URLs that could be triggered to perform automated clicks.

The discovery made by the researchers is emblematic of how dangerous it is to use applications that are only downloadable from third-party app stores as they were not vetted by the verification processes of legitimate app marketplaces like Play Store.

“Compromised mobile apps and mobile ad fraud remain a rising issue that affects everyone. To avoid falling victim to unwanted purchases or lose pre-paid credit, Android users, in particular, should check their phones to see if they have any suspicious apps installed. If so, they should uninstall them immediately and review any new mobile airtime charges for possible fraud,” warns the researchers.

Be the first to comment on "SnapTube discovered faking ad clicks and defrauding 40M users"

Leave a comment

Your email address will not be published.