Malware report for appjolt.com

Executive summary

appjolt.com appears to be an iOS and Android library/SDK meant to be bundled with other apps. What it does puts it in the class of malware usually referred to as spyware, and it is even worse than the typical advertising network libraries that show in-app advertisements during use. Therefore, do not include this library/SDK in your app if you want to retain a decent reputation with your users.

How I know about it

As with so many advertising networks, I was totally unaware of appjolt.com. The reason is simply that I release (nearly) all my software as open source and do not have to make money off it, having a day job in academia. Advertisements are the last thing I would like to add to my software. I only heard of appjolt.com due to an unsolicited commercial email (UCE, also known as SPAM) from their “director of business development”, which I quote here in full and without reformatting, to protect the innocent (users) from the guilty (appjolt.com):


Hi Rene Mayrhofer,

Did you know you can finally Make Money when your app Users Uninstall Ipv6Config (Root Required)?

Android Developers like you are already getting **paid the highest eCPMs on their app uninstall traffic. **

We’ve developed a unique solution that lets you earn ad revenue every time a user uninstalls your app.

It’s 100% Google Compliant and will let you instantly earn daily revenues you never thought you could.

We’re so confident that you’ll love our solution, we’ll deposit $50.00 in your account today. Just sign up and start monetizing your app uninstalls. Get started here!


Kindest Regards,

Kathy


Kathy Lee

Director of Business Development

Skype: kathyappjolt

Mobile: 646-300-2047

kathy@appjolt.com

www.appjolt.com

<some links to typical social networks removed here so as not to insert advertisement network trackers into my otherwise clean webpage>

P.S. Thank you for your time and interest, if you’d like me to stop contacting you and remove you from my prospect list, please reply with the word “REMOVE



Seriously?

Now, before going into appjolt.com itself, let me point out what is wrong with this email:

  1. It is SPAM. I never had any previous contact with this company, nor have I indicated that I would like to know of their product. And no, my email address is not on any opt-into-commercial-email lists. Therefore, this email is unsolicited (this term will be important later on).
  2. They assume that, when users are not happy with my app, I want to shove other apps down their throats. Ok, I know my app is not perfect and that it needs more time to work on than I currently can spare. It is OK if some users don’t like it, grow tired of any potential problems, or no longer need it. It is OK if they uninstall it. That process should then be as painless as possible. Making users click through surveys and “Oh, we have this special offer just for you, my friend” come-back messages is something I loathe. It is the main reason why I uninstalled some free Windows anti-virus applications. Getting rid of something should not cause additional pain.
  3. Did you even check the spelling of the introductory sentence before getting your bot to fire off the email to data leeched from the Google Play Store? Why would you put “(Root Required)” in that question? Do I need root to make money with your dodgy scheme?
    [Yes, I am being cynical here, but as should be clear to anybody actually using Android apps, the best way not to confuse users is to put the requirement for root in the app title. This does not mean that it is part of the name of the app.]
  4. The most glaring problem: if you actually bothered to check the description of IPv6Config either on the Google Play Store or on my webpage, you might realize that it is intended as a tool to improve end user privacy against tracking by network services. With an open-source privacy-enabling tool offered completely for free, why do you think I would like to add spyware to it?
    The only conclusion is that appjolt.com crawls the Google Play Store and sends bulk email to anybody who might not complain too loudly, without ever checking whether their product fits the app’s intention or not. Please take this blog entry as a loud complaint against such practice.

I would like to add that I typically treat emails sent personally and in good faith to one of my private addresses in confidence, as I would treat a personal letter. Making an email public is something that feels wrong to me and that requires a good reason. In this case, the reason is to warn other app developers who may be tempted by their promise of quick money while complying with the Play Store policy (whatever they mean by it). Legally, I am referring to clause 7 of their own privacy policy for the right to do so (they think that they can apply this clause to anybody who is in communication with them, which, since appjolt.com sent me a direct email, obviously seems to include myself):

7. Unsolicited materials

Any unsolicited materials submitted or sent to Appjolt, will be deemed to be not confidential or secret. By submitting or sending information or other material to Appjolt you: (a) Warrant that you have all rights of any kind to the material and that to the best of your knowledge no other party has any rights to the material; (b) Unless stated specifically otherwise therein, grant Appjolt an unrestricted, perpetual, irrevocable license to use, reproduce, display, perform, modify, transmit and distribute the material, and you further agree that Appjolt is free to use any ideas, know-how, concepts or techniques you send us for any purpose, without any compensation to you or any other person. In order to remove all doubt, Appjolt’s privacy related obligation of this Privacy Policy shall not apply towards unsolicited information.

[Bold highlights are mine, but the text is copied verbatim as of the time of this writing.]

appjolt.com is spyware = malware

I have not downloaded the appjolt.com SDK so far. However, the privacy policy is enough to clearly verify that this is indeed spyware and therefore belongs to the class of malware. The consequence is that all apps that bundle appjolt.com software also need to be classified as malware, since they directly include all the spyware components. If asked, I will advise anti-virus companies to include the respective signatures and behaviour checks in their malware databases.

Let’s go through some of the most atrocious clauses in the appjolt.com privacy policy (the version “last updated December 2014”, which is unfortunately not yet available at the Wayback Machine at the time of this writing, so it might already have changed by the time you read these lines):

By clicking the “OK” or “ACCEPT” button when first prompted after the installation of the mobile application linking to this privacy policy (the “Privacy Policy” and “Affiliated Application”, accordingly) as portrayed on the License Agreement prompting on such Affiliated Application, you are agreeing to comply with, and be bound by, the following Privacy Policy, and when applicable any other Appjolt operating rules policies, and other supplemental terms and conditions or documents that may be published from time to time. Please review the Privacy Policy carefully.

Erm, no, not acceptable. By the time you can read and “accept” this policy (i.e. after installing an app that bundles appjolt.com), the malware has already been installed. Running and uninstalling the app will trigger the spyware and already send all personally identifiable data to their servers. And it gets even worse in clause 5 below.

3. Information We Collect From You

When you install an Affiliated Application on your device that uses our Service, we may automatically collect certain information from your device, including an Android or other ID, device make and model, mobile web browser type and version, IP address, MAC address, the device’s operating system’s make and version, locale information, MCC (Mobile Country Code) information, the mobile application name, a list of mobile applications installed on your device and other technical data about your device.

Ok, this is pretty standard spyware stuff. Nothing especially noteworthy here: they just collect all the standard identifiers (Android ID, MAC address, IP address, the list of installed apps, etc.) needed to track users throughout app use, web pages, and so on, and to link profiles from different sources. Bad, but not a lot worse than most advertising libraries bundled with many Android apps at the moment (which are pretty bad in themselves, but at least appjolt.com does not stand out here).

When you install an Affiliated Application, you may also grant the mobile application permission to collect certain types of information via a permission screen consent process. We do not control the permission screen consent process – it is typically run by your mobile operating system (e.g., Android or Apple iOS); HOWEVER, ONCE SUCH PERMISSION IS GRANTED BY YOU ON AN OPT-IN BASIS, WE MAY COLLECT SOME, BUT NOT ALL, OF THE INFORMATION THAT A MOBILE APPLICATION COLLECTS IN ACCORDANCE WITH THE PERMISSIONS YOU GRANT. FOR EXAMPLE, IN ACCORDANCE WITH YOUR PERMISSION TO THE AFFILIATED APPLCIATION, WE MAY COLLECT PRECISE GEOLOCATION, BROWSER HISTORY, COUNTRY, ZIP CODE AND DEVICE IDS (INCLUDING IMEI, DEVICE SERIAL NUMBER AND MAC ADDRESS) AND/OR ANY OTHER PERSONAL OR IDENTIFIABLE INFORMATION (THE “PERSONAL INFORMATION”).

Ah, now we are back in more-evil-than-usual business. They piggy-back on all permissions the host application has been granted (a bundled library runs inside the app’s own process and therefore inherits every permission the app holds), and the clause is so vague that it can include everything, from message contents to pictures, calendar or contacts data, etc. Precise geolocation seems the most tame of those. Even browser history makes me shudder.

Sweepstakes. If you win one of our Sweepstakes, you will be required to provide your first name, last name and mailing address. We may also ask you to provide the following additional personal information (please see the Appjolt Official Sweepstakes Rules for additional details) (i) Social Security Number (depending on the amount or value of your prize); and (ii) a copy of a government issued photo identification. If you win one of our Sweepstakes, we may also require that you complete and submit a release, which allows us to identify you as a winner on Appjolt’s website(s) and in other promotional materials and/or media. For such purpose, we may also ask you for a quote and a photograph. You are not committed to provide Appjolt with the said content; however, lack of full compliance with Appjolt’s request may prevent you from receiving your prize.

Yes, the wet dreams of organized crime, blackmailers, and professional identity thieves. And of advertisers, profilers, and insurance companies. And you may get a “sweepstake” prize for it (e.g. a $25 Google Play Store card…). Sounds like a good deal.

4. How We Use Information

.... cut the smoke and mirrors ....

Legal Disclaimer. Notwithstanding anything to the contrary, we reserve the right to share any information, including Personal Information (a) as required by law and/or to comply with a judicial proceeding, court order or legal process served on Appjolt; (b) when we believe that disclosure is necessary to protect our rights;

So they first talk about how they don’t use “personal information” (omitted above because it is made irrelevant by this disclaimer), unless they believe that they need to protect their rights (most probably their perceived right to make more money). Sounds fair.

5. Opting Out

Service. You may opt-out of receiving questionnaires when uninstalling and updating applications on your device, each time that a questionnaire is opened by our Service and/or through our opt-out web form located at http://www.appjolt.com/optout. You will need to provide your mobile device’s IMEI, MEID, and/or ESN. The IMEI/MEID is a number, usually unique, to identify GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones. This allows us to identify your device and ensure your device will be opted out from our Service. To locate your IMEI/MEID/ESN, on your device, go to Menu > Settings > About Phone > Status > IMEI/MEID/ESN (menu titles may differ between devices).

TO OPT-OUT OF RECEIVING ALL ADVERTISEMENTS AND QUESTIONNAIRES FROM APPJOLT, INCLUDING ALL IN-APP ADVERTISEMENTS AND SURVEY QUESTIONNAIRES WHEN UNINSTALLING AND UPDATING APPLICATIONS ON YOUR DEVICE, YOU MUST MANUALLY DELETE ALL EXISTING AFFILIATED APPLICATIONS ON YOUR DEVICE THAT UTILIZE OUR SERVICE.

Aha, to opt out of privacy-invasive spyware collecting my private data, I have to hand over even more personally identifiable information, namely the IMEI, a permanent hardware identifier of my phone. We are back in deeply dodgy territory.

Cancellation of Information Collection.

TO COMPLETELY DISABLE APPJOLT’S COLLECTION AND USE OF ANY PERSONAL INFORMATION, YOU MUST UNINSTALL ALL AFFILIATED APPLICATIONS ON YOUR DEVICE. HOWEVER, DELETING THE SAID APPLICATIONS WILL ONLY TAKE EFFECT FOR PURPOSES OF TRANSACTING FUTURE BUSINESS. SUCH ACTION WILL ALSO NOT BE IN EFFECT WITH RESPECT TO DELETION OF PERSONAL INFORMATION ALREADY COLLECTED AS PART OF OUR SERVICE, AND APPJOLT WILL BE ABLE TO CONTINUE AND MAKE USE OF SUCH INFORMATION IN ACCORDANCE WITH THIS PRIVACY POLICY, AS AMENDED FROM TIME TO TIME. IF YOU WISH TO HAVE ANY PRIOR COLLECTED PERSONAL INFORMATION REMOVED FROM OUR DATABASE, PLEASE CONTACT US AT WWW.APPJOLT.COM. PLEASE NOTE, HOWEVER, THAT AS DESCRIBED HEREIN, CERTAIN RESIDUALS OF THE PERSONAL INFORMATION MIGHT BE INCORPORATED UNDER OTHER CONTENT OR MATERIALS CREATED AND USED BY APPJOLT AND/OR OTHER APPLICABLE THIRD PARTIES (THE “RESIDUALS”), AND DUE TO THE RESIDUALS’ NATURE, THEY COULD NOT BE IDENTIFIED IN ORDER TO BE REMOVED, NOR CAN APPJOLT PREVENT THE USE OF SUCH RESIDUALS. MOREOVER, WE RESERVE THE RIGHT TO KEEP CERTAIN RECORDS FOR MONITORING, REGULATORY, LITIGATION AND/OR ENFORCEMENT PURPOSES. PLEASE NOTE THAT IF YOU EVER INSTALL ANOTHER AFFILIATED APPLICATION THAT UTILIZES OUR SERVICE IN THE FUTURE, APPJOLT WILL SUBSEQUENTLY BE ABLE TO COLLECT AND USE YOUR PERSONAL INFORMATION AS DESCRIBED IN THIS PRIVACY POLICY.

And it gets even better. At this point, please reconsider the introductory clause “By clicking the “OK” or “ACCEPT” button when first prompted after the installation of the mobile application”. So, what appjolt.com is telling us is that opting out is possible for future communication by uninstalling the carrying app (the malware host), but that everything they get from that install / cringe at the atrocious spyware policy / uninstall cycle (which can be a whole lot, considering app permissions) is irrevocably theirs. Can that actually be legal in any legal system on this planet? I am not a lawyer, but this is so unethical it is nearly unbelievable.

To be very clear on this point:

  1. Users will not know that appjolt.com spyware is bundled with an app from the description in the Google Play Store. That is, end users (i.e. everybody who does not out of habit decompile and analyze the code of all APKs before installing them) have no way of avoiding its installation.
  2. Upon installation, appjolt.com will piggyback on any permissions an app may need for its normal operation, in addition to the usual spyware stuff, and collect a scary amount of data that allows for extremely detailed profiling of even past actions with the device (think of browser history, among others, here).
  3. Then, at some point during the first start of the app, the user may get presented with a link to the privacy policy (but this is up to the app developer as I understand it, and it is not in the app developer’s best interests to show a lot of legalese during the first start…).
  4. If users are now shocked (if they read the policy, that is) and uninstall that app, then the uninstalling will trigger all spyware data collection and send everything off to appjolt.com.
  5. appjolt.com wants to keep everything they collected up to this point.

You might want to evaluate this approach before a European court of justice. Good luck.
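Point 1 above says that only somebody who decompiles APKs before installing them stands a chance of spotting a bundled SDK. A much cheaper first check is a string scan over the parts of an APK that usually betray a bundled library (the DEX string table, native libraries, and plain-text assets). The following script is an added example, not code from this post or from appjolt.com. The only marker taken from the page is the domain appjolt.com; the SDK’s Java package name is not known, so the second marker (`Lcom/appjolt/`) is a hypothetical class-descriptor prefix included only to show how a package-name check would look. The sample APKs are constructed in memory and are not real apps.

```python
import io
import re
import zipfile

# Markers to look for. "appjolt.com" is the domain named on the page; the
# package prefix is an ASSUMPTION (DEX class descriptors look like
# "Lcom/vendor/sdk/Foo;"), included only to show the shape of such a check.
MARKERS = {
    "appjolt.com": re.compile(rb"appjolt\.com", re.IGNORECASE),
    "Lcom/appjolt/": re.compile(rb"Lcom/appjolt/"),  # hypothetical
}


def _interesting(name: str) -> bool:
    """APK members worth scanning: DEX bytecode (its string table holds class
    names and URLs), native libraries, and plain-text assets/raw resources."""
    return (name.endswith(".dex") or name.endswith(".so")
            or name.startswith("assets/") or name.startswith("res/raw/"))


def _views(data: bytes):
    """Yield the raw bytes and a UTF-16LE-decoded view re-encoded as UTF-8,
    so an ASCII marker stored with interleaved NUL bytes is not missed."""
    yield data
    yield data.decode("utf-16-le", errors="ignore").encode("utf-8", errors="ignore")


def scan_apk(apk_bytes: bytes, markers=MARKERS) -> dict:
    """Return {marker label: sorted list of APK members containing it}."""
    hits = {label: set() for label in markers}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for info in z.infolist():
            if info.is_dir() or not _interesting(info.filename):
                continue
            data = z.read(info.filename)
            for label, rx in markers.items():
                if any(rx.search(view) for view in _views(data)):
                    hits[label].add(info.filename)
    return {label: sorted(members) for label, members in hits.items()}


def scan_apk_file(path: str) -> dict:
    """Scan an APK on disk (an APK is a zip archive)."""
    with open(path, "rb") as f:
        return scan_apk(f.read())


def bundles_appjolt(apk_bytes: bytes) -> bool:
    """True if any marker was found anywhere in the archive."""
    return any(members for members in scan_apk(apk_bytes).values())


def build_sample_apk(with_sdk: bool) -> bytes:
    """Construct a minimal APK-like zip for the demo. This is NOT a real app:
    the 'DEX' is just a magic header followed by NUL-terminated strings, the
    way entries appear in a real DEX string_data section."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        dex = b"dex\n035\x00" + b"\x00" * 24
        dex += b"Lcom/example/ipv6config/MainActivity;\x00"
        if with_sdk:
            dex += b"Lcom/appjolt/sdk/Tracker;\x00"   # hypothetical class name
            dex += b"https://www.appjolt.com/\x00"    # domain from the page
        z.writestr("classes.dex", dex)
        z.writestr("assets/settings.json", b'{"ads": false}')
        z.writestr("res/layout/main.xml", "<x/>".encode("utf-16-le"))  # not scanned
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"with_sdk={flag}: {scan_apk(build_sample_apk(flag))}")
```

A string match is a heuristic in both directions: a hostname assembled at run time or a renamed package defeats it (although obfuscators typically rename classes, not string literals such as hostnames), and a match only proves the name occurs somewhere in the archive, not that the code runs. For a real verdict, decompile the APK (e.g. with apktool or jadx) or watch the device’s network traffic during an uninstall.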

9. Security

The security of your information is important to us. We follow generally accepted industry standards to protect the solicited information submitted to us, both during transmission and once we receive it. However, no method of electronic transmission or method of electronic storage is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security, and therefore you transmit information to us at your own risk. Once we receive your transmission, we make reasonable efforts to ensure its security on our systems. Access to Personal information is strictly limited, and not accessible to the public. All of our users’ Personal Information is restricted and used only in accordance with this Privacy Policy.

Well, at least they are fairly honest here. As long as it is not too costly for appjolt.com, they will try to reasonably protect the data from other parties who don’t pay enough to access it (see next part). You don’t know about it until you are shocked enough to uninstall it, but you transmit data at your own risk. Fair enough.

12. Contacting Us About Privacy Questions or Concerns

If you have any questions regarding our Privacy Policy, or in the event that you wish to verify which of your Personal Information we have collected, please contact us at

No, I didn’t cut anything here. There really is no further information after that “at”. They really, really don’t want you to ask them about your own personal information or their privacy policy. This is why I was forced to write my response publicly and assume that they accept it, because it is published on my webpage and we are in communication (or something along those lines…).

Summary

appjolt.com is clearly spyware (malware), close to the worst kind (it can always go further, so I am not calling it the worst yet).

Summary for end users: don’t install any app bundling appjolt.com malware (unfortunately, it’s probably not generally possible to know which apps do so…).

Summary for app developers: never include appjolt.com libraries/SDKs with your apps if you want to retain any credibility.

Summary for appjolt.com: Thank you very much for your email and kind offer, which I have reviewed in detail. I am terribly sorry to inform you that I will not be requiring your services. However, please do not hesitate to never contact me again in the future.

René Mayrhofer
Professor of Networks and Security & Director of Engineering at Android Platform Security; pacifist, privacy fan, recovering hypocrite; generally here to question and learn