Malware report for appjolt.com
appjolt.com is seemingly an iOS and Android library/SDK to bundle with other apps. It is a special form of malware typically referred to as spyware, and is even worse than the typical advertiser network libraries that include in-app advertisements during use. Therefore, do not include this library/SDK in your app if you want to retain a decent reputation with users.
How I know about it
As with so many advertiser networks, I was totally unaware of appjolt.com. The reason is simply that I release (nearly) all my software as open source and do not have to make money off it, having a day job in academia. Advertisements are the last thing I would like to add to my software. I only heard of appjolt.com due to an unsolicited commercial email (UCE, also known as SPAM) by their “director of business development”, which I quote here in full to protect the innocent (users) from the guilty (appjolt.com), without reformatting:
Hi Rene Mayrhofer,
Did you know you can finally Make Money when your app Users Uninstall Ipv6Config (Root Required)?
Android Developers like you are already getting **paid the highest eCPMs on their app uninstall traffic.**
We’ve developed a unique solution that lets you earn ad revenue every time a user uninstalls your app.
It’s 100% Google Compliant and will let you instantly earn daily revenues you never thought you could.
We’re so confident that you’ll love our solution, we’ll deposit $50.00 in your account today. Just sign up and start monetizing your app uninstalls. Get started here!
Director of Business Development
<some links to typical social networks removed here so as not to insert advertisement network trackers into my otherwise clean webpage>
P.S. Thank you for your time and interest, if you’d like me to stop contacting you and remove you from my prospect list, please reply with the word “REMOVE”
Now, before going into appjolt.com, let me point out what is wrong with this email:
- It is SPAM. I never had any previous contact with this company, nor have I indicated that I would like to know of their product. And no, my email address is not on any opt-into-commercial-email lists. Therefore, this email is unsolicited (this term will be important later on).
- They assume that, when users are not happy with my app, I want to shove other apps down their throats. Ok, I know my app is not perfect and that it needs more time to work on than I currently can spare. It is OK if some users don’t like it, grow tired of any potential problems, or no longer need it. It is OK if they uninstall it. That process should then be as painless as possible. Making users click through surveys and “Oh, we have this special offer just for you, my friend” come-back messages is something I loathe. It is the main reason why I uninstalled some free Windows anti-virus applications. Getting rid of something should not cause additional pain.
- Did you even check the spelling of the introductory sentence before getting your bot to fire off the email to data leeched from the Google Play Store? Why would you put “(Root Required)” in that question? Do I need root to make money with your dodgy scheme?
[Yes, I am being cynical here, but as should be clear to anybody actually using Android apps, the best way not to confuse users is to put the requirement for root in the app title. This does not mean that it is part of the name of the app.]
- The most glaring problem: if you actually bothered to check the description of IPv6Config either on Google Play Store or my webpage, you might realize that it is intended as a tool to improve end user privacy against tracking by network services. With an open-source privacy-enabling tool offered completely for free, why do you think I would like to add spyware to it?
The only conclusion is that appjolt.com crawls the Google Play Store and sends bulk email to anybody who might not complain too loudly, without ever checking if it might actually fit the app intention or not. Please take this blog entry as a loud complaint against such practice.
[Bold highlights are mine, but the text is copied verbatim as of the time of this writing.]
appjolt.com is spyware = malware
Erm, no, not acceptable. By verifying these policies after installing an app that bundles appjolt.com, the malware has already been installed. Running and uninstalling the app will trigger the spyware and already send all personally identifiable data to their servers. And it even gets worse in clause 5 below.
3. Information We Collect From You When you install an Affiliated Application on your device that uses our Service, we may automatically collect certain information from your device, including an Android or other ID, device make and model, mobile web browser type and version, IP address, MAC address, the device’s operating system’s make and version, locale information, MCC (Mobile Country Code) information, the mobile application name, a list of mobile applications installed on your device and other technical data about your device.
Ok, this is pretty standard spyware stuff. Nothing especially noteworthy here - they just collect all the standard personal identifier information to track users throughout app use, web pages, etc. It gives them all IDs they might need to connect profiles from different sources. Bad, but not a lot worse than most advertisement libraries bundled with many Android apps at the moment (which are pretty bad in themselves, but at least appjolt.com does not stand out here).
When you install an Affiliated Application, you may also grant the mobile application permission to collect certain types of information via a permission screen consent process. We do not control the permission screen consent process – it is typically run by your mobile operating system (e.g., Android or Apple iOS); HOWEVER, ONCE SUCH PERMISSION IS GRANTED BY YOU ON AN OPT-IN BASIS, WE MAY COLLECT SOME, BUT NOT ALL, OF THE INFORMATION THAT A MOBILE APPLICATION COLLECTS IN ACCORDANCE WITH THE PERMISSIONS YOU GRANT. FOR EXAMPLE, IN ACCORDANCE WITH YOUR PERMISSION TO THE AFFILIATED APPLCIATION, WE MAY COLLECT PRECISE GEOLOCATION, BROWSER HISTORY, COUNTRY, ZIP CODE AND DEVICE IDS (INCLUDING IMEI, DEVICE SERIAL NUMBER AND MAC ADDRESS) AND/OR ANY OTHER PERSONAL OR IDENTIFIABLE INFORMATION (THE “PERSONAL INFORMATION”).
Ah, now we are back in more-evil-than-usual business. They piggy-back on all permissions an application may need, and the clause is so vague that it can include everything, from message contents to pictures, calendar or contacts data, etc. Precise geolocation seems the most tame of those. Even browser history makes me shudder.
Sweepstakes. If you win one of our Sweepstakes, you will be required to provide your first name, last name and mailing address. We may also ask you to provide the following additional personal information (please see the Appjolt Official Sweepstakes Rules for additional details) (i) Social Security Number (depending on the amount or value of your prize); and (ii) a copy of a government issued photo identification. If you win one of our Sweepstakes, we may also require that you complete and submit a release, which allows us to identify you as a winner on Appjolt’s website(s) and in other promotional materials and/or media. For such purpose, we may also ask you for a quote and a photograph. You are not committed to provide Appjolt with the said content; however, lack of full compliance with Appjolt’s request may prevent you from receiving your prize.
Yes, the wet dreams of organized crime, blackmailers, and professional identity thieves. And of advertisers, profilers, and insurance companies. And you may get a “sweepstake” for it (e.g. a 25$ Google Play Store card…). Sounds like a good deal.
4. How We Use Information .... cut the smoke mirrors .... Legal Disclaimer. Notwithstanding anything to the contrary, we reserve the right to share any information, including Personal Information (a) as required by law and/or to comply with a judicial proceeding, court order or legal process served on Appjolt; (b) when we believe that disclosure is necessary to protect our rights;
So they first talk about how they don’t use “personal information” (omitted above because it is made irrelevant), unless they believe that they need to protect their rights (most probably their perceived right to make more money). Sounds fair.
5. Opting Out Service. You may opt-out of receiving questionnaires when uninstalling and updating applications on your device, each time that a questionnaire is opened by our Service and/or through our opt-out web form located at http://www.appjolt.com/optout. You will need to provide your mobile device’s IMEI, MEID, and/or ESN. The IMEI/MEID is a number, usually unique, to identify GSM, WCDMA, and iDEN mobile phones, as well as some satellite phones. This allows us to identify your device and ensure your device will be opted out from our Service. To locate your IMEI/MEID/ESN, on your device, go to Menu > Settings > About Phone > Status > IMEI/MEID/ESN (menu titles may differ between devices). TO OPT-OUT OF RECEIVING ALL ADVERTISEMENTS AND QUESTIONNAIRES FROM APPJOLT, INCLUDING ALL IN-APP ADVERTISEMENTS AND SURVEY QUESTIONNAIRES WHEN UNINSTALLING AND UPDATING APPLICATIONS ON YOUR DEVICE, YOU MUST MANUALLY DELETE ALL EXISTING AFFILIATED APPLICATIONS ON YOUR DEVICE THAT UTILIZE OUR SERVICE.
Aha, to opt out of privacy-invasive spyware collecting my private data, I have to hand over personally identifiable information. We are back into deeply dodgy territory.
And it gets even better. At this time, please reconsider the introductory clause “By clicking the “OK” or “ACCEPT” button when first prompted after the installation of the mobile application”. So, what appjolt.com is telling us is that opting out is possible for future communication by uninstalling the carrying app (the malware host), but that everything they get from that install / cringe at atrocious spyware policy / uninstall cycle (which can be a whole lot, considering app permissions) is irrevocably theirs. Can that actually be legal in any law system on this planet? I am not a lawyer, but this is so unethical it is nearly unbelievable.
To be very clear on this point:
- Users will not know that appjolt.com spyware is bundled with an app from the description in the Google Play Store. That is, end users (i.e. everybody who does not out of habit decompile and analyze the code of all APKs before they install them) have no chance of avoiding installing it.
- Upon installation, appjolt.com will piggyback on any permissions an app may need for its normal operation to do the usual spyware stuff and collect a scary amount of data that allows for extremely detailed profiling of even past actions with the device (think of browser history, among others, here).
- If users are now shocked (if they read the policy, that is) and uninstall that app, then the uninstalling will trigger all spyware data collection and send everything off to appjolt.com.
- appjolt.com wants to keep everything they collected until this point.
You might want to evaluate this approach before a European court of justice. Good luck.
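For readers who do want to check an APK before installing it, the following is an added example (not part of the original post, and not code from any vendor) that scans an APK's DEX files for class descriptors under a watchlist of SDK package prefixes. The post does not name the SDK's Java package, so `WATCHLIST` holds a hypothetical placeholder and the sample APK is constructed inline.

```python
import io
import re
import zipfile

# Hypothetical package prefix: the post does not give the SDK's real Java
# package, so replace this placeholder with prefixes you have verified.
WATCHLIST = ["com.example.uninstallads"]

# Matches classes.dex, classes2.dex, ... so multidex APKs are covered too.
DEX_NAME = re.compile(r"^classes\d*\.dex$")


def find_bundled_packages(apk_bytes, prefixes=WATCHLIST):
    """Return {prefix: sorted class descriptors found} for the given APK bytes."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if not DEX_NAME.match(name):
                continue
            data = apk.read(name)
            for prefix in prefixes:
                # DEX string tables store type names as descriptors: Lcom/foo/Bar;
                needle = b"L" + prefix.replace(".", "/").encode() + b"/"
                pattern = re.compile(re.escape(needle) + rb"[\w$/]+;")
                found = {m.group().decode() for m in pattern.finditer(data)}
                if found:
                    hits.setdefault(prefix, set()).update(found)
    return {p: sorted(c) for p, c in hits.items()}


def make_sample_apk(descriptors):
    """Constructed stand-in for an APK: a zip whose classes.dex holds these strings."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<constructed/>")
        body = b"\x00".join(d.encode() for d in descriptors)
        z.writestr("classes.dex", b"dex\n035\x00" + body)
    return buf.getvalue()


if __name__ == "__main__":
    sample = make_sample_apk(
        ["Lorg/example/app/Main;", "Lcom/example/uninstallads/Tracker;"]
    )
    for prefix, classes in find_bundled_packages(sample).items():
        print(prefix, "->", classes)
```

A clean result is not proof of absence: a string scan misses packages renamed by an obfuscator and code that is downloaded or loaded at runtime.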
Well, at least they are fairly honest here. As long as it is not too costly for appjolt.com, they will try to reasonably protect the data from other parties who don’t pay enough to access the data (see next part). You don’t know about it until you are shocked enough to uninstall it, but you send data at your own risk. Fair enough.
appjolt.com is clearly spyware (malware) close to the worst kind (it can always go further, so I am not calling it the worst yet).
Summary for end users: don’t install any app bundling appjolt.com malware (unfortunately, it’s probably not generally possible to know which apps do so…).
Summary for app developers: never include appjolt.com libraries/SDKs with your apps if you want to retain any credibility.
Summary for appjolt.com: Thank you very much for your email and kind offer, which I have reviewed in detail. I am terribly sorry to inform you that I will not be requiring your services. However, please do not hesitate to never contact me again in the future.