Open source software is awesome. You have a choice of thousands of free applications, and a choice of how to support their developers. Some ask for a donation, others display an occasional advert, and so on. The important thing is that open source developers receive at least something in exchange for their work.
There are downsides to open source development too. For instance, anyone can take your work, clone it, change a few subtle details, and republish it as their own.
What happens in those instances? Can the original developer protect their work? Will the fraudulent “developer” suffer any consequence?
Google, VLC, and the Copycat
VLC is one of the best media players around. Loved by desktop and mobile users alike, VLC is an open source giant. VLC downloads stand at a phenomenal 2,495,411,000. That’s right: over 2.4 billion downloads.
VideoLAN, the development team behind VLC, recently confirmed that they turned down tens of millions of euros to bundle advertising with their software.
Bundling advertising with an open source app isn't by itself against any free license, and the copyright holder can always license their own code however they choose. But a core ideal of open source is keeping the development direction clear of distraction; for many developers that means steering clear of advertisements that generate profit for other companies. That's not to say there aren't developers who use advertising as an income stream.
VideoLAN, however, has long made it clear that its product will never feature advertising. So imagine their surprise when an ad-supported Android clone that clearly breaks the VLC GPL (General Public License) soared to between five and ten million downloads, generating huge profits for its fraudulent owner in the process.
The app was available on the Google Play Store, but for a lengthy period Google did nothing. This, despite thousands of people reporting the app as a clone and flagging the developer as malicious.
321 Media Player
There were several offending VLC clones, the worst of which was 321 Media Player. Despite being a direct clone featuring ads, the app racked up a 4.5 rating from over 100,000 reviews. A second clone, Indian VLC Player, had more than 500,000 downloads and a similarly high rating (though fewer reviewers).
Quite simply, 321 Media Player took VLC, added a bunch of ads, tried to cover it up by using the Media Player Classic icon (another open source media player, for Windows), and didn't even attempt to credit VideoLAN. Talking to TorrentFreak, VideoLAN President Jean-Baptiste Kempf confirmed the copycat app is in breach of the VLC GPL.
“The Android version of VLC is under the license GPLv3, which requires everything inside the application to be open source and sharing the source,” Kempf says. “This clone seems to use a closed-source advertisement component (are there any that are open source?), which is a clear violation of our copyleft. Moreover, they don’t seem to share the source at all, which is also a violation.”
One of the most surprising things is the sheer number of downloads the copycat app amassed. The Android community usually flags copycat and malicious apps quickly, letting Google know it needs removing. The process appears to have come unstuck in this instance.
Google considered ‘bad apps’ to be ones that install malware on targeted operating systems, steal data, copycat legitimate apps, or contain inappropriate content.
— LIFARS (@LIFARSLLC) February 2, 2018
In fact, VideoLAN filed DMCA complaints "several times," but each time, thanks to the DMCA counter-notice process and Google Play Store policy, the copycat app was reinstated. And 321 Media Player is just the tip of the VLC-copycat iceberg. In a post to the Android subreddit, Jean-Baptiste Kempf lists another 21 ad-supported copycat apps, as well as a paid one. (Since the post was made several of the copycat apps have disappeared, but many more remain.)
It is not a great look for Google and the Google Play Store. Unfortunately, the Google Play Store is rife with copycat apps. On the other hand, Google does recognize it as a significant problem and is working to combat the waves of copycats.
In 2017, Google identified and removed 700,000 policy-violating apps, which it said was 70 percent more than in 2016. Of those 700,000, some 250,000 were direct or slightly modified copycat apps, "using confusable Unicode characters or hiding impersonating app icons in a different locale," or even switching logos. And while the VLC copycat apps merely seek to profit from advertising revenue, copycat apps as a class carry a far greater risk.
There is more at stake than just advertising revenues. A copycat app is an easy vehicle for malicious code. Unsuspecting users download apps without checking the developer's details, whether there are "red flag" reviews, or even whether the download numbers match up. And if a user goes off-piste and uses an unverified third-party store or website, the chances of bumping into a malicious app increase further.
Avoiding Copycat Apps
Google’s Play Protect security suite is making it easier for Android users to spot malicious apps. Openness is part of Android’s allure, but also what makes it an easy target for scammers and malware purveyors. As ESET malware researcher Lukas Stefanko says, “Attackers are constantly trying to penetrate [Google’s] security systems.”
But for the most part, steering clear of malicious apps requires user knowledge and diligence. Double-check user reviews. Cross-reference the number of downloads. Examine the developer profile and check the developer's other apps (for instance, the official Microsoft Corporation developer account features Word, Excel, Outlook, PowerPoint, and so on). Allow Google Play Protect to scan your apps periodically. And remember, if it is too good to be true, it probably is; while some premium apps do occasionally appear for free, all of the above still applies.
Of course, in the case of 321 Media Player, using this list is slightly tricky. At first glance the app has great reviews and a solid number of downloads, and Google allowed the listing to stay on the Play Store. But on closer inspection, the copycat app's negative reviews were mainly alerting unsuspecting users to the problem (whether those users cared, in this specific case, is another matter). With that in mind, vigilance is key.
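The two techniques above, Google's note that impersonators hide behind "confusable Unicode characters" and the manual checklist (developer account, download counts, red-flag reviews), can both be turned into a mechanical screen. The following is an added example written for this article, not code from Google, VideoLAN, or the Play Store; the confusable table is a small hand-picked subset of the Unicode TR39 data, and the listings, developer names and reviews it scans are constructed, not real Play Store data.

```python
import unicodedata

# Hand-picked look-alike letters from Cyrillic and Greek, plus a few Latin
# oddities, mapped to the ASCII letter they resemble. This is a constructed
# subset; a production check would load the full Unicode TR39 confusables file.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j",
    "\u0410": "A", "\u0412": "B", "\u0421": "C", "\u0415": "E", "\u041d": "H",
    "\u041a": "K", "\u041c": "M", "\u041e": "O", "\u0420": "P", "\u0422": "T",
    "\u0425": "X", "\u0406": "I", "\u0391": "A", "\u0392": "B", "\u0395": "E",
    "\u0397": "H", "\u0399": "I", "\u039a": "K", "\u039c": "M", "\u039d": "N",
    "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a5": "Y", "\u03a7": "X",
    "\u03bf": "o", "\u03c1": "p", "\u0131": "i",
}

def skeleton(name: str) -> str:
    """Reduce an app name to a comparable skeleton.

    NFKC folds full-width letters and ligatures, the table folds look-alike
    letters from other scripts, NFD plus dropping combining marks removes
    diacritics, and casefold removes case differences and repeated spaces.
    """
    s = unicodedata.normalize("NFKC", name)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    s = "".join(ch for ch in unicodedata.normalize("NFD", s)
                if not unicodedata.combining(ch))
    return " ".join(s.casefold().split())

def has_confusables(name: str) -> bool:
    """True when the name only resembles its skeleton through script mixing,
    full-width forms or diacritics, i.e. the kind of trick Google describes."""
    return skeleton(name) != " ".join(name.casefold().split())

# Known original app -> developer account that is allowed to publish it.
# Constructed mapping; a real check would key on Play's developer IDs.
KNOWN_ORIGINALS = {"VLC": "VideoLAN"}

CLONE_WORDS = ("clone", "copy", "fake", "rip", "stolen")

def flag_listing(listing: dict) -> list:
    """Return the reasons a listing looks like a copycat, or [] if it passes.

    `listing` has keys name, developer, installs and reviews, where reviews
    is a list of (stars, text) pairs.
    """
    reasons = []
    name_skel = skeleton(listing["name"])
    if has_confusables(listing["name"]):
        reasons.append("name uses confusable or mixed-script characters")
    for original, developer in KNOWN_ORIGINALS.items():
        if skeleton(original) in name_skel and listing["developer"] != developer:
            reasons.append(f"name matches {original} but developer is not {developer}")
    negative = [text for stars, text in listing["reviews"] if stars <= 2]
    hits = [t for t in negative if any(w in t.casefold() for w in CLONE_WORDS)]
    if hits:
        reasons.append(f"{len(hits)} negative review(s) call it a clone or copy")
    if len(listing["reviews"]) > listing["installs"]:
        reasons.append("more reviews than installs")  # numbers do not match up
    return reasons

# Constructed sample listings (not real Play Store data). The second name
# spells VLC with a Cyrillic Es (U+0421) in place of the Latin C.
SAMPLE_LISTINGS = [
    {"name": "VLC for Android", "developer": "VideoLAN", "installs": 100_000_000,
     "reviews": [(5, "Plays everything"), (4, "Good player")]},
    {"name": "VL\u0421 Player", "developer": "Free Apps Ltd", "installs": 500_000,
     "reviews": [(5, "nice"), (1, "this is a fake copy of VLC with ads")]},
    {"name": "321 Media Player", "developer": "Unknown Publisher", "installs": 5_000_000,
     "reviews": [(5, "great"), (5, "works"), (1, "Just VLC with ads, a clone, report it")]},
]

def audit(listings: list) -> dict:
    """Map each listing name to its list of flags."""
    return {item["name"]: flag_listing(item) for item in listings}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_LISTINGS).items():
        print(f"{name!r}: {'OK' if not reasons else '; '.join(reasons)}")
```

Note what the name check can and cannot do: it catches the mixed-script "VLС Player" and any listing that carries the original's name under a different developer account, but a clone such as 321 Media Player that borrows neither the name nor the developer is only caught by the third check, the negative reviews calling it out. That is exactly the situation the article describes, and it is why the checklist has to be applied as a whole rather than stopping at the first reassuring number.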