FTC Says Company Used 'Running Fred' to Bait-and-Switch a Spammy Chrome App

UPDATE Feb. 2, 2016: Vulcun disputes the version of events as set out in the Federal Trade Commission complaint. The company’s response can be read in full here.

The Federal Trade Commission has settled a complaint against a tech company for allegedly uploading Android apps to people’s phones without their consent.

The company, called Vulcun, was run by Ali Moiz and Murtaza Hussain. They purchased the popular game Running Fred, which had been downloaded as a Chrome extension by 200,000 people, according to the FTC complaint. Then they replaced the game entirely on people’s browsers with their own extension, called Weekly Android Apps, without their consent or notification.

Through this new extension, they were able to bombard consumers with ads and install applications to their Android phones without receiving the proper permissions. The FTC complaint charged, in part:

“Because the Weekly Android Apps hid and accepted the default Android permissions request, these mobile apps could have gained immediate access to the user’s address book, photos, location, and persistent device identifiers. In addition, once installed, the apps could have gained access to other information, including financial and health information, by executing additional malicious code on the consumer’s mobile device.”

The consumer’s browser experience was also disrupted: “Weekly Android Apps opened additional windows and also reset the user’s home page for their browsers. Desktop-computer users saw new tabs or windows open repeatedly. When users closed the new windows, others would pop up.”

Since Weekly Android Apps effectively replaced Running Fred, the app appeared to be more reputable and popular than it actually was. In the Chrome Web Store, the app appeared to have more than 200,000 downloads and an average user rating of 4.5 out of 5 stars. The company further misled users by falsely claiming that Weekly Android Apps had been featured on prominent tech sites, such as MacRumors, Engadget, and Lifehacker, the complaint alleges.

And the punishment for these crimes against the internet? The orders in the settlement basically add up “don’t do it again,” and “we’ll be watching you.”

Although the agreement found that the respondents violated the provisions of the Federal Trade Commission Act, it didn’t require that they admit formally to any of the allegations described in the complaint.