Running Fred is pretty scary. It's a game that takes place in an old castle, where devilish fiends chase innocent kids with sharp objects. But that's not the worst thing you can say about it.
The Federal Trade Commission (FTC) says Running Fred, which is a Google Chrome browser extension that runs on Android phones, has been running wild, taking over consumers' phones and installing other apps that cause all kinds of problems. The trouble began when a company called Vulcun bought Running Fred.
“After Vulcun acquired the Running Fred game, they used it to install a different app, commandeer people’s computers, and bombard them with ads,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection.
But it's now "game over." Vulcun has agreed to corral Running Fred and stop installing the rogue apps on users' phones.
In its complaint, the FTC alleges that Vulcun and its founders, Ali Moiz and Murtaza Hussein, purchased Running Fred and replaced it with Vulcun’s own extension, which purported to offer users unbiased recommendations of popular Android applications.
What Vulcun’s extension actually did, the FTC charged, was to install apps directly on the Android devices of consumers while bypassing the permissions process in the Android operating system.
The extension caused a number of consumers to complain to Google, the owner of both Chrome and Android, according to the FTC. Some complained that the browser extension was opening multiple tabs and windows on their browser and advertising various apps. Others complained about the installation of apps on their mobile device without their permission, noting that the apps would reinstall themselves even when deleted.
The FTC’s complaint charges that Vulcun’s actions unfairly put consumers’ privacy at risk. By bypassing the permissions process in the Android operating system, the apps placed on consumers’ mobile devices also could have easily accessed users’ address books, photos, location, and device identifiers. Indeed, once installed, the apps could have gained further access to even more sensitive data by using their own malicious code, according to the complaint.
In addition, the complaint alleges that Vulcun misled consumers by saying that their extensions, including Weekly Android Apps and another called Apps By Cindy, provided independent and impartial selections of apps, as well as misrepresenting third-party endorsements received by the extensions.
Under the terms of the settlement, the defendants will be required to tell consumers about the types of information a product or service will access and how it will be used, display any built-in permissions notice associated with installing a product or service, and get users express affirmative consent before the installation or material change of a product or service.