Note: This blog has been updated with information reflecting new activity; please scroll down to the end to see the latest developments.
It's been a few months since we released our report on appspam and messaging apps, making people aware of the issue of appspam and aggressive 'growth hacking'. This is essentially the behaviour of certain apps that, when installed, send app invites (or 'appspam') to contacts in your address book, with varying degrees of ability for the person installing the app to prevent or control this. After issuing the report we saw a change for the better, and a few weeks later we reported a 25-35% drop in app spam invites. A key factor that also occurred around this period is that Google changed its Android Developer Policy, which seems to have helped address this problem.
This was encouraging, but we feel that it didn't go far enough. Below we have plotted a representative sample of the number of app spam invites in North America around that period. You can see that Glide's invite volume did drop initially, but Glide still generated far and away the largest number of app spam invites, and as other apps dropped further, Glide actually generated a higher proportion of invites than ever before. In addition, Glide's invite volume started to increase again towards the end of the period, whereas Tango's invite volume has been steadily dropping since the start of AdaptiveMobile's advisory period, as they made changes to ensure they generated fewer complaints. Finally, 'Others' includes all other apps; this stays roughly constant, as even though some apps heeded our advice, new ones arose. 'Others' also includes a number of apps that in our opinion are doing growth hacking via invites responsibly, so we did not expect them to change their behaviour.
After this period, the subsequent response by Glide in recent months has been most interesting. 2 months after our report, on the 14th of June, the default Glide invite text, which had previously read like the following:
Seen Glide? http://i.glide.me/join
Tried video texting? http://i.glide.me/join
started to change. First, the text was made even vaguer, removing any reference to what the app actually does (it's a video texting app). An example is:
Seen this? http://i.glide.me/join
And then, on June the 16th, Glide started using short urls from bit.ly to point to glide.me, rather than using the glide.me url itself:
Check it out! http://bit.ly/1kFJMTB
Check out this app! http://bit.ly/1nVjxKE
Come online! http://bit.ly/1k2VGYr
Did you see this? http://bit.ly/1mABehm
Don't miss this! http://bit.ly/1qajgYU
Before we cover the problems with this, it's interesting to look at the nature of the links. These urls redirect to links like http://i.glide.me/join/1404103250468, where the 13 digit identifier is used to track the number of clicks via each link. The generated bit.ly links are reused amongst multiple Glide invite senders but normally only sent within a short time period (around a day), as new bit.lys are generated very frequently every day - in fact a new one is generated at least every 10 minutes, as can be seen in their bit.ly stats. In total we monitored dozens of different short text strings being used by the app to advertise itself, all using many thousands of newly generated bit.ly links - according to the bit.ly supplied stats alone, at least 10k links have been generated since Glide opened an account on July 14th. It's probable that before this date links were registered on an ad-hoc basis.
Returning to the question of why this happened: the very fact that Glide took this approach, making the text more vague and obfuscating the url, is concerning. We see this type of messaging behaviour often with malicious spammers, who are trying both to convince the user to install the app using social engineering and to avoid any detection in place. It is clearly not a good sign when app developers start copying the techniques of spammers. It's notable that Glide have also added an unsubscribe feature to their website. This was added some time after June 25th, and accomplished by adding a single, one-line link to the original statement in the FAQ that said:
How the unsubscribe feature works is that users sign up with their phone number so that they will no longer receive Glide invites. However, this feature is fundamentally flawed due to the logic behind it: in effect, Glide are assuming that everybody is signed up unless they indicate otherwise. Best-practice commercial advertising techniques are normally the opposite; imagine if every advertising company assumed that just because your phone number was in somebody's mobile you were fair game for advertising, until you indicated otherwise for each and every company.
Since we issued the report, we have been working with our mobile operator customers and industry organisations to both generate awareness and effect change in these apps. Other mobile security companies have now recognised the problem and begun reporting it, while most notably it seems that Bit.ly themselves have also reacted. We have observed that recently Bit.ly has begun flagging all bit.lys that redirect to the i.glide.me/join/link-id format as potentially having a problem, with a warning screen like the one below. Generally these warning screens are issued for a link to a landing page that has been shortened multiple times, or because the link has potentially malicious content, both generally a sign of issues in what is being sent.
However, this is an ongoing story. To get around the bit.ly warning, since yesterday (4th September 2014) at roughly 2pm UTC, Glide have reacted by changing the bit.lys generated and used in the app spam so that they now point first to an http://vidtext.me/join/link-id intermediate page, which then redirects to www.glide.me only. As this essentially repeats the same problem (multiple bit.lys pointing to the same end point), it's possible it will meet with the same reaction from bit.ly. We will continue monitoring, and we can expect further developments in this area as attention increases.
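To make the link behaviour described above concrete, here is an added example (not AdaptiveMobile's or Glide's code, and not the tooling behind the figures in this post) of how an operator-side filter could cluster invite messages by where their short links actually land. It assumes a static redirect table standing in for live HEAD requests, constructed short codes rather than the real bit.ly links quoted earlier, and a handful of constructed SMS texts modelled on the invite strings shown above. It covers both the rotating bit.ly links that all converge on i.glide.me/join/<id> and the later bit.ly to vidtext.me to www.glide.me chain, and it stops on redirect loops so a hostile chain cannot hang the resolver.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed redirect table standing in for live lookups. A real tool would
# issue a HEAD request per hop and read the Location header; here the table is
# static so the example runs offline. The bit.ly codes below are made up.
REDIRECTS = {
    "http://bit.ly/c0nst1": "http://i.glide.me/join/1404103250468",
    "http://bit.ly/c0nst2": "http://i.glide.me/join/1404103850921",
    "http://bit.ly/c0nst4": "http://i.glide.me/join/1404104450777",
    # later pattern: short link -> intermediate page -> glide.me
    "http://bit.ly/c0nst3": "http://vidtext.me/join/1409839200123",
    "http://vidtext.me/join/1409839200123": "http://www.glide.me/",
    # a benign shortened link and a self-loop, to exercise the edge cases
    "http://bit.ly/news1": "http://example.org/story/42",
    "http://bit.ly/l00p": "http://bit.ly/l00p",
}

SHORTENER_HOSTS = {"bit.ly", "j.mp", "goo.gl", "tinyurl.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
# the 13-digit per-link click-tracking id seen on i.glide.me/join/<id>
TRACKING_ID_RE = re.compile(r"/\d{13}$")


def resolve_chain(url, redirects=REDIRECTS, max_hops=5):
    """Follow redirects and return every URL visited, starting with the input.
    Stops on a loop or after max_hops so a hostile chain cannot run forever."""
    chain = [url]
    while url in redirects and len(chain) - 1 < max_hops:
        url = redirects[url]
        if url in chain:
            break
        chain.append(url)
    return chain


def landing_pattern(url):
    """Collapse the per-link tracking id so every invite link maps to one key,
    e.g. http://i.glide.me/join/1404103250468 -> i.glide.me/join/<id>."""
    parts = urlsplit(url)
    return f"{parts.hostname}{TRACKING_ID_RE.sub('/<id>', parts.path)}"


def extract_urls(text):
    return URL_RE.findall(text)


def analyze_messages(messages, redirects=REDIRECTS, min_distinct_shortlinks=3):
    """messages: iterable of (sender, text) pairs.
    Returns (per_landing, flagged, chained):
      per_landing - landing pattern -> set of distinct short links that led there
      flagged     - landing patterns reached via >= min_distinct_shortlinks
                    different short links (the rotating-bit.ly pattern)
      chained     - short links that pass through an intermediate redirector
                    before the final page (the vidtext.me pattern)"""
    per_landing = defaultdict(set)
    chained = set()
    for _sender, text in messages:
        for url in extract_urls(text):
            if urlsplit(url).hostname not in SHORTENER_HOSTS:
                continue  # only shortened links are opaque enough to need resolving
            chain = resolve_chain(url, redirects)
            if len(chain) < 2:
                continue  # unresolvable or immediately looping short link
            per_landing[landing_pattern(chain[-1])].add(url)
            if len(chain) >= 3:
                chained.add(url)
    flagged = {k for k, v in per_landing.items() if len(v) >= min_distinct_shortlinks}
    return dict(per_landing), flagged, chained


# Constructed sample traffic, modelled on the invite texts quoted in the post.
SAMPLE_MESSAGES = [
    ("+15550000001", "Check it out! http://bit.ly/c0nst1"),
    ("+15550000002", "Did you see this? http://bit.ly/c0nst2"),
    ("+15550000003", "Check it out! http://bit.ly/c0nst1"),  # same link, other sender
    ("+15550000004", "Don't miss this! http://bit.ly/c0nst4"),
    ("+15550000005", "Come online! http://bit.ly/c0nst3"),
    ("+15550000006", "Worth a read: http://bit.ly/news1"),
    ("+15550000007", "Broken: http://bit.ly/l00p"),
    ("+15550000008", "Plain link http://www.example.org/plain"),
]

if __name__ == "__main__":
    per_landing, flagged, chained = analyze_messages(SAMPLE_MESSAGES)
    for landing, links in sorted(per_landing.items()):
        mark = "FLAG" if landing in flagged else "ok  "
        print(f"{mark} {landing}: {len(links)} distinct short link(s)")
    print("chained through an intermediate redirector:", sorted(chained))
```

The key design choice is to normalise the final landing URL before counting: without stripping the 13 digit tracking id, every invite link would look like a different destination and the convergence would be invisible. The threshold of three distinct short links is deliberately low for the sample; on real operator volumes it would be tuned against the daily rotation rate described above.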
We believe the path for Glide is clear: they need to change their UI design, as per the recommendations in our report, to avoid guiding users to spam all contacts on installation. The recommended guidelines are repeated below:
- Make it easy for a user not to invite all contacts
- Not ask on start up or activity to invite all contacts
- Not give an “invite all” option
- Not pre-select all contacts to be invited in an invite screen
- Allow the user to edit the invite text
- Not make inviting others via SMS invites part of an incentive system
As explained in the report, these guidelines are derived from the well-behaved apps that generate minimal complaints despite their large user bases. It goes without saying also that having a clear description of what is being advertised (i.e. the name of the app) is an essential part of that.
Update 8th Sep: Bitly have flagged as suspicious Glide-generated bit.lys that point to vidtext.me. Glide are now generating bit.lys that point to vdotxt.com.
Update 9th Sep: Bitly have again flagged as suspicious bit.lys that point to vdotxt.com. It seems that Glide have since stopped using short urls and are now using vdotxt.com/join.