Open source software is amazing. You have thousands of free apps to choose from, and you get to choose how to support the developers. Some ask for donations, others show ads from time to time, and so on. The important thing is that open source developers get at least something in return for their work.
There are also disadvantages to open source development. For example, anyone can take your work, clone it, change subtle details, and republish it as their own.
What happens in these cases? Can the original developer protect their work? Will the fraudulent “developer” suffer any repercussions?
Google, VLC and Copycat
VLC is one of the best media players in the world. Loved by desktop and mobile users alike, VLC is an open source giant. The number of downloads of VLC is a phenomenal 2,495,411,000. That’s right: over 2.4 billion downloads.
VideoLAN, the development team behind VLC, recently confirmed that they have turned down tens of millions of euros offered to bundle ads with their software.
Advertising in an open source application does not conflict with any free open source license (depending on who owns the copyright). But the core ideal of an open source platform is not to divert attention from the direction of development; for many developers, this means avoiding advertising that profits other companies. This does not mean that there are no developers who use advertising as a source of income.
However, VideoLAN has long made it clear that their product will never contain ads. So imagine their surprise when an ad-supported Android clone that clearly violates VLC's GPL (General Public License) skyrocketed to five to ten million downloads, making huge profits for its fraudulent owner in the process.
The app was available on the Google Play store, but for a long time, Google didn’t do anything. This is despite the fact that thousands of people have reported the apps as clones and flagged the developers as malicious.
321 Media Player
There have been several offending VLC clones, the worst of which was 321 Media Player. Despite being a direct clone with ads, the app had a rating of 4.5 from over 100,000 reviews. The second clone, Indian VLC Player, had over 500,000 downloads and an equally high rating (although there were fewer reviewers).
To put it simply, 321 Media Player took VLC, added a bunch of ads, tried to hide its origin using the icon of Media Player Classic (another open source media player, for Windows), and didn’t even try to credit VideoLAN. Speaking to TorrentFreak, VideoLAN President Jean-Baptiste Kempf confirmed that the copycat application violated VLC's GPL.
“The Android version of VLC is under the GPLv3 license, which requires everything inside the app to be open source and share source,” says Kempf. “This clone appears to be using a closed source ad component (is there any open source?), which is a clear violation of our copyleft. What’s more, it looks like they don’t share the source at all, which is also a violation.”
One of the most amazing things is the huge number of downloads of the copied application. The Android community is usually quick to flag copycat and malicious apps, signaling to Google that they need to be removed. It looks like that process broke down in this case.
In fact, VideoLAN filed DMCA complaints “several times”, but each time, thanks to the DMCA process and Google Play Store policies, the copycat app could be reactivated. But 321 Media Player is just the tip of the VLC-copycat iceberg. In his post on the Android subreddit, Jean-Baptiste Kempf lists 21 more ad-supported app copies, as well as a paid option. (After publication, a few copycat apps disappeared, but many remained.)
It’s not a good look for Google and the Google Play Store. Unfortunately, there are a lot of copycat apps in the Google Play Store. On the other hand, Google recognizes this as a serious problem and is fighting waves of copycats.
In 2016, Google identified and removed 210,000 apps. In 2017, that number was 700,000, up 70 percent. And of those 700,000, about 250,000 were outright or slightly modified copies “using mixed Unicode characters or hiding app icons in a different locale” or even switching logos. And while VLC copycat apps aim to profit from ads, copycat apps are inherently dangerous.
More than just advertising revenue is at stake. A copycat application is an easy vehicle for malicious code. Unsuspecting users download apps without checking the developer details, red flags in the reviews, or even whether the download numbers match. And if the user leaves the Play Store and uses an unverified third-party store or website, the chances of encountering a malicious app are even higher.
Avoid Copycat Apps
The Google Play Protect security suite makes it easier for Android users to detect malicious apps. Openness is part of Android's attraction, but it is also what makes the platform an easy target for scammers and malware vendors. As ESET malware researcher Lukas Stefanko says, “Attackers are constantly trying to break into security systems [Google]”.