FTC: Chrome Extension Installed Smartphone Apps without Permission

FTC: Chrome Extension Installed Smartphone Apps without Permission
Image: Pixabay
February 8, 2016

A tech company agreed to settle Federal Trade Commission (FTC) charges that it replaced a popular web browser game with a program that installed mobile phone applications without permission.

The complaint claims that after Vulcan purchased Running Fred, a Google Chrome browser extension game, it replaced the game with its own extension which supposedly offered users unbiased recommendations of popular Android applications. Instead, the extension installed apps directly on Android devices, while bypassing the permissions process.

Browser extensions are downloadable programs that provide enhancements to a particular web browser.

The extension installed by Vulcun caused a number of consumers to complain to Google, the owner of both Chrome and Android, according to the FTC. Some complained that the browser extension was opening multiple tabs and windows on their browser advertising various apps. Others complained about the installation of apps on their mobile device without their permission, noting that the apps would reinstall themselves even when deleted.

The FTC's complaint charges that Vulcun's actions unfairly put consumers' privacy at risk. By bypassing the permissions process in the Android operating system, the apps placed on consumers' mobile devices also could have easily accessed users' address books, photos, location, and device identifiers. Indeed, once installed, the apps could have gained further access to even more sensitive data by using their own malicious code, according to the complaint.

In addition, the complaint alleges that Vulcun misled consumers by saying that their extensions, including Weekly Android Apps and another called Apps By Cindy, provided independent and impartial selections of apps, as well as misrepresenting third-party endorsements received by the extensions.

Under the terms of the settlement, the company and its owners are required to tell users about the types of information a product or service will access and how it will be used, display any built-in permissions notice, and get users' consent before installing or changing any product or service.

They are also barred from misrepresenting whether their products have been endorsed by a third party and how personal information is collected and used.