On June 29, the FTC and New Jersey Attorney General announced the filing of a joint complaint, and proposed, stipulated settlement, against an Ohio-based app developer, Equiliv Investments LLC and an individual officer of the company. The federal and state enforcement agencies alleged that Equiliv marketed a free app that users believed would let them earn rewards points for playing games or downloading affiliated apps. The agencies alleged that Equiliv explicitly represented the app was free of malware when in fact the app’s main purpose was actually to load malicious software on the users’ phone to mine virtual currency. Allegedly, the app took control of the devices’ computing resources and degraded the phones’ performance by draining battery life and data plans, and causing the devices to charge slowly. The malware was alleged to pool the computing resources of consumers’ mobile devices to benefit the company’s effort to generate virtual currencies through a peer-to-peer network to compete with other devices in solving complex mathematical equations – a process known as “mining.”
The complaint cites both the FTC Act and the New Jersey Consumer Fraud Act in each of the two counts in the complaint, one alleging deception (FTC) and misrepresentation (New Jersey), and the other alleging unfairness (FTC) and unconscionable commercial practice (New Jersey). The FTC described the case as part of its ongoing work to protect consumers using new and emerging financial technology, known as FinTech.
The settlement, which has been submitted to the court for approval, involved injunctive relief and a $50,000 monetary judgment payable to New Jersey (with $44,800 suspended). The injunctive relief included standard provisions enjoining misrepresentations, as well as the following prohibitions regarding misuse of consumer computer resources that may be of general interest:
Defendants … are enjoined from … engaging in or participating in the marketing, distributing, offering for sale, sale, or installation of any mobile apps or software that uses or interferes with a consumer’s computer or other electronic device without consumers’ express authorization, or for any purpose other than that specifically authorized, including but not limited to software that: A. Damages, disables, or accesses without consumers’ express authorization or in excess of consumers’ authorization, any computer or other electronic device; B. Uses the computing resources of consumers’ computer or other electronic device without consumers’ express authorization or in excess of consumers’ authorization …
The Acting Director of the New Jersey Division of Consumer Affairs, Steve Lee, said,
This is not the first case we’ve seen in which a software developer sought to take over privately owned devices, without the owners’ knowledge or consent, to mine for virtual currency. But this case involved smartphones, rather than computers. This creates a potential for far greater damage, since mobile devices have much more limited processing power and often come with more expensive data plans.
The FTC’s press release, “App Developer Settles FTC and New Jersey Charges It Hijacked Consumers’ Phones to Mine Cryptocurrency; Defendants’ App Installed Malware that Left Phones With Drained Batteries, Depleted Data Plans,” is available here. The New Jersey press release is available here.