A weather app made by TCL, loaded by default on some Alcatel phones and also available in the Play Store, was found by security firm Secure-D to be harvesting users’ personal data and using that data to commit fraudulent financial transactions. Those transactions centered on signing users up for various paid subscription services without their consent. Thus far, the activity seems to have taken place only in smaller markets such as Brazil, Nigeria and Malaysia. While Secure-D managed to catch many of these attempts and the app has been taken down from the Play Store, the estimated cost to users had the attempts all succeeded is around $1.5 million in total. The threat has seemingly been neutralized for now, but owners of Alcatel and BlackBerry phones would do well to disable their stock weather app and use another, and those who downloaded it from the Play Store are urged to uninstall it and use a different app.
Background: The findings began with reports of fraudulent transactions received by Secure-D. These reports seemed to originate largely from Alcatel Pixi 4 and Alcatel Max A3 smartphones in the affected regions. Upon further investigation, Secure-D determined that all of the similar-looking fraudulent transaction requests originated from the same app across devices. The weather app in question requires a number of potentially invasive permissions in order to run, and in particular, it was found to be sending users’ physical locations, IMEI numbers and email addresses to a server in China. While location is par for the course with weather apps, users’ email addresses and device IMEI numbers are not typically useful to the core function of such an app, and thus should raise alarm bells with security-conscious users.

Secure-D investigated the matter by obtaining a number of allegedly affected devices and operating them in a monitored environment. The devices showed the noticeable lag that users had reported, and as soon as they began operating, they started sending data and requests to servers in China that were seemingly unrelated to the app’s advertised weather function. The app was also found to be committing ad fraud, which ate up users’ data allotments and degraded device and network speeds, by making large numbers of web requests to advertisers and sending clicks. These clicks often resulted in the purchase of paid subscriptions, either using billing information stored on the device or by charging subscriptions to the user’s carrier bill.
Impact: The app’s Play Store rating, 4.4 stars as of this writing, may also be fraudulent. Many of the five-star ratings for the app consisted of only one or two words, and they were found to be drowning out a good number of one- and two-star reviews that point out some of the problems users face with the app, such as slowed-down devices or far more mobile data use than a weather app has any business consuming. While no outside investigations, criminal or otherwise, have been announced at this time, this development could have far-reaching implications. For starters, TCL manufactures Alcatel phones on license from Nokia, and also manufactures BlackBerry devices with the blessing of the company that once did so, back when the brand was in its heyday. No such activity has been detected in any other apps associated with TCL, Alcatel or BlackBerry as of this writing, though caution should be taken with any apps made by TCL. In fact, it’s good practice to take a close look at all of the permissions for any app you install. A link to the app in the Play Store is provided below for reference. For obvious reasons, Android Headlines does not recommend installing the app.
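The two points above (a weather app that requests permissions giving it access to IMEI numbers and account email addresses, and the advice to review permissions before installing) can be turned into a quick, repeatable check. The script below is an added example, not code from Secure-D, TCL or Android Headlines: it parses the "requested permissions:" block in the layout produced by `adb shell dumpsys package <package>`, compares it against a baseline of what a weather app plausibly needs, and flags permissions that expose identifiers or billing capabilities. The dumpsys excerpt and package name `com.example.weather` are constructed; the permission names are real Android identifiers, and the baseline reflects this editor's judgement of what a weather app needs, not anything stated by the app's maker.

```python
"""Audit an Android app's requested permissions against its advertised purpose.

Added example. The dumpsys excerpt below is constructed and the package name is
hypothetical; the permission identifiers are real Android permissions.
"""

# Assumed baseline: what a weather app plausibly needs (network plus location).
WEATHER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Permissions that expose identifiers or carrier-billing capabilities, with the
# reason a reviewer would want to see justified before installing.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE": "device identifiers such as the IMEI (on Android 9 and earlier)",
    "android.permission.GET_ACCOUNTS": "account names, typically the user's email addresses",
    "android.permission.SEND_SMS": "can send SMS, the channel used for carrier-billed subscriptions",
    "android.permission.RECEIVE_SMS": "can read incoming SMS, e.g. carrier confirmation codes",
    "android.permission.READ_SMS": "can read stored SMS, e.g. carrier confirmation codes",
}

# Constructed excerpt in the layout of `adb shell dumpsys package <pkg>`.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.weather] (a1b2c3d):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.ACCESS_NETWORK_STATE
      android.permission.ACCESS_COARSE_LOCATION
      android.permission.ACCESS_FINE_LOCATION
      android.permission.READ_PHONE_STATE
      android.permission.GET_ACCOUNTS
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.ACCESS_NETWORK_STATE: granted=true
"""


def parse_requested_permissions(dumpsys_text: str) -> list[str]:
    """Return the permission names listed under 'requested permissions:'.

    dumpsys indents block contents deeper than the block header, so the block
    ends at the first non-blank line indented no deeper than the header.
    """
    lines = dumpsys_text.splitlines()
    perms: list[str] = []
    for i, line in enumerate(lines):
        if line.strip() != "requested permissions:":
            continue
        header_indent = len(line) - len(line.lstrip())
        for body in lines[i + 1:]:
            if not body.strip():
                break
            if len(body) - len(body.lstrip()) <= header_indent:
                break
            # Some dumpsys versions append ": granted=..." after the name.
            perms.append(body.strip().split(":")[0])
        break
    return perms


def audit_permissions(requested: list[str], baseline: set[str] = WEATHER_BASELINE) -> dict:
    """Split permissions into expected, sensitive (with reason) and unexplained."""
    report: dict = {"expected": [], "sensitive": {}, "unexplained": []}
    for perm in requested:
        if perm in baseline:
            report["expected"].append(perm)
        elif perm in SENSITIVE:
            report["sensitive"][perm] = SENSITIVE[perm]
        else:
            report["unexplained"].append(perm)
    return report


if __name__ == "__main__":
    result = audit_permissions(parse_requested_permissions(SAMPLE_DUMPSYS))
    for perm, reason in result["sensitive"].items():
        print(f"SENSITIVE   {perm}: {reason}")
    for perm in result["unexplained"]:
        print(f"UNEXPLAINED {perm}")
```

Run against a real device, the input would come from `adb shell dumpsys package <package>`; anything landing in the "sensitive" bucket is exactly the kind of permission (IMEI and account access for a weather app) that the article says should raise alarm bells, and the "unexplained" bucket is the list to justify by reading the app's description before deciding to keep it.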