Mobile technology company Upstream announced earlier this month that it had detected a suspicious weather forecast application which was pre-installed on Alcatel smartphones.
The company’s security platform, Secure-D, detected suspicious activity initiated by this application across multiple countries – most notably in Brazil and Malaysia, although South Africa was also affected.
The application was named “Weather Forecast – World Weather Accurate Radar” and was pre-installed on Alcatel Pixi 4 and A3 Max devices – in addition to being available for download on the Google Play Store.
The Alcatel smartphone brand is owned by Nokia and the devices in question are built by Chinese manufacturer TCL.
When Secure-D tested the application, it found that the app was collecting and transferring users’ personal data to servers in China.
The information transferred to Chinese servers by the application included the user’s device ID, email address, and location.
In addition to this, the app also attempted ad fraud by loading pages with adverts and clicking on ads in the background.
This meant the app was actively attempting to subscribe users to premium content or WASP services without their consent.
The ad fraud activities were invisible to users, and as the malicious app came pre-installed on certain smartphones it affected a great number of Alcatel Pixi 4 and A3 Max owners.
Secure-D detected and blocked over three million fraudulent transaction attempts generated by the app across Brazil, Malaysia, Nigeria, South Africa, Egypt, Kuwait, and Tunisia.
Despite its malicious behaviour and background data usage, the app ranked among the top five weather apps in 30 countries, including in the UK and United States.
After Upstream released its report, the app was removed from the Google Play Store.
Data and airtime costs
The weather app’s background activity, invisible to users, was reportedly consuming up to 250MB of their mobile data on a daily basis.
This could result in extreme data charges for South Africans, especially if local users did not have an active data bundle.
Considering Vodacom’s out-of-bundle rate of R0.99 per MB, South Africans could be charged up to R250 a day if they had no active data bundle and their device had the malicious app installed.
The app also attempts ad fraud to subscribe users to WASP services, which can result in large amounts of airtime being depleted if successful.
MyBroadband covered similar issues occurring on MTN’s network last year, which saw customers being subscribed to the operator’s WASP services through ad fraud, click-jacking, and MSISDN spoofing.
While South Africans with the Alcatel devices were most likely to be affected, anybody could have downloaded the application from the Google Play Store and fallen victim.
“Overall, whether pre-installed on Alcatel devices or downloaded from Google’s official Play Store, the application com.tct.weather has generated over 27 million transaction attempts across seven markets,” Upstream said.
“Had they not been blocked by Secure-D these transactions would have translated into $1.5 million in unwanted charges to users’ airtime.”
Following questions sent to it, TCL said that its mobile application data is hosted in the United States – and any data sent to Chinese servers was unauthorised.
“Our mobile application data is hosted on AWS servers within the US,” the company said.
“Any data shown to be sent to servers elsewhere would have been unauthorised and our teams are further investigating these claims.”
“We make every effort to keep the personal data of our customers secure and comply with legal requirements.”
TCL added that all of the data collected from end users serves specific purposes relating to its products.
The company said that for the weather app in question, a user’s IMEI was collected to enable them to delete their data stored in the server.
“We no longer collect IMEI info however, and will use the Android ID to allow for data deletion if this is requested,” TCL stated.
“We understand the need to remain vigilant with the security and privacy of our customers, which is why we have removed third-party SDK access from our mobile applications – with the exception of Google and other limited trusted and verified global partners – ensuring there is no fraudulent actions taken by any third-party who might try to use our SDK access in the future,” the company said.
“We have removed our weather app from the Google Play Store while our teams work on further investigating some of the concerns raised and while our partner validation process is also taking place.”
TCL said it would provide an update when the app is available again.