Pre-Installed Android App Impacts Millions with Slew of Malicious Activity

The app was developed by legitimate Chinese manufacturing giant TCL.

A pre-installed Android application on Alcatel smartphones has been found surreptitiously siphoning off geolocation data, email addresses and phone identification numbers and sending the data to a server in China.

Analysts with Upstream’s Secure-D platform said that the app, Weather Forecast—World Weather Accurate Radar, asks for excessive permissions and sets about subscribing unwitting users to premium services for which the victims are billed via their cell carriers. Further, it also carries out ad fraud, visiting websites and clicking on ads – all in the background, unbeknownst to the user.

“All this activity, unintended by the user and non-visible, consumes important amounts of data,” Secure D researchers pointed out in a January posting. “We recorded 50MB to 250MB of data per day being consumed by the application’s unwanted activity.” In places like Brazil, where prepaid phone plans are common and data allowances expensive, this means that users would find their data caps exceeded overnight.

The researchers pointed out that in Brazil, 1GB of data costs the equivalent of 6 hours of minimum-wage work – and that airtime is the only way for many in emerging markets to pay for digital services.

Uncovering the Issue

After observing an abnormally high level of data usage in Brazil and Malaysia (and additional activity in Nigeria, South Africa, Egypt, Kuwait and Tunisia), the researchers reached out to a group of affected users. The victims said they were experiencing unwanted charges as well as seeing overheating (from CPU overuse). The analysts purchased a few phones and investigated further.

“We launched a process to purchase multiple devices from their owners with the purpose of investigating them in our lab,” they added. “One of those – an Alcatel A3 Max – being from a user whose device had initiated more than 500 transaction requests over the months of July and August.”

They found that the activity was coming from an application package called com.tct.weather, which ships with Alcatel models Pixi 4 and A3 Max. The application was also available on Google Play, promising “accurate forecasts and timely local weather alerts,” where it racked up more than 10 million installs (Google has now removed it).

According to the researchers, it turns out that the app was created by the legitimate phone supplier TCL Corp, which is a Chinese manufacturing giant that licenses and produces Alcatel’s phones in Asia. The company has not made a statement on the issue, though a spokesperson told the Wall Street Journal that the company is now “evaluating new security consultants who can provide additional validation of the safety of our mobile applications we develop.”

The company also updated the app in November, after which it stopped the subscription fraud, the WSJ reported.

However, TCL has other weather apps in Google Play, where in the reviews users have complained about it not working correctly.

Scope of the Impact

Overall, whether pre-installed on Alcatel devices or downloaded from Google’s official Play Store, the weather application made more than 27 million observed transaction attempts across seven markets in just a two-month time frame of analysis, the researchers said.

These, which the firm blocked, represent $1.5 million in unwanted charges and data depletion.

In Brazil, nearly 3 million attempts to purchase digital services originated from 128,845 unique mobile phone numbers In Kuwait, there were 78,940 transactions attempts initiated from Alcatel devices.

 

Suggested articles