Weather-Simple, a weather app once ranked sixth in its category on the Google Play app store in the UK has been sending personal data to servers in China without permission, with infected devices also showing signs of supporting ad fraud, according to researchers from mobile fraud investigators Secure-D, the security arm of the UK’s mobile monetisation company Upstream.
The company also found that the application was pre-installed on certain Android smartphones made by Alcatel, the French brand of Nokia and first noticed the issue after Pixi 4 and A3 Max devices – manufactured under licence by Chinese electronics company TCL Corporation, a manufacturer of Alcatel and Blackberry branded phones – made unusually high numbers of transaction attempts.
When the team tested the application in a secure environment they watched the application reach out to servers that had no connection with the apps main function. Working silently in the background of the mobile device the app would access webpages with digital advertisements. The app would then continuously put in requests to access the adverts and once connected would click the buttons on the digital advertisers pages. All of this was done without the user’s knowledge or consent.
Secure-D became suspicious last July when they noticed a higher than usual number of transaction attempts coming from Alcatel Android smartphones in Brazil and Malaysia.
The research team wrote in a security blog that: “Those suspicious requests were initiated by the same application named com.tct.weather in both Brazil & Malaysia. This com.tct.weather Android application is pre-installed on many Alcatel devices and is also available for download on Google Play.”
When they investigated the permissions in the Google Play version of the application they found that it: “Requires special and high risk permissions.”
On download it requested access to the READ_LOGS which according to the Google Android developers guide gives the application permission to read the low-level system log files of the device, personal information is often contained within these logs. This is not a normal request by an app, much less a simple weather forecast app.
The second permission it requested was SYSTEM_ALERT_WINDOW and WRITE_SETTINGS. Secure-D note that this permission will allow any application to initiate: “System-level interaction with the user and allow an application to read or write the system settings of the phone.”
Normally if an application wants to have either of these permission approved, it must request approval from the user and have the permissions clearly stated within the files manifest. The com.tct.weather application does not ask the user for authorisation for either of these permissions.
Weather-Simple Weather Forecast
The Weather-Simple weather forecast app was pre-installed on a selection of mobile devices made by China-based TCL Communications Technology Holdings for Alcatel.
Along with allowing the above permissions, the pre-installed version also self-approved permission to access ‘BILLING’, this allows an application to use in-app billing.
The pre-installed version of the application used these permissions to attempt purchases from premium digital services.
“In Brazil, 2.5 million transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018. Those 2.5 million transaction attempts to purchase a digital service originated from 128,845 unique mobile phone numbers.”
In an indication of the global scale of the problem 79,940 transaction attempts from Alcatel devices were blocked in Kutwait. While further attempts were blocked in Egypt, Tunisia, South Africa and Nigeria.
The Google Play Store version of the application is no longer available and Google have stated that they do not comment on individual apps in the Play Store.
Alcatel is a French brand of mobile handsets owned by Finnish consumer electronics company Nokia and used under license by Chinese electronics company TCL Corporation. Neither company has responded to request from Computer Business Review for comment.
It is unclear why the instances cited by Secure-D only appeared in certain countries and apparently on hardware with the app pre-installed. Computer Business Review has contacted the company for more details.