View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
January 10, 2019updated 12 Jul 2022 6:11am

This Popular Weather App Steals Your Data, Perpetuates Ad Fraud

“In Brazil, 2.5 million transaction attempts initiated from this weather application on Alcatel devices were blocked in July and August 2018"

By CBR Staff Writer

Weather-Simple, a weather app once ranked sixth in its category on the Google Play app store in the UK has been sending personal data to servers in China without permission, with infected devices also showing signs of supporting ad fraud, according to researchers from mobile fraud investigators Secure-D, the security arm of the UK’s mobile monetisation company Upstream.

The company also found that the application was pre-installed on certain Android smartphones made by Alcatel, the French brand of Nokia and first noticed the issue after Pixi 4 and A3 Max devices – manufactured under licence by Chinese electronics company TCL Corporation, a manufacturer of Alcatel and Blackberry branded phones – made unusually high numbers of transaction attempts.

The app, since removed, had over 10 million downloads on the Google Play Store. Under Google Play Store, the developer appeared under, while TCL Communication Limited appeared when looking at the privacy policy of the app. Phones with the app installed were found to be suspiciously eating between 50 – 250MB of data on background processes.

When the team tested the application in a secure environment they watched the application reach out to servers that had no connection with the apps main function. Working silently in the background of the mobile device the app would access webpages with digital advertisements. The app would then continuously put in requests to access the adverts and once connected would click the buttons on the digital advertisers pages. All of this was done without the user’s knowledge or consent.

Secure-D Research

Secure-D became suspicious last July when they noticed a higher than usual number of transaction attempts coming from Alcatel Android smartphones in Brazil and Malaysia.

The research team wrote in a security blog that: “Those suspicious requests were initiated by the same application named in both Brazil & Malaysia. This Android application is pre-installed on many Alcatel devices and is also available for download on Google Play.”

When they investigated the permissions in the Google Play version of the application they found that it: “Requires special and high risk permissions.”

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

On download it requested access to the READ_LOGS which according to the Google Android developers guide gives the application permission to read the low-level system log files of the device, personal information is often contained within these logs. This is not a normal request by an app, much less a simple weather forecast app.

The second permission it requested was SYSTEM_ALERT_WINDOW and WRITE_SETTINGS. Secure-D note that this permission will allow any application to initiate: “System-level interaction with the user and allow an application to read or write the system settings of the phone.”

Normally if an application wants to have either of these permission approved, it must request approval from the user and have the permissions clearly stated within the files manifest. The application does not ask the user for authorisation for either of these permissions.

Weather-Simple Weather Forecast

The Weather-Simple weather forecast app was pre-installed on a selection of mobile devices made by China-based TCL Communications Technology Holdings for Alcatel.

Along with allowing the above permissions, the pre-installed version also self-approved permission to access ‘BILLING’, this allows an application to use in-app billing.

The pre-installed version of the application used these permissions to attempt purchases from premium digital services.

“In Brazil, 2.5 million transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018. Those 2.5 million transaction attempts to purchase a digital service originated from 128,845 unique mobile phone numbers.”

In an indication of the global scale of the problem 79,940 transaction attempts from Alcatel devices were blocked in Kutwait. While further attempts were blocked in Egypt, Tunisia, South Africa and Nigeria.

The Google Play Store version of the application is no longer available and Google have stated that they do not comment on individual apps in the Play Store.

Alcatel is a French brand of mobile handsets owned by Finnish consumer electronics company Nokia and used under license by Chinese electronics company TCL Corporation. Neither company has responded to request from Computer Business Review for comment.

See Also: High Toxicity Linux Vulnerabilities Could Cause System Down for Red Hat, Debian

It is unclear why the instances cited by Secure-D only appeared in certain countries and apparently on hardware with the app pre-installed. Computer Business Review has contacted the company for more details.

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.