Image: Alcatel

A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs.

The app, named "Weather Forecast-World Weather Accurate Radar," was developed by TCL Corporation, a Chinese electronics company that among other things owns the Alcatel, BlackBerry, and Palm brands.

The app is one of the default apps that TCL installs on Alcatel smartphones, but it was also made available on the Play Store for all Android users --where it had been downloaded and installed more than ten million times.

But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week.

App caused financial losses to users

The infection came to light last summer, when Upstream, a UK-based mobile security firm, discovered suspicious traffic originating from the smartphones of some of its customers.

In a report published this week and shared with ZDNet, the company says it initially detected that the app was harvesting users' data and sending it to a server in China. The app collected geographic locations, email addresses, and IMEI codes, which it sent back to TCL.

But this weather app isn't the only suspicious app with intrusive permissions that collects data and sends it back to China. There are plenty of those around already.

Upstream devs also found that in certain regions, the malicious code hidden inside the app would also attempt to subscribe users to premium phone numbers that incurred large charges on users' phone bills.

In Brazil, 2.5 million transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018. Those 2.5 million transaction attempts to purchase a digital service originated from 128,845 unique mobile phone numbers.

In Brazil again but for another premium digital service, 428,291 transaction attempts initiated from this Weather application on Alcatel devices were blocked in July and August 2018.

In Kuwait, 78,940 transactions attempts initiated from Alcatel devices were blocked in July and August 2018.

Transaction attempts initiated by this Weather application on Alcatel devices were also blocked in Nigeria, South Africa, Egypt, and Tunisia.

All in all, the company says it detected and blocked over 27 million transaction attempts across seven markets, which would have created losses of around $1.5 million to phone owners if they hadn't been blocked.

On top of these transactions, Upstream devs also spotted adware-like behavior that originated from an infected phone they've purchased from its former owner.

The weather app, which ran in the phone's background, also started hidden browser windows that loaded web pages and clicked on ads. "We recorded 50MB to 250MB of data per day being consumed by the application's unwanted activity," researchers said.

This means that on top of driving up phone bills by subscribing users to premium numbers, the app was also most likely depleting internet access data plans, incurring even more financial losses to victims.

Two Alcatel smartphone models mainly affected

According to Upstream, most of the behavior they've seen originated only from two types of smartphones, Pixi 4 and A3 Max models. However, the company doesn't have a worldwide view into infected devices, and many more could still be infected, especially users who downloaded the app from the Play Store.

Google has removed the app (com.tct.weather) from the Play Store after Upstream worked with Wall Street Journal reporters to notify both TCL and Google.

The point of the compromise doesn't appear to be with some shady phone supplier or rogue telecom provider in any of the affected countries, mainly because both the preinstalled and Play Store apps were affected in the same way.

The source of the infection appears to be a TCL developer who had his system compromised, although this is only a theory.

"The suspicious activity stopped after the WSJ contacted TCL," an Upstream spokesperson told ZDNet yesterday via email, "although the data collection continued."

Upstream told ZDNet that it's currently working with TCL on investigating the issue further. The company also said they didn't analyze the other apps uploaded on the Play Store from the same TCL account, but they didn't find any suspicious activity originating from them either.

Image: Upstream

More security news: