Weather app harvests personal data, security experts warn

[Image: A sunset in Rio de Janeiro. A weather app has tried to subscribe hundreds of thousands of Brazilian users to paid services. Image source: Getty Images]

A popular weather app has been collecting unusual amounts of information from its users, security experts claim.

Data including email addresses and mobile identity numbers have been transmitted to servers based in China.

The free app, 'Weather Forecast—World Weather Accurate Radar', has also subscribed users to paid services without permission.

It has been downloaded more than 10 million times from Google's Play store.

The software is made by TCL Communication Technology Holdings Ltd., based in Shenzhen, China.

The company manufactures Alcatel and Blackberry-branded smartphones, which come with the weather app pre-installed.

According to security and mobile commerce firm Upstream Systems, TCL's 'Weather Forecast' asks to collect information including users' geographic locations, email addresses and International Mobile Equipment Identity (IMEI) numbers - a 15-digit code used to identify individual devices.

The security firm says TCL has also been attempting to subscribe users of budget Alcatel smartphones in Brazil, Malaysia and Nigeria to paid virtual reality services, and separately loading pages - including pornography - to generate fraudulent clicks on adverts.

It says Brazil alone received 2.5 million transaction attempts from Alcatel devices in July and August 2018, which were blocked after the company discovered the activity. These originated from 128,845 unique mobile phone numbers, and are understood to have stemmed from both the pre-installed and Google Play versions of the app.

Upstream Systems told the BBC the app is no longer attempting to subscribe users to third-party services. But it continues to collect data.

The BBC has asked TCL for comment.

Excessive Information

In December, Google suspended two other Chinese apps from its Play store after allegations that they were exploiting user permissions as part of an ad fraud scheme.

Last week, the Internet Society of China convened a panel with the country's Information and Communication Administration to present the results of an analysis of data-gathering practices.

It found that 18 of the most popular apps in the country collected what it deemed excessive user information - including text messages, address book data and recordings. Nine of the apps appeared to do this without consent, including the Baidu mobile assistant.

"I think that China as the bad guy here is a red herring," security expert Davey Winder told the BBC. "There is a rush to accuse Chinese tech of spying on behalf of the state.

"Criminals are the problem, whether the default intention of the app developer, or as a result of a successful compromise attack by hackers who have inserted their own malicious code into an update."

According to Mr Winder, the spread of low-cost smartphones across emerging markets is playing a key role in how malicious data gathering evolves:

"Emerging markets, by their very nature, tend to have less mature supply chains and that immaturity extends to security processes," said Mr Winder. "This makes them an attractive target for criminals looking to scrape additional profit from their involvement."

Outside of China, the privacy advocacy group Privacy International recently raised concerns about Android app developers sharing data with Facebook via Facebook's Software Development Kit (SDK).

It found that 61 percent of the apps it tested automatically transferred data to Facebook as soon as a user opened the app - regardless of whether they had a Facebook account. Combined, this data would be enough to paint an intimate portrait of a person's behaviour, the group says.