Alcatel Smartphone Pre-Installed App Infected with Malware
An official Alcatel app, available through Google Play Store, has been found to be malware infected.
It’s in a pre-installed weather app on Alcatel smartphones that the malware has been found. ZDNet reports, “A weather app that comes preinstalled on Alcatel smartphones contained malware that surreptitiously subscribed device owners to premium phone numbers behind their backs.”
The infected app is the “Weather Forecast-World Weather Accurate Radar” app, which has been developed by Chinese firm TCL Corporation, which owns the Alcatel, Blackberry and Palm brands. TCL Corporation installs “Weather Forecast-World Weather Accurate Radar” as a default app on Alcatel smartphones. It’s also available, for all Android users, on Google Play Store; reports say that it has been downloaded and installed over 10 million times. It was last year that the app got infected.
The ZDNet report details, “But at one point last year, both the app included on some Alcatel devices and the one that was available on the Play Store were compromised with malware. How the malware was added to the app is unclear. TCL has not responded to phone calls requesting comment made by ZDNet this week.”
The infected was detected by researchers at UK-based mobile security firm Upstream, during July-August 2018, when they found suspicious traffic originating from the Alcatel smartphones belonging to their customers.
A recent report by Upstream reads, “Over July and August 2018, through Secure-D, we observed a higher than usual number of transaction attempts in Brazil and Malaysia coming from a series of Alcatel Android smartphones (Pixi 4 and A3 Max models). Those suspicious requests were initiated by the same application named com.tct.weather in both Brazil & Malaysia.”
It further explains, “This com.tct.weather Android application is pre-installed on many Alcatel devices and is also available for download on Google Play. It provides “accurate forecasts and timely local weather alerts”. It has been downloaded by more than 10,000,000 users from Google Play. Similar transaction attempts coming from Alcatel devices and the application com.tct.weather were also blocked in Nigeria, South Africa, Egypt, Kuwait and Tunisia.”
The Upstream researchers initially detected the app to be harvesting users’ data and sending it to a server located in China; the data thus sent included geographic locations, email addresses, IMEIs. As mentioned earlier, the researchers also found that the infected app also attempted to subscribe users to premium phone numbers, which would incur large charges on users’ phone bills. In July and August 2018, as many as 2.5 million transaction attempts initiated from this infected app on Alcatel smartphones were blocked in Brazil; these transaction attempts, which sought to purchase a digital service, were found to originate from 128,845 unique mobile phone numbers. 428,291 transaction attempts to purchase another premium digital service were also blocked in Brazil during the same period. Transaction attempts initiated by this Alcatel weather app were also blocked in Kuwait, Nigeria, South Africa, Egypt and Tunisia. Upstream reportedly detected and blocked over 27 million transaction attempts across seven markets; if these transaction attempts had not been blocked they would have caused losses of around $1.5 million to phone owners.
Upstream also detected adware-like behavior originating from an infected phone that the company had purchased from its former owner. The infected weather app would run in the background and would start hidden browser windows that loaded web paged and also clicked on ads. This would lead to 50MB to 250MB of data being consumed per day, thereby depleting internet data plans and causing financial losses to the victims.
The Upstream security researchers found that two Alcatel smartphone models- Pixi 4 and A3 Max- were mainly affected. However, Upstream doesn’t have a worldwide view about the infected devices and hence the researchers think that many other models could also be infected, especially belonging to users who downloaded the weather app from Google Play Store.
Reports say that the source of infection could be a developer working for TCL. The ZDNet report says, “The point of the compromise doesn’t appear to be with some shady phone supplier or rogue telecom provider in any of the affected countries, mainly because both the preinstalled and Play Store apps were affected in the same way…The source of the infection appears to be a TCL developer who had his system compromised, although this is only a theory.”
Upstream is currently working with TCL on investigating the issue further. Upstream researchers joined hands with Wall Street Journal reporters to notify TCL and Google about the issue; following this Google had removed the infected app from the Play Store.
The ZDNet report notes, “But this weather app isn’t the only suspicious app with intrusive permissions that collects data and sends it back to China. There are plenty of those around already.”
Julia Sowells960 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.