Slashdot Mirror


Popular App Weather Forecast Collects Too Much User Data and is Attempting To Subscribe Some Users To Paid Services Without Permission (wsj.com)

A popular weather app built by a Chinese tech conglomerate has been collecting an unusual amount of data from smartphones around the world and attempting to subscribe some users to paid services without permission, according to a London-based security firm's research. From a report: The free app, one of the world's most-downloaded weather apps in Google's Play store, is from TCL Communication Technology Holdings, of Shenzhen, China. TCL makes Alcatel- and BlackBerry-branded phones, while a sister company makes televisions. The app, called "Weather Forecast -- World Weather Accurate Radar," collects data including smartphone users' geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity. Until last month, the app was known as "Weather -- Simple weather forecast."

The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.

57 comments

  1. The Weather Network by Anonymous Coward · · Score: 1

    There's an official app, just use that. Sure it's bloated to all hell and there's ads, but at least, you know your data ain't going to China.

    1. Re: The Weather Network by Anonymous Coward · · Score: 0

      I heard the savings - accounting for tangential savings - was more than six times higher

    2. Re:The Weather Network by Anonymous Coward · · Score: 0

      There's an official app, just use that. Sure it's bloated to all hell and there's ads, but at least, you know your data ain't going to China.

      Oh? How can you know that?

      Nevermind that on any platform from Google, you never know where any of your data is or isn't being sold to.

      Well, you do. This is money-grubbing, selling-out-to-China, evil Google we're talking about. Your data is sold to anyone and everyone. Even after you selected the options to prevent that.

    3. Re:The Weather Network by Anonymous Coward · · Score: 0

      How do you know data ain't going to China?

      Ad companies collect your data through apps, ad companies sell data to others. Usually, other ad companies, but the customer could very well be foreign intelligence agencies, including Chinese. They would all like to have everybody's contact lists - because that sort of thing tells "who knows who" which is useful for figuring out who the hidden operatives are. Weather apps are popular, so they are good for this sort of collection. Later, an "upgrade" can be used to add call snooping for especially interesting phones.

  2. Re:The Weather Network - sells your data by Anonymous Coward · · Score: 0

    they sell your data, they might not subscribe you to services but they sell your data like any advertising company does

  3. Re:Android Sucks by Anonymous Coward · · Score: 0

    There are several weather apps on F-Droid.

  4. Apparently it is this London based team? by FormOfActionBanana · · Score: 1

    https://guardianapp.com/ios-ap...

    That is my best guess from a Google search. Could anybody read the article and see who the researchers are?

    --
    Take off every 'sig' !!
    1. Re:Apparently it is this London based team? by Anonymous Coward · · Score: 0

      Could anybody read the article and see who the researchers are?

      HAHAHAHA!!! Good one

    2. Re:Apparently it is this London based team? by Anonymous Coward · · Score: 1

      NEW DELHI -- A popular weather app built by a Chinese tech conglomerate has been collecting an unusual amount of data from smartphones around the world and attempting to subscribe some users to paid services without permission, according to a London-based security firm's research.

      The free app, one of the world's most-downloaded weather apps in Google's Play store, is from TCL Communication Technology Holdings Ltd., of Shenzhen, China. TCL makes Alcatel- and BlackBerry-branded phones, while a sister company makes televisions.

      The app, called "Weather Forecast -- World Weather Accurate Radar," collects data including smartphone users' geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity. Until last month, the app was known as "Weather -- Simple weather forecast."

      A TCL spokesman didn't address queries about the amount of data the app collects.

      The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.

      After The Wall Street Journal made inquiries about the app's activities in November, TCL updated the app in Google's Play store. The app then stopped trying to subscribe users to services, according to Upstream, though the data collection continues.

      The TCL spokesman said the company has various security safeguards in place but is now "evaluating new security consultants who can provide additional validation of the safety of our mobile applications we develop." He didn't comment on the attempted subscriptions.

      Many popular smartphone apps collect a variety of data, and weather apps typically need a user's location to provide weather information. But TCL's app asks for data beyond the norm, such as the IMEI number and email addresses, according to Michael Covington, an executive at Wandera, a San Francisco mobile security firm that reviewed the app's functionality at The Wall Street Journal's request.

      "I wouldn't install that app," said Mr. Covington, Wandera's vice president of product strategy. "It's really questionable when an app that has such a benign functionality is taking information that is uniquely identifiable."

      "All the activity happens in the background," said Dimitris Maniatis, a security executive at Upstream. "There is no opportunity for the user to see a warning."

      Widening smartphone use and the ability of mobile advertising to target users around the world create "the ideal setup" for malicious activity, said Upstream Chief Executive Guy Krief. Hundreds of millions of people, especially in emerging markets, are accessing the internet for the first time on low-cost devices.

      Since TCL released the app in December 2016, it has been downloaded more than 10 million times. It has ranked among the top five weather apps in some 30 countries, according to mobile-app analytics firm App Annie.

      In 2018, it was the sixth most popular weather app in the U.K. and in Canada, and in 2017 it was among the 20 most popular in the U.S., according to App Annie. It is especially popular in countries such as Brazil, Mexico and the Philippines.

      The weather app is designed for smartphones running Google's Android operating system. There is no version for Apple's iOS.

      A Google spokesman said the company doesn't comment on individual apps.

      Google's app store suspended two apps from Chinese companies in December following allegations they could have been used in an ad fraud scheme.

      The TCL app's attempted subscriptions came from a pre-installed version of the app on Alcatel smartphones that cannot be deleted from the d

    3. Re:Apparently it is this London based team? by FormOfActionBanana · · Score: 1

      The word "London" doesn't even appear in the article text?

      --
      Take off every 'sig' !!
    4. Re:Apparently it is this London based team? by Anonymous Coward · · Score: 0

      I know it requires a lot more focus than most posters are typically capable of, but try finishing the first goddamn sentence of the article before you say London doesn't appear in the article text.

      "...according to a London-based security firm's research"

    5. Re:Apparently it is this London based team? by FormOfActionBanana · · Score: 1

      Upstream Systems, https://www.upstreamsystems.co...

      Wow, you are correct that I am not very smart today. Or blind...

      --
      Take off every 'sig' !!
  5. Open weather network ? by johnjones · · Score: 1

    so what's the best open weather data network ?

    I'm not after predictions, just data

    1. Re:Open weather network ? by Nidi62 · · Score: 5, Funny

      so what's the best open weather data network ?

      I'm not after predictions, just data

      A window?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:Open weather network ? by Anonymous Coward · · Score: 3, Informative

      OpenWeatherMap's free public API is quite enough. That's what the FOSS apps seem to use.

    3. Re:Open weather network ? by Calydor · · Score: 2, Funny

      You missed such a perfect chance to simply reply 'Windows' instead of 'A window'.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:Open weather network ? by The-Ixian · · Score: 1

      I think that the xfce4 weather widget is the best weather utility I have EVER come across.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Open weather network ? by theCoder · · Score: 1

      If you're in the US, the NOAA website at https://www.weather.gov/ is probably your best bet. I know you can get radar images from there -- I clicked around enough at one point and found the raw frames nicely sorted by location. I'm fairly certain that's where all the weather sites get their data, anyway. With how bad places like Weather Underground have been getting lately (it keeps switching to a blank page on my smart phone for example and is otherwise insanely slow with all of its useless JS nonsense), I almost want to make my own weather site using that data. But haven't gotten around to it yet :)

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  6. Only apps can app apps! by Anonymous Coward · · Score: 0

    If you didn't want modern appy apps to app apps while apping other apps, then stop using appy app phones, you filthy LUDDITES.

    Apps!

    1. Re:Only apps can app apps! by Anonymous Coward · · Score: 0

      lame. not even worth a mod point

  7. Popular apps by American tech conglomerate by Anonymous Coward · · Score: 0

    Such as Google Search, Google Allo, Google Hangout, Google also collects too much user data. But let's not talk about that, let's instead find a Chinese company that does the same, and then spin the old China cyber espionage tirade.

    1. Re:Popular apps by American tech conglomerate by Anonymous Coward · · Score: 0

      Such as Google Search, Google Allo, Google Hangout, Google also collects too much user data. But let's not talk about that, let's instead find a Chinese company that does the same, and then spin the old China cyber espionage tirade.

      Soooo, because Google is evil, everyone else gets a free pass?

      You're not trying to say that the Chinese haven't been conducting a coordinated, massive cyber espionage effort, are you?

    2. Re:Popular apps by American tech conglomerate by mark-t · · Score: 1

      What paid services has Google ever subscribed its users to without consent?

    3. Re:Popular apps by American tech conglomerate by Anonymous Coward · · Score: 1

      Such as Google Search, Google Allo, Google Hangout, Google also collects too much user data. But let's not talk about that, let's instead find a Chinese company that does the same, and then spin the old China cyber espionage tirade.

      You can disagree all day long if you choose to be WRONG, but at the end of the day, I trust Google's privacy policy and their apps to be in sync a lot more than random apps sending random data to random people.

      Hint... if you're not paying $$$ for it, your information is the price you are paying. That's okay, just make sure it's going to reasonably reputable companies, like Google... Apple... Microsoft.

    4. Re:Popular apps by American tech conglomerate by Anonymous Coward · · Score: 0

      >You're not trying to say that the Chinese haven't been conducting a coordinated, massive cyber espionage effort, are you?

      Source on that? Right -- the very people who are doing the same thing, and then accuse others of it.

      Try again.

    5. Re:Popular apps by American tech conglomerate by Anonymous Coward · · Score: 0

      You're trying to spin it again... but hey give all those reputable companies (who have been fined, sued, and taken to court multiple times over their business practices) all your personal data, location and movement information and what not, so they can keep you safe from the yellow peril.

  8. Holy Shit by Anonymous Coward · · Score: 0

    Why'd they change the name to...
    World W.A.R

  9. Apps spy on people now? by Opportunist · · Score: 1, Troll

    I'm shocked. Shocked I tell you!

    What has the world come to? You think you get a free app and suddenly you notice that it has a nefarious purpose. Wasn't teh interwebs supposed to be the place where you get everything for free?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Apps spy on people now? by mark-t · · Score: 1

      Sure, but it still leaves one wondering how a free app can subscribe people to paid services unless they gave it their credit card info in the first place.

    2. Re:Apps spy on people now? by Anonymous Coward · · Score: 0

      Sure, but it still leaves one wondering how a free app can subscribe people to paid services unless they gave it their credit card info in the first place.

      Have you seen the bullshit perms apps 'require' these days?

      There's a shocking amount which have that "subscribe to premium services (this can cost you money)" in them, even some of Google's own like Messages say this. I don't think this should be possible because there's simply no way most apps can be trusted. And since so many people will have their credit cards plugged into their phone, this is what happens.

      I don't install many apps, but ones that seem to want crazy amounts of permissions just get a hard no. Wait, you're a flashlight, WTF do you need my contacts for?

      Most apps are either useless, or exist to either steal your data, your money, or both. As such, I don't feel like I particularly need them. Then again, I'm not a smart phone junkie and don't really use mine much except for checking work emails, so I'm not obsessed with my phone and apps.

      Most apps are written by assholes.

    3. Re:Apps spy on people now? by mark-t · · Score: 1

      And since so many people will have their credit cards plugged into their phone, this is what happens.

      How does one app access data that may have been given to another app on the device? I mean really, not just theoretically.

      How does a free application A access credit card details that might have been plugged into application B unless application B was already willing to share them with A (and should therefore have not been trusted with CC details in the first place)?

    4. Re:Apps spy on people now? by tirk · · Score: 1

      I'm not fully versed on how this works, but I believe in most cases with Apple and Android the app itself does not use your credit card or collect the info, but rather you give it permission to bill the credit card you have attached to the store (iTunes or Google Play). Sometimes it's permission for a one time charge, sometimes for a recurring one. So if you gave an app permission to charge, depending on what permissions you gave it, it could easily charge your card for another app, or possibly even pass those permissions on to another app (not sure about that one though). In general I do not have a credit card attached to either my iTunes store or my Google Play Store and just don't get apps that cost money. If on the rare times I do want a paid app, I will attach a specific low limit card I have for online purchases, make my purchase, then remove the card from the system after the expected charge has gone through. In the past I had left my card attached to the Google Play store, but on at least a couple occasions, had fraudulent charges come through the attached card.

    5. Re:Apps spy on people now? by Anonymous Coward · · Score: 0

      How does a free application A access credit card details that might have been plugged into application B unless application B was already willing to share them with A (and should therefore have not been trusted with CC details in the first place)?

      Uh, that's rather the point. Basically any application B on a phone shouldn't be trusted with CC details in the first place because virtually no app can be trusted not to share that or other information with other apps. This used to be the core principle of CC numbers: never store them. Now, I'm not saying I'm not guilty of this (paypal, amazon, etc store such information). But I'm very reluctant to give out my CC details, and this is precisely why I've trusted only a few companies as proxy payment systems. I don't store login information for paypal, amazon, etc either.

    6. Re:Apps spy on people now? by Anonymous Coward · · Score: 0

      Free application A doesn't get access to B's data. Free application A requires permission: premium services. Unthinking User says sure, I'm never going to use the premium version but I still want this app running on the freemium level.

      But granting the free app access to Premium Services allows it access to your phone's stored billing credentials. It's not getting it from another app, it's getting it from the OS itself through directly-requested permissions. Have you given Google Play your CC info? If so, congratulations you're halfway to being scammed like this.

    7. Re:Apps spy on people now? by mark-t · · Score: 1

      My point is that if you are giving an app permission to charge your CC, then it's probably not actually free, even strictly financially speaking.

      Arguing that it is free just because you don't pay anything up front is like saying that a haircut is free because you usually don't have to pay before you see how they cut your hair.

    8. Re:Apps spy on people now? by mark-t · · Score: 1

      So then the user *DID* give permission.

      The fact that they may have done so only unintentionally is beside the point.

      In general, that could be blamed on a user not paying attention to what they are doing more than being a genuinely malicious app (although they are certainly not mutually exclusive).

  10. fuck that link by AndyKron · · Score: 1

    fuck that link I'm not whitelisting

  11. Serves 'em right by GameboyRMH · · Score: 1

    Forecastie was right there in the F-Droid store the whole time.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
    1. Re: Serves 'em right by Anonymous Coward · · Score: 0

      Wx is great for more in-depth weather analysis.

  12. Visit a web site by Anonymous Coward · · Score: 1

    If it's something you can only access online then skip the app and just use a web site bookmark

  13. So we can't trust China with a weather app, but nuclear reactors and AI are cool?

    1. Re:App by WindBourne · · Score: 1

      Actually, China is going to stop building Nuke reactors in China. They have SERIOUS QA issues on theirs. Oddly, they will continue building for other nations, AND GE is now using Chinese manufacturing for their AP1000+ systems.

      And ppl wonder why I do NOT want to see the large systems built in America.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  14. Chinese gov thanks you by WindBourne · · Score: 1

    for your data.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  15. Astro weather that doesn't track you by Ecuador · · Score: 1

    Shameless plug here, but if you have an iOS device (sorry, I've never tried android development) you might enjoy Xasteria's weather report for astronomers/astrophotographers, which has no registration, no tracking, no ads. I don't usually promote the service since it is kind of "niche", but maybe there are /. ers into that stuff. Otherwise, the web service 7Timer that it is based on, has non-astronomical predictions as well (based on NOAA data). I am donating the main server for that free service, so it also has no ads or tracking (well it uses a google Map API if you allow your browser to share your location, so Google knows where you are as usual).

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  16. Gboard uses 500MB+ per month of background data by Anonymous Coward · · Score: 0

    Not sure what the big deal is here. Gboard, Google's official keyboard for Android, sends 500MB or more of data in the background per month to who knows where even when the phone is not in use. So a little weather app sending a little bit of user data to China shouldn't be a huge deal.

  17. Spying? You don't say by Robert+Goatse · · Score: 2

    "A popular weather app built by a Chinese tech conglomerate..." Say no more.

  18. Re:Spying? You don't say by Anonymous Coward · · Score: 0

    No need for any more words than that to shut off people's reasoning and critical thinking.

  19. Subscribing to paid accounts without permission? by mccrew · · Score: 2

    It's also known as the "Wells Fargo App."

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  20. Google Play Store... say no more by Anonymous Coward · · Score: 0

    It's just the Android tax. Do bad actors sneak into Apple's App Store? Yes, but not nearly to the same extent as scam ware and spyware blight the Play Store.

  21. Are you WindBourne's alt? by Anonymous Coward · · Score: 0

    Not so into reading are you.

    1. Re: Are you WindBourne's alt? by Anonymous Coward · · Score: 0

      Seriously, I even Ctrl-F'd to check myself. The relevant parts of the article were completely invisible to me.

  22. Any evidence? Or just more bullshit? by Anonymous Coward · · Score: 0

    Let's guess. It's secret info you 'just heard somewhere'.
    Or is it more FUD you are paid to post here every day?
    Any links?

    1. Re: Any evidence? Or just more bullshit? by Anonymous Coward · · Score: 0

      Newk-u-ler power will save us all!!!!1!

  23. Same source as your avian flu scare? by Anonymous Coward · · Score: 0

    IE You pulled it out of your anus like that one also?
    Where is the pandemic you said you knew about here? It's been a few months now, how many dead Chinese have you counted?
    How much are they paying you to promote all this fear? Or is being so blatantly dishonest and anti-China just a hobby for you now?

  24. Re: Gboard uses 500MB+ per month of background dat by astrofurter · · Score: 1

    No no no no - Big Brother Google would NEVER spy on us. Because Big Brother Google loves us all!