Slashdot Mirror


Popular App Weather Forecast Collects Too Much User Data and is Attempting To Subscribe Some Users To Paid Services Without Permission (wsj.com)

A popular weather app built by a Chinese tech conglomerate has been collecting an unusual amount of data from smartphones around the world and attempting to subscribe some users to paid services without permission, according to a London-based security firm's research. From a report: The free app, one of the world's most-downloaded weather apps in Google's Play store, is from TCL Communication Technology Holdings, of Shenzhen, China. TCL makes Alcatel- and BlackBerry-branded phones, while a sister company makes televisions. The app, called "Weather Forecast - World Weather Accurate Radar," collects data including smartphone users' geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity. Until last month, the app was known as "Weather - Simple weather forecast."

The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.
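The identifiers named in the story (location, email address, IMEI) are exactly the kind of thing an egress or proxy log makes visible. The following is an added example, not part of the story and not Upstream's tooling: a small Python detector that scans outbound request records for those three identifier classes and groups the hits per app. The log format, host names, the app uid 10231 and the request paths are constructed for illustration; the IMEI value is a synthetic Luhn-valid number, not a real device's.

```python
"""Added example: flag outbound requests that carry IMEI, email or GPS
coordinates. Log lines, hosts and uids below are constructed, not real."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample of what an on-device proxy or egress log might record.
# uid 10231 stands for the weather app; 10044 is an unrelated app.
SAMPLE_LOG = """\
2019-01-03T10:22:01Z uid=10231 POST https://collect.example-weather.invalid/report?imei=490154203237518&email=user%40example.com&lat=-23.55&lon=-46.63
2019-01-03T10:22:02Z uid=10231 GET https://tiles.example-weather.invalid/radar?z=6&x=22&y=37
2019-01-03T10:22:05Z uid=10044 GET https://cdn.example-news.invalid/item?id=123456789012345
2019-01-03T10:23:11Z uid=10231 POST https://collect.example-weather.invalid/report?imei=490154203237519&lon=-46.64&lat=-23.56
"""

IMEI_RE = re.compile(r"(?<!\d)\d{15}(?!\d)")          # 15 digits, not part of a longer run
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
LAT_KEYS = {"lat", "latitude"}
LON_KEYS = {"lon", "lng", "long", "longitude"}


def luhn_ok(digits):
    """Luhn checksum. The 15th digit of an IMEI is a Luhn check digit over
    the first 14, so a random 15-digit id (order number, timestamp) usually
    fails this and is not reported as an IMEI."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_line(line):
    """'<ts> uid=<n> <METHOD> <url>' -> dict with host, path and query params."""
    ts, uid_field, method, url = line.split(maxsplit=3)
    parts = urlsplit(url)
    params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
    return {"ts": ts, "uid": int(uid_field.split("=", 1)[1]), "method": method,
            "host": parts.hostname, "path": parts.path, "params": params}


def classify(request):
    """Return the set of identifier classes present in one request."""
    found = set()
    flat = " ".join(unquote(v) for vals in request["params"].values() for v in vals)
    if any(luhn_ok(m) for m in IMEI_RE.findall(flat)):
        found.add("imei")
    if EMAIL_RE.search(flat):
        found.add("email")
    keys = set(request["params"])
    if keys & LAT_KEYS and keys & LON_KEYS:
        found.add("location")
    return found


def scan(log_text):
    """One finding per request that carries at least one identifier class."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        req = parse_line(line)
        ids = classify(req)
        if ids:
            findings.append({"uid": req["uid"], "host": req["host"],
                             "path": req["path"], "identifiers": sorted(ids)})
    return findings


def per_app(findings):
    """Collapse findings to uid -> sorted list of identifier classes seen."""
    by_uid = {}
    for f in findings:
        by_uid.setdefault(f["uid"], set()).update(f["identifiers"])
    return {uid: sorted(ids) for uid, ids in by_uid.items()}


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(per_app(hits))
```

Location alone is expected from a forecast app; the signal here is the combination of a device identifier (IMEI) or an account identifier (email) with location leaving the device, which is the "benign functionality taking uniquely identifiable information" pattern the story quotes. The Luhn filter trades recall for precision: some handsets report the IMEI with a zero check digit or as 14 digits, so a 15-digit value that fails Luhn deserves a look rather than an automatic dismissal.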


  1. The Weather Network by Anonymous Coward · · Score: 1

    There's an official app, just use that. Sure it's bloated to all hell and there's ads, but at least, you know your data ain't going to China.

  2. Apparently it is this London based team? by FormOfActionBanana · · Score: 1

    https://guardianapp.com/ios-ap...

    That is my best guess from a Google search. Could anybody read the article and see who the researchers are?

    --
    Take off every 'sig' !!
    1. Re:Apparently it is this London based team? by Anonymous Coward · · Score: 1

      NEW DELHI - A popular weather app built by a Chinese tech conglomerate has been collecting an unusual amount of data from smartphones around the world and attempting to subscribe some users to paid services without permission, according to a London-based security firm's research.

      The free app, one of the world's most-downloaded weather apps in Google's Play store, is from TCL Communication Technology Holdings Ltd., of Shenzhen, China. TCL makes Alcatel- and BlackBerry-branded phones, while a sister company makes televisions.

      The app, called "Weather Forecast - World Weather Accurate Radar," collects data including smartphone users' geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity. Until last month, the app was known as "Weather - Simple weather forecast."

      A TCL spokesman didn't address queries about the amount of data the app collects.

      The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.

      After The Wall Street Journal made inquiries about the app's activities in November, TCL updated the app in Google's Play store. The app then stopped trying to subscribe users to services, according to Upstream, though the data collection continues.

      The TCL spokesman said the company has various security safeguards in place but is now "evaluating new security consultants who can provide additional validation of the safety of our mobile applications we develop." He didn't comment on the attempted subscriptions.

      Many popular smartphone apps collect a variety of data, and weather apps typically need a user's location to provide weather information. But TCL's app asks for data beyond the norm, such as the IMEI number and email addresses, according to Michael Covington, an executive at Wandera, a San Francisco mobile security firm that reviewed the app's functionality at The Wall Street Journal's request.

      "I wouldn't install that app," said Mr. Covington, Wandera's vice president of product strategy. "It's really questionable when an app that has such a benign functionality is taking information that is uniquely identifiable."

      "All the activity happens in the background," said Dimitris Maniatis, a security executive at Upstream. "There is no opportunity for the user to see a warning."

      Widening smartphone use and the ability of mobile advertising to target users around the world create "the ideal setup" for malicious activity, said Upstream Chief Executive Guy Krief. Hundreds of millions of people, especially in emerging markets, are accessing the internet for the first time on low-cost devices.

      Since TCL released the app in December 2016, it has been downloaded more than 10 million times. It has ranked among the top five weather apps in some 30 countries, according to mobile-app analytics firm App Annie.

      In 2018, it was the sixth most popular weather app in the U.K. and in Canada, and in 2017 it was among the 20 most popular in the U.S., according to App Annie. It is especially popular in countries such as Brazil, Mexico and the Philippines.

      The weather app is designed for smartphones running Google's Android operating system. There is no version for Apple's iOS.

      A Google spokesman said the company doesn't comment on individual apps.

      Google's app store suspended two apps from Chinese companies in December following allegations they could have been used in an ad fraud scheme.

      The TCL app's attempted subscriptions came from a pre-installed version of the app on Alcatel smartphones that cannot be deleted from the d
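The "data beyond the norm" point quoted above (a weather app asking for the IMEI and email addresses) is something a manifest review catches before anything is installed. Below is an added example, not from the article and not TCL's manifest: a Python triage of a decoded AndroidManifest.xml that lists every declared permission, reports the ones a forecast/radar app has no obvious use for, and explains what the known-sensitive ones unlock. The manifest, package name and permission list are constructed for illustration; the "expected for a weather app" set is this example's own assumption.

```python
"""Added example: permission-versus-purpose triage of an Android manifest.
The manifest below is constructed; it is not the weather app's real manifest.
A real APK's manifest is binary XML; decode it first with `apktool d app.apk`
or list permissions directly with `aapt dump permissions app.apk`."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest (package name and permissions are assumptions).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <application android:label="Weather"/>
</manifest>
"""

# This example's assumption of what a forecast/radar app plausibly needs.
EXPECTED_FOR_WEATHER = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECEIVE_BOOT_COMPLETED",   # refresh a home-screen widget
    "android.permission.WAKE_LOCK",
}

# Permissions whose presence in a utility app deserves an explanation.
SENSITIVE = {
    "android.permission.READ_PHONE_STATE":
        "IMEI via TelephonyManager.getDeviceId() on Android 9 and earlier",
    "android.permission.GET_ACCOUNTS":
        "account names on the device, typically the user's email addresses",
    "android.permission.READ_CONTACTS": "the contact list",
    "android.permission.SEND_SMS": "sending SMS without the user seeing it",
    "android.permission.RECEIVE_SMS": "reading incoming SMS",
}


def declared_permissions(root):
    """All <uses-permission android:name=...> values, sorted."""
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def triage(manifest_xml, expected=EXPECTED_FOR_WEATHER):
    """Compare declared permissions against the expected set for the app's purpose."""
    root = ET.fromstring(manifest_xml)
    declared = declared_permissions(root)
    unexpected = [p for p in declared if p not in expected]
    return {
        "package": root.get("package"),
        "declared": declared,
        "unexpected": unexpected,
        "sensitive": {p: SENSITIVE[p] for p in unexpected if p in SENSITIVE},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("package:", report["package"])
    for p in report["unexpected"]:
        print("unexpected:", p, "->", report["sensitive"].get(p, "no known rationale"))
```

Two caveats a practitioner would add. Declaring a permission is not the same as holding it: on Android 6 and later READ_PHONE_STATE and GET_ACCOUNTS are runtime permissions, so check the actual grant state on a device with `adb shell dumpsys package <pkg>`. And since Android 10 the IMEI is reserved for privileged system apps (READ_PRIVILEGED_PHONE_STATE), which matters for a build that ships pre-installed rather than one downloaded from Play.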

    2. Re:Apparently it is this London based team? by FormOfActionBanana · · Score: 1

      The word "London" doesn't even appear in the article text?

      --
      Take off every 'sig' !!
    3. Re:Apparently it is this London based team? by FormOfActionBanana · · Score: 1

      Upstream Systems, https://www.upstreamsystems.co...

      Wow, you are correct that I am not very smart today. Or blind...

      --
      Take off every 'sig' !!
  3. Open weather network ? by johnjones · · Score: 1

    So what's the best open weather data network?

    I'm not after predictions, just data

    1. Re:Open weather network ? by Nidi62 · · Score: 5, Funny

      So what's the best open weather data network?

      I'm not after predictions, just data

      A window?

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
    2. Re:Open weather network ? by Anonymous Coward · · Score: 3, Informative

      OpenWeatherMap's free public API is quite enough. That's what the FOSS apps seem to use.

    3. Re:Open weather network ? by Calydor · · Score: 2, Funny

      You missed such a perfect chance to simply reply 'Windows' instead of 'A window'.

      --
      -=This sig has nothing to do with my comment. Move along now=-
    4. Re:Open weather network ? by The-Ixian · · Score: 1

      I think that the xfce4 weather widget is the best weather utility I have EVER come across.

      --
      My eyes reflect the stars and a smile lights up my face.
    5. Re:Open weather network ? by theCoder · · Score: 1

      If you're in the US, the NOAA website at https://www.weather.gov/ is probably your best bet. I know you can get radar images from there -- I clicked around enough at one point and found the raw frames nicely sorted by location. I'm fairly certain that's where all the weather sites get their data, anyway. With how bad places like Weather Underground have been getting lately (it keeps switching to a blank page on my smart phone, for example, and is otherwise insanely slow with all of its useless JS nonsense), I almost want to make my own weather site using that data. But I haven't gotten around to it yet :)

      --
      "Save the whales, feed the hungry, free the mallocs" -- author unknown
  4. Apps spy on people now? by Opportunist · · Score: 1, Troll

    I'm shocked. Shocked I tell you!

    What has the world come to? You think you get a free app and suddenly you notice that it has a nefarious purpose. Wasn't teh interwebs supposed to be the place where you get everything for free?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Apps spy on people now? by mark-t · · Score: 1

      Sure, but it still leaves one wondering how a free app can subscribe people to paid services unless they gave it their credit card info in the first place.

    2. Re:Apps spy on people now? by mark-t · · Score: 1

      And since so many people will have their credit cards plugged into their phone, this is what happens.

      How does one app access data that may have been given to another app on the device? I mean really, not just theoretically.

      How does a free application A access credit card details that might have been plugged into application B unless application B was already willing to share them with A (and should therefore have not been trusted with CC details in the first place)?

    3. Re:Apps spy on people now? by tirk · · Score: 1

      I'm not fully versed on how this works, but I believe in most cases with Apple and Android the app itself does not use your credit card or collect the info, but rather you give it permission to bill the credit card you have attached to the store (iTunes or Google Play). Sometimes it's permission for a one time charge, sometimes for a recurring one. So if you gave an app permission to charge, depending on what permissions you gave it, it could easily charge your card for another app, or possibly even pass those permissions on to another app (not sure about that one though). In general I do not have a credit card attached to either my iTunes store or my Google Play Store and just don't get apps that cost money. If on the rare times I do want a paid app, I will attach a specific low limit card I have for online purchases, make my purchase, then remove the card from the system after the expected charge has gone through. In the past I had left my card attached to the Google Play store, but on at least a couple occasions, had fraudulent charges come through the attached card.

    4. Re:Apps spy on people now? by mark-t · · Score: 1

      My point is that if you are giving an app permission to charge your CC, then it's probably not actually free, even strictly financially speaking.

      Arguing that it is free just because you don't pay anything up front is like saying that a haircut is free because you usually don't have to pay before you see how they cut your hair.

    5. Re:Apps spy on people now? by mark-t · · Score: 1

      So then the user *DID* give permission.

      The fact that they may have done so only unintentionally is beside the point.

      In general, that could be blamed on a user not paying attention to what they are doing more than being a genuinely malicious app (although they are certainly not mutually exclusive).

  5. fuck that link by AndyKron · · Score: 1

    fuck that link I'm not whitelisting

  6. Re:Popular apps by American tech conglomerate by mark-t · · Score: 1

    What paid services has Google ever subscribed its users to without consent?

  7. Serves 'em right by GameboyRMH · · Score: 1

    Forecastie was right there in the F-Droid store the whole time.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. Visit a web site by Anonymous Coward · · Score: 1

    If it's something you can only access online then skip the app and just use a web site bookmark

  9. So we can't trust China with a weather app, but nuclear reactors and AI are cool?

    1. Re:App by WindBourne · · Score: 1

      Actually, China is going to stop building Nuke reactors in China. They have SERIOUS QA issues on theirs. Oddly, they will continue building for other nations, AND GE is now using Chinese manufacturing for their AP1000+ systems.

      And ppl wonder why I do NOT want to see the large systems built in America.

      --
      I prefer the "u" in honour as it seems to be missing these days.
  10. Re:Popular apps by American tech conglomerate by Anonymous Coward · · Score: 1

    Such as Google Search, Google Allo, Google Hangout, Google also collects too much user data. But let's not talk about that, let's instead find a Chinese company that does the same, and then spin the old China cyber espionage tirade.

    You can disagree all day long if you choose to be WRONG, but at the end of the day, I trust Google's privacy policy and their apps to be in sync a lot more than random apps sending random data to random people.

    Hint... if you're not paying $$$ for it, your information is the price you are paying. That's okay, just make sure it's going to reasonably reputable companies, like Google... Apple... Microsoft.

  11. Chinese gov thanks you by WindBourne · · Score: 1

    for your data.

    --
    I prefer the "u" in honour as it seems to be missing these days.
  12. Astro weather that doesn't track you by Ecuador · · Score: 1

    Shameless plug here, but if you have an iOS device (sorry, I've never tried android development) you might enjoy Xasteria's weather report for astronomers/astrophotographers, which has no registration, no tracking, no ads. I don't usually promote the service since it is kind of "niche", but maybe there are /. ers into that stuff. Otherwise, the web service 7Timer that it is based on, has non-astronomical predictions as well (based on NOAA data). I am donating the main server for that free service, so it also has no ads or tracking (well it uses a google Map API if you allow your browser to share your location, so Google knows where you are as usual).

    --
    Violence is the last refuge of the incompetent. Polar Scope Align for iOS
  13. Spying? You don't say by Robert+Goatse · · Score: 2

    "A popular weather app built by a Chinese tech conglomerate..." Say no more.

  14. Subscribing to paid accounts without permission? by mccrew · · Score: 2

    It's also known as the "Wells Fargo App."

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
  15. Re: Gboard uses 500MB+ per month of background dat by astrofurter · · Score: 1

    No no no no - Big Brother Google would NEVER spy on us. Because Big Brother Google loves us all!