While manufacturers often include pre-installed apps on their devices, Upstream recently discovered that Alcatel smartphones came bundled with a suspicious app from TCL. The app in question, “Weather Forecast – World Accurate Radar”, was found on the company’s Pixi 4 and A3 Max devices. However, instead of just providing users with weather forecasts and local weather alerts, it was actually found to behave like a typical malicious app.
TechRadar Pro spoke with Upstream’s CEO Guy Krief to learn how the company discovered the malicious app and the ways in which it was found to be secretly collecting user data.
Can you tell us a little bit about the suspicious app your company discovered on Alcatel smartphones?
Upstream’s security platform, Secure-D, detected suspicious activity initiated by an Android app named “Weather Forecast – World Weather Accurate Radar”. The app, which has since been removed, was also available on Google Play, with more than 10 million downloads, including those in the UK, USA, and France. It claimed to provide “accurate forecasts and timely local weather alerts.” The app was ranked 6 in its category in the UK. Despite user complaints, which were seemingly pushed down in the ‘ratings and reviews’ section, the app had a 4.4-star rating.
When infected devices were tested by Secure-D, the app was found to collect and transfer users’ personal information to servers online, including the user’s device ID, their email, and location. Furthermore, it was found to behave like a typical malicious app, which attempts ad fraud by loading pages with ads and clicking on them, as well as triggering subscriptions to premium services without the user’s consent. Had these fraudulent attempts not been blocked, they would have cost users up to $1.5 million in fraudulent charges.
Furthermore, this activity, which was invisible to the users, was consuming up to 250MB of their data daily and had a particularly adverse impact on consumers in emerging markets, where the cost of data is extremely high.
Alcatel is owned by Nokia and its devices are manufactured by TCL in China. Do you think that either company was aware that the manufacturer was installing a suspicious app on their devices?
Hard to say on our side. However, both apps, the pre-installed and the Google Play store one, displayed similar behaviors. Also, the suspicious activity stopped after the WSJ contacted TCL, although the data collection continued.
How was your company’s security platform Secure-D able to detect that the app was malicious, and has it discovered similar apps on other devices in the past?
Mobile operators across the world use our security platform Secure-D to protect their subscribers from fraudulent transactions and charges to their airtime. Our advanced machine learning algorithms determine which transactions are most likely to be fraudulent. In this case, we recorded an unusually high number of suspicious transaction attempts coming from a specific weather forecast application on Alcatel devices. We then purchased multiple devices from their owners and conducted an investigation in our lab.
We have only seen one other case of a pre-installed suspicious application. This malicious software was developed by Chinese firm Gmobi, and pre-installed on specific Smart and Multilaser branded devices.
To date, our Secure-D platform has identified and blocked over 63,000 malicious apps that were on all kinds of devices.
The app collects and sends users’ personal information to servers in China. Is this a common practice among malicious apps?
We’ve seen other malicious apps doing the same thing. Now, data from our security platform Secure-D shows that, on average, 8% of mobile internet subscribers in emerging markets, and 4% in developed markets, have a smartphone infected with malware. That is tens of millions of people whose personal information is being stolen without their knowledge.
Your company revealed that the app was consuming large amounts of users’ data. Are there any ways that consumers can easily check to see if an app is using more data than it should?
Yes, consumers can monitor the data consumption for each app, for example by going to the settings menu of their Android device.
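As an added illustration (not code from the interview, from Upstream or from Secure-D), the small Python check below applies the two warning signs discussed above, per-app daily data volume far beyond what the app's category needs and repeated premium-subscription attempts, to constructed per-app usage records; the package names, category budgets and thresholds are assumed values, not figures from the article.

```python
"""Flag bundled apps whose daily data volume or premium-subscription attempts
are far beyond what their category needs. All records and budgets below are
constructed for illustration; they are not Upstream or Secure-D data."""
from statistics import median

# Constructed per-app daily records: (package, category, day, bytes, subscription_attempts)
SAMPLE = [
    ("com.example.weather", "weather", 1, 240_000_000, 37),
    ("com.example.weather", "weather", 2, 255_000_000, 41),
    ("com.example.weather", "weather", 3, 248_000_000, 39),
    ("com.example.notes", "notes", 1, 1_200_000, 0),
    ("com.example.notes", "notes", 2, 900_000, 0),
    ("com.example.notes", "notes", 3, 1_100_000, 0),
    ("com.example.radio", "streaming", 1, 60_000_000, 0),
    ("com.example.radio", "streaming", 2, 58_000_000, 1),
    ("com.example.radio", "streaming", 3, 61_000_000, 0),
]

# Assumed daily budgets per category in MB (illustrative, not from the article)
CATEGORY_BUDGET_MB = {"weather": 5, "notes": 2, "streaming": 100}
DATA_RATIO = 5   # flag when median daily volume exceeds 5x the category budget
SUB_LIMIT = 3    # flag when any single day shows more subscription attempts than this

def group_by_app(records):
    """Return {package: (category, [(bytes, attempts), ...])}."""
    grouped = {}
    for pkg, cat, _day, nbytes, attempts in records:
        grouped.setdefault(pkg, (cat, []))[1].append((nbytes, attempts))
    return grouped

def flag_apps(records, data_ratio=DATA_RATIO, sub_limit=SUB_LIMIT):
    """Return {package: [reasons]} for every app showing either warning sign."""
    flagged = {}
    for pkg, (cat, days) in group_by_app(records).items():
        reasons = []
        med_mb = median(b for b, _ in days) / 1e6
        budget = CATEGORY_BUDGET_MB.get(cat, 10)  # unknown category: assume 10 MB/day
        if med_mb > data_ratio * budget:
            reasons.append(f"median {med_mb:.0f} MB/day against a {budget} MB budget for '{cat}'")
        worst = max(a for _, a in days)
        if worst > sub_limit:
            reasons.append(f"{worst} premium subscription attempts in one day")
        if reasons:
            flagged[pkg] = reasons
    return flagged

if __name__ == "__main__":
    for pkg, why in flag_apps(SAMPLE).items():
        print(pkg, "->", "; ".join(why))
```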
What tricks do malicious apps use to avoid detection on the Google Play Store and Apple App Store?
There is no validation process in the Google Play Store. So anyone can go create an account and upload an app. Google will only intervene if they receive complaints about a specific app. Therefore fraudsters can freely distribute their malicious apps until they get caught, at which point they will simply register under a new developer account and re-upload the app under a different name.
It is very hard for consumers to identify malicious apps. Most of them do offer the functionalities they advertise (like providing weather forecasts). In most cases, they also have an apparently healthy user rating, which is the result of hundreds of fake one- or two-word 5-star ratings.
The Apple App Store is very different as every submitted app goes through a rigorous validation process. There are very few known cases of malicious apps in the Apple App Store.
What advice would you give to companies trying to combat mobile ad fraud?
This would depend on who they are.
Mobile network operators must join forces with leading security partners to protect their subscribers from the consequences of malware infection, which causes threats to airtime, mobile data depletion, and the collection and transfer of personal information.
In addition, Google must reinforce procedures which detect malware and ensure that any malicious apps are removed from the Play Store immediately. Device manufacturers also need to be more careful about the software they allow to be pre-installed on devices by third-party producers.
And finally, consumers themselves must be vigilant about any suspicious or odd activity on their phone, such as sudden battery depletion or their device overheating. Additionally, they should always opt to download apps from the Google Play Store and also install anti-virus software on their device for advanced protection.