ITEM: A weather forecast app has been found to be secretly making digital purchases of premium services on behalf of the phone’s owner without their consent or their knowledge. What’s more, this is actually the second time this particular app has been caught doing this.
In January 2019, ‘Weather Forecast: World Weather Accurate Radar’ – an Android app from China-based TCL Communications – was flagged by mobile tech firm Upstream, whose ‘Secure-D’ mobile security platform discovered the app was “triggering false premium transactions and secretly harvesting consumer data.”
After the Upstream notice went out, the app was withdrawn from the Google Play Store, and the apps that had already been downloaded (or pre-installed, in the case of Alcatel Pixi4 smartphones) ceased their background activity.
However, the Weather Forecast app resurfaced a couple of months later, and according to an Upstream press release this week, the company’s platform has detected and blocked 34 million suspicious transaction attempts from the app. For Alcatel Pixi4 owners, the app secretly attempted to subscribe nearly 700,000 of them to premium digital services in a six-month period.
Upstream CEO Guy Krief said in a press statement that “repeat malware offenders” are not unusual, and that it’s a much bigger problem than consumers realize:
“Unchecked, these apps can create billions of dollars of fraudulent advertising revenue while seriously impacting consumers’ pockets and mobile service experience by eating up their data, incurring unwanted charges and affecting the performance of their phones.”
Upstream warned Pixi4 owners to check their phones for unusual behaviour regularly, and check their bills for unwanted or unexpected charges, as well as signs of suspiciously increased data usage.
A plethora of permissions
What’s really remarkable is the fact that this is even still a problem, 11 whole years after the first app stores were launched by Apple and Google (in that order).
We’ve known for years that many apps – even useful ones – collect far more user data than is necessary to use the app. We’ve all seen the notices where you launch an app and it asks for permission to access your camera, contacts, microphone, etc. Those permissions make sense if the app is something like Instagram, Slack or Zoom – they make no sense if the app is a flashlight.
Similarly, a weather app doesn’t need access to much more than your phone’s location data to give you a personalized forecast. It certainly doesn’t need enough permissions to enable it to automatically make purchases for you.
Yet this sort of thing still persists, and it seems to be getting worse.
Earlier this year, Buzzfeed outed six apps from a single China-based company, DO Global (a Baidu spinoff), that were secretly collecting and storing information and engaging in fraudulent ad-clicking (even if the app was closed). The apps – including selfie cameras, phone cleaners and, yes, a flashlight – also disguised the fact that DO Global was the developer. Buzzfeed also found other apps that asked for access permissions they arguably didn’t need – one called the Emoji flashlight from China-based APUS Apps required over 30 permissions. A Samsung TV remote control app from Peel Technologies asked for 58 permissions, including one to access the phone’s microphone to record audio.
Google booted the apps listed in the Buzzfeed story after it was posted, and subsequently updated its permissions evaluation process. But by then, many of these apps had already been downloaded by the tens of millions. Also, the Weather Forecast app managed to find its way back onto the Play Store – surely it’s not the only dodgy app to stage a comeback. Either way, mobile ad fraud remains a huge problem, and apps like these are a major reason why.
As long as shady app developers can work around Google Play’s safeguards, it’s mainly up to users to pay attention to the apps they download.
Lifehacker has a helpful list of things to watch out for besides how many permissions the app requests – read the reviews carefully (many may be bot generated), check its security policy, keep your anti-virus software up to date, etc.
Also, Trend Micro has a good guide on the most abused Android app permissions – how malware exploits them, and which apps have a legitimate reason to use them.
And Upstream has a global list of the suspicious mobile apps that its platform has blocked.