Malware found on some Alcatel smartphones preinstalled

Malware Found

An official Alcatel app from the Google Play Store was found to be infected with malware.

The malware was found in a pre-installed weather app on Alcatel smartphones. ZDNet reports, “A pre-installed weather app on Alcatel smartphones contained malware that surreptitiously subscribed device owners with premium phone numbers behind their backs.”

The infected app is “Weather Forecast-World Weather Accurate Radar”, developed by the Chinese company TCL Corporation, which owns the Alcatel, BlackBerry and Palm brands. TCL ships Alcatel smartphones with “Weather Forecast-World Weather Accurate Radar” preinstalled as the default weather app. It is also available in the Google Play Store for all Android users; reports indicate that it has been downloaded and installed more than 10 million times.

Last year the app became infected. The ZDNet report details, “But at one point last year both the Alcatel app and the Play Store app were compromised with malware. How the malware was added to the app is unclear. TCL did not respond to telephone calls requesting comment from ZDNet this week.” Researchers at the UK-based mobile security firm Upstream detected the infection during July-August 2018, when they found suspicious traffic originating from their customers’ Alcatel smartphones.

A recent report by Upstream reads, “Over July and August 2018, through Secure-D, we observed a higher than usual number of transaction attempts in Brazil and Malaysia coming from a series of Alcatel Android smartphones (Pixi 4 and A3 Max models). Those suspicious requests were initiated by the same application named com.tct.weather in both Brazil & Malaysia.”

It further explains, “This com.tct.weather Android application is pre-installed on many Alcatel devices and is also available for download on Google Play. It offers ‘precise forecasts and timely local weather warnings.’ It was downloaded from Google Play by over 10,000,000 users. Similar transaction attempts coming from Alcatel devices and the application com.tct.weather were also blocked in Nigeria, South Africa, Egypt, Kuwait and Tunisia.”

The Upstream researchers initially detected the app harvesting users’ data and sending it to a server located in China; the data sent included geographic locations, email addresses and IMEIs. As mentioned earlier, the researchers also found that the infected app attempted to subscribe users to premium phone numbers, which would incur large charges on users’ phone bills. In July and August 2018, up to 2.5 million transaction attempts initiated by this infected app on Alcatel smartphones were blocked in Brazil; these attempts to purchase a digital service came from 128,845 unique mobile numbers.

During the same period, 428,291 transaction attempts to purchase another premium digital service were also blocked in Brazil. In Kuwait, Nigeria, South Africa, Egypt and Tunisia, transaction attempts initiated by the Alcatel weather app were also blocked. Over 27 million transaction attempts in seven markets were reportedly detected and blocked by Upstream; had they not been blocked, they would have caused losses of around $1.5 million to phone owners.
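The detection Upstream describes is a volume anomaly: one package generating far more premium-subscription attempts than its peers, from many distinct subscriber numbers, in several countries. The following is an added example of that kind of carrier-side check, written for this page; it is not Upstream's Secure-D code. The log format (timestamp, country, subscriber number, package name, service id), the subscriber numbers, the service ids and the `com.example.*` package names are all constructed placeholders; only `com.tct.weather` comes from the report above.

```python
"""Flag app packages whose premium-subscription attempts stand out from the
baseline. Added example for this article; log format and values are constructed."""
from collections import defaultdict
from dataclasses import dataclass, field
from statistics import median
from typing import Dict, Optional

# Constructed sample: one line per subscription attempt seen at a carrier
# gateway. Fields: timestamp country msisdn package service_id.
# Subscriber numbers and service ids are placeholders, not real values.
SAMPLE_LOG = """\
2018-07-03T10:01:12Z BR 5511900000001 com.tct.weather svc-A
2018-07-03T10:01:15Z BR 5511900000001 com.tct.weather svc-A
2018-07-03T10:02:40Z BR 5511900000002 com.tct.weather svc-A
2018-07-03T10:04:09Z BR 5511900000003 com.tct.weather svc-B
2018-07-03T10:05:51Z BR 5511900000004 com.tct.weather svc-A
2018-07-03T10:07:30Z BR 5511900000005 com.tct.weather svc-A
2018-07-03T11:15:02Z MY 60120000001 com.tct.weather svc-A
2018-07-03T11:16:44Z MY 60120000002 com.tct.weather svc-A
2018-07-03T11:18:10Z MY 60120000002 com.tct.weather svc-A
2018-07-03T11:20:37Z MY 60120000003 com.tct.weather svc-B
2018-07-03T09:30:00Z BR 5511900000010 com.example.music svc-C
2018-07-03T12:45:00Z BR 5511900000011 com.example.games svc-D
2018-07-03T13:10:00Z MY 60120000010 com.example.news svc-E
2018-07-03T13:12:00Z MY 60120000010 com.example.news svc-E
malformed line that should be skipped
"""


@dataclass
class PackageStats:
    attempts: int = 0
    numbers: set = field(default_factory=set)    # distinct subscribers
    countries: set = field(default_factory=set)  # markets the attempts came from
    services: set = field(default_factory=set)   # premium services targeted


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5 or not parts[2].isdigit():
        return None
    ts, country, msisdn, package, service = parts
    return {"ts": ts, "country": country, "msisdn": msisdn,
            "package": package, "service": service}


def aggregate(log_text: str) -> Dict[str, PackageStats]:
    """Roll attempts up per package, skipping malformed lines."""
    stats: Dict[str, PackageStats] = defaultdict(PackageStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["package"]]
        s.attempts += 1
        s.numbers.add(rec["msisdn"])
        s.countries.add(rec["country"])
        s.services.add(rec["service"])
    return dict(stats)


def flag_suspicious(stats: Dict[str, PackageStats],
                    multiplier: float = 3.0, min_unique: int = 3) -> dict:
    """Return packages whose attempt count exceeds multiplier x the median
    package and that involve at least min_unique distinct subscribers, so a
    single user retrying a legitimate purchase is not flagged."""
    if not stats:
        return {}
    baseline = median(s.attempts for s in stats.values())
    threshold = baseline * multiplier
    flagged = {}
    for pkg, s in stats.items():
        if s.attempts > threshold and len(s.numbers) >= min_unique:
            flagged[pkg] = {"attempts": s.attempts,
                            "unique_numbers": len(s.numbers),
                            "countries": sorted(s.countries),
                            "services": sorted(s.services),
                            "threshold": threshold}
    return flagged


if __name__ == "__main__":
    for pkg, info in flag_suspicious(aggregate(SAMPLE_LOG)).items():
        print(pkg, info)
```

The median-based baseline makes the check relative to the other packages in the same window rather than to a fixed number, which matters when an operator sees very different volumes per market; the `min_unique` guard keeps one subscriber's repeated attempts from tripping it on its own.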

Upstream also detected adware-like behavior on an infected phone the company purchased from its former owner. The infected weather app runs in the background and opens hidden browser windows that load web pages and click on ads. This consumes 50 MB to 250 MB of data per day, exhausting the victims’ mobile data plans and causing them financial losses. Upstream found that two Alcatel smartphone models, the Pixi 4 and the A3 Max, were mainly affected. Upstream does not have a worldwide view of the infected devices, however, and its researchers therefore believe that many other models could also be infected, especially those of users who downloaded the weather app from the Google Play Store.

Reports indicate that the source of the infection may be a TCL developer. The ZDNet report says, “The point of the compromise does not appear to be with some shady telephone supplier or rogue telecom provider in any of the countries concerned, mainly because both the pre-installed and Play Store apps have been affected in the same way… The source of the infection seems to be a TCL developer whose system had been compromised, although this is only a theory.”

Upstream researchers joined Wall Street Journal reporters to notify TCL and Google of the problem; the infected app was removed from the Play Store after this. The ZDNet report notes, “But this weather app is not the only suspicious app that collects and sends data back to China with intrusive permissions. There are already plenty of them.”

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.