China-Made Smartphone Weather App Stole Data From 10 Million Global Users
TCL, a Chinese producer of consumer electronics, has been collecting data without permission from mobile phones that have downloaded its free weather forecast smartphone app. This app has been downloaded more than 10 million times by users around the world since it was released in December 2016.
TCL is a listed company on the Hong Kong and Shenzhen stock exchanges. It is a multinational electronics conglomerate, whose products include television sets, air conditioners, washing machines, refrigerators, and mobile phones.
TCL Communication Technology Holdings, a subsidiary that manufactures smart devices and develops mobile apps, is one of TCL’s core businesses. TCL Communication also owns French phone manufacturer Alcatel and Canadian phone brand Blackberry. In 2016, TCL sold 68.77 million cell phones in 160 countries and regions.
The Wall Street Journal first reported Jan. 2 that Upstream Systems, a London-based security firm, discovered that TCL’s weather app collects user data.
The app in question is “Weather Forecast—World Weather Accurate Radar,” which is designed for Google’s Android system and is a free download in the Google Play store. It provides weather predictions 21 days into the future, with estimates of specific weather aspects such as humidity, wind speed, and visibility.
According to App Annie, a smartphone app analytics and marketing data supplier, TCL’s app is among the top five weather apps in about 30 countries, including the United Kingdom and Canada. In the United States, it’s among the top 20.
Upstream Systems found that TCL’s app collects users’ geographic locations, email addresses, and International Mobile Equipment Identity (IMEI), a unique ID assigned to each authenticated cell phone, and keeps the data on TCL servers in China.
The security firm also discovered that the weather app surreptitiously subscribed users of TCL’s low-cost Alcatel smartphones in Brazil, Malaysia, Nigeria, and other developing countries to its paid virtual-reality services. About 100,000 Alcatel phones were automatically subscribed, which would have billed the users more than $1.5 million had the firm not discovered it.
After the Wall Street Journal made inquiries to TCL, the company updated the weather app in November 2018. The app stopped automatically subscribing users, according to Upstream. But the data collection continues.
China-Made Apps May Be Unsafe
This isn’t the first time that TCL products have brought risks to their users.
In November 2017, Alcatel updated a photo-editing app named “Gallery” (later named “Candy Gallery”), available for download on the Google Play store. Unlike the previous version, which only asked for access to files on the smartphone, the updated version asked for permission to access device ID information, SMS text messaging, Wi-Fi connection, and other information not related to photo editing.