China-based app asked for more data than the usual location request, including email addresses

An office worker in Cajamar, Brazil. A popular weather app for Android asks users for much more than their location and tried to subscribe some Alcatel smartphone users in Brazil to paid virtual-reality services.

NEW DELHI—A popular weather app built by a Chinese tech conglomerate has been collecting an unusual amount of data from smartphones around the world and attempting to subscribe some users to paid services without permission, according to a London-based security firm’s research.

The free app, one of the world’s most-downloaded weather apps in Google’s Play store, is from TCL Communication Technology Holdings Ltd., of Shenzhen, China. TCL makes Alcatel- and BlackBerry -branded phones, while a sister company makes televisions.

The app, called “Weather Forecast—World Weather Accurate Radar,” collects data including smartphone users’ geographic locations, email addresses and unique 15-digit International Mobile Equipment Identity (IMEI) numbers on TCL servers in China, according to Upstream Systems, the mobile commerce and security firm that found the activity. Until last month, the app was known as “Weather—Simple weather forecast.”

A TCL spokesman didn’t address queries about the amount of data the app collects.

The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.

After The Wall Street Journal made inquiries about the app’s activities in November, TCL updated the app in Google’s Play store. The app then stopped trying to subscribe users to services, according to Upstream, though the data collection continues.

The TCL spokesman said the company has various security safeguards in place but is now “evaluating new security consultants who can provide additional validation of the safety of our mobile applications we develop.” He didn’t comment on the attempted subscriptions.

Many popular smartphone apps collect a variety of data, and weather apps typically need a user’s location to provide weather information. But TCL’s app asks for data beyond the norm, such as the IMEI number and email addresses, according to Michael Covington, an executive at Wandera, a San Francisco mobile security firm that reviewed the app’s functionality at The Wall Street Journal’s request.

“I wouldn’t install that app,” said Mr. Covington, Wandera’s vice president of product strategy. “It’s really questionable when an app that has such a benign functionality is taking information that is uniquely identifiable.”

“All the activity happens in the background,” said Dimitris Maniatis, a security executive at Upstream. “There is no opportunity for the user to see a warning.”

Widening smartphone use and the ability of mobile advertising to target users around the world create “the ideal setup” for malicious activity, said Upstream Chief Executive Guy Krief. Hundreds of millions of people, especially in emerging markets, are accessing the internet for the first time on low-cost devices.

Since TCL released the app in December 2016, it has been downloaded more than 10 million times. It has ranked among the top five weather apps in some 30 countries, according to mobile-app analytics firm App Annie.

In 2018, it was the sixth most popular weather app in the U.K. and in Canada, and in 2017 it was among the 20 most popular in the U.S., according to App Annie. It is especially popular in countries such as Brazil, Mexico and the Philippines.

The weather app is designed for smartphones running Google’s Android operating system. There is no version for Apple’s iOS.

A Google spokesman said the company doesn’t comment on individual apps.

Google’s app store suspended two apps from Chinese companies in December following allegations they could have been used in an ad fraud scheme.

The TCL app’s attempted subscriptions came from a pre-installed version of the app on Alcatel smartphones that cannot be deleted from the devices without taking certain steps. Those wanting to use the app are asked to accept an end-user license agreement.

In its separate review, Wandera found that users of the app are led to believe pressing a button within the app deletes any collected data and pressing another stops future collection—but the app doesn’t take any such actions. A TCL spokesman declined to comment.

The Wall Street Journal in July reported that an app from a Taiwan-based mobile-advertising firm included on smartphones sold in Myanmar, Cambodia and Brazil collected extensive user data. The advertising firm, called General Mobile Corp., or GMobi., was later acquired by the Los Angeles-based digital-ad company Airpush Inc.

Justin Montgomery, Airpush’s marketing head, declined to say what specific data, if any, GMobi or Airpush now collect. “If a user purchases a lower-cost device, they do so with the expectation that certain things will be monetized to help subsidize the cost,” Mr. Montgomery said.

Users in emerging markets are particularly vulnerable to data collection, analysts say, since they are often first-time smartphone owners and most developing nations lack robust privacy rules.

In many emerging markets, consumers are also less privacy-conscious than in the U.S., “so they are easy victims or targets,” said Augustine Fou, an independent cybersecurity and ad-fraud researcher based in New York.

Write to Newley Purnell at newley.purnell @wsj.com

Advertisements