Generic Characteristics

com.tct.weather is advanced malware designed to siphon large amounts of data and to attempt fraudulent transactions. The malware has been found pre-installed on Alcatel Android devices manufactured by TCL Corporation, a Chinese technology firm known for making Alcatel and BlackBerry devices. The application is also available for download** on the Google Play Store, where it has more than 10 million installs and a seemingly healthy 4.4 user rating. It is a weather forecast application that promises “accurate forecasts and timely local weather alerts”.

The com.tct.weather application collects geographic location, email addresses and IMEIs and transmits them to a server in China, and it holds a number of privacy-invasive permissions on the device.

Had it not been blocked, it would have succeeded in subscribing users of Alcatel Android smartphones (Pixi 4 and A3 Max models) in countries such as Brazil, Malaysia and Nigeria to paid services, for which those users would have been billed more than $1.5 million. This activity ran in the background and remained undetected by users, making this potent and far-reaching malware.

Threat Behavior

We purchased multiple devices from their owners in order to investigate them in our lab. As soon as a device was placed in the sandbox, the com.tct.weather Android application immediately initiated calls to servers unrelated to the application’s main function. The application collects users’ personal information and transfers it to servers in China. Based on our observations, the app collects the user’s device ID, email address and location, having obtained consent through the permissions prompt shown below:

(Screenshot: app permissions page)

The application also started accessing web pages carrying digital ads in the background (i.e. not visible to the user). A specific URL on the domain traffic.tc-clicks.com was requested continuously by the app; that URL redirected to web pages with digital ads, and the application then clicked the buttons on those pages, committing click fraud.

In the examples below, ad fraud is committed by loading a page with ads, and the fraudulent clicks also triggered the purchase of a paid subscription (the JokerVR service), with the resulting charges taken from the user’s airtime.


Intermediate page loaded for ad-fraud purposes (screenshots: intermediate page example 1, intermediate page example 2)


Subscription service page (screenshots: subscription page example 1, subscription page example 2)


In this second example, the application went through multiple URLs and was eventually redirected to the purchase page of a premium digital service available to subscribers of TIM Brazil (one of the largest mobile operators in Brazil). The SIM card in the device under investigation was a TIM Brazil SIM.

The application then clicked the “Assinar” (subscribe) button, attempting to subscribe the user to the premium service. The same process was applied to the following page, where the user is supposed to confirm the purchase: the application clicked the “Confirmar Assinatura” (confirm subscription) button.

Following these attempts, the application contacted another server via a URL that again led to web pages with digital ads, on which the application performed fraudulent clicks. All of this activity, neither triggered by nor visible to the user, consumes significant amounts of data: we recorded 50MB to 250MB of data per day being consumed by the application’s fraudulent activity.
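The sequence described above (a background request to the redirector, a chain of ad pages, then “Assinar” and “Confirmar Assinatura” submissions) can be picked out of a device’s HTTP log automatically. The following Python script is an added example, not Upstream’s tooling and not code from the app: it assumes a hypothetical log format with a screen-state column, a constructed allowlist of weather hosts, and constructed host names (only traffic.tc-clicks.com comes from the write-up). It groups background requests that start at the redirector into chains, marks chains that end in a subscription submission, and totals background bytes per day.

```python
"""Flag background click-fraud and subscription-fraud traffic in a device HTTP log.

Added example, not Upstream's tooling. The log format, the allowlist and every
host other than traffic.tc-clicks.com are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

EXPECTED_HOSTS = {"api.weather.example"}       # assumption: what a forecast app needs
KNOWN_REDIRECTORS = {"traffic.tc-clicks.com"}  # redirector domain named in the write-up
SUBSCRIBE_ACTIONS = {"assinar", "confirmar assinatura"}  # button labels seen on the pages
CHAIN_GAP_SECONDS = 30  # a pause longer than this ends a redirect chain

# Constructed log: "<ISO timestamp> screen=<on|off> <method> <url> <status> <bytes> [action=<form field>]"
SAMPLE_LOG = """\
2018-12-01T09:00:01 screen=on  GET  https://api.weather.example/forecast?city=sao-paulo 200 4200
2018-12-01T09:00:02 screen=off GET  http://traffic.tc-clicks.com/r?cid=c0ffee 302 0
2018-12-01T09:00:03 screen=off GET  http://ads.example/landing?cid=c0ffee 200 310000
2018-12-01T09:00:04 screen=off GET  http://ads.example/click?cid=c0ffee 302 0
2018-12-01T09:00:05 screen=off GET  http://wap.operator.example/premium/jokervr 200 180000
2018-12-01T09:00:07 screen=off POST http://wap.operator.example/premium/jokervr/assinar 200 900 action=Assinar
2018-12-01T09:00:09 screen=off POST http://wap.operator.example/premium/jokervr/confirmar 200 900 action=Confirmar+Assinatura
2018-12-02T10:15:00 screen=off GET  http://traffic.tc-clicks.com/r?cid=deadbeef 302 0
2018-12-02T10:15:01 screen=off GET  http://ads.example/landing?cid=deadbeef 200 250000
"""


def parse_log(text):
    """Turn the constructed log lines into event dicts; the action field is optional."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue
        ts, screen, method, url, _status, nbytes = parts[:6]
        action = None
        if len(parts) > 6 and parts[6].startswith("action="):
            action = parts[6][len("action="):].replace("+", " ").lower()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "background": screen == "screen=off",  # user is not looking at the device
            "method": method,
            "host": urlsplit(url).hostname,
            "bytes": int(nbytes),
            "action": action,
        })
    return events


def find_fraud_chains(events):
    """Group background requests that begin at a known redirector into chains.

    A chain ends when the screen comes on or the gap between requests exceeds
    CHAIN_GAP_SECONDS. A chain containing a POST of a subscribe/confirm form is
    marked as a subscription attempt.
    """
    chains, current = [], None
    for ev in events:
        if current is not None:
            gap = (ev["ts"] - current["last_ts"]).total_seconds()
            if not ev["background"] or gap > CHAIN_GAP_SECONDS:
                chains.append(current)
                current = None
        if ev["background"] and ev["host"] in KNOWN_REDIRECTORS:
            if current is not None:  # back-to-back chains: close the previous one
                chains.append(current)
            current = {"start": ev["ts"], "last_ts": ev["ts"],
                       "hosts": [], "subscription_attempt": False}
        if current is not None:
            current["hosts"].append(ev["host"])
            current["last_ts"] = ev["ts"]
            if ev["method"] == "POST" and ev["action"] in SUBSCRIBE_ACTIONS:
                current["subscription_attempt"] = True
    if current is not None:
        chains.append(current)
    return chains


def background_bytes_per_day(events):
    """Data consumed while the screen was off, keyed by ISO date."""
    totals = defaultdict(int)
    for ev in events:
        if ev["background"]:
            totals[ev["ts"].date().isoformat()] += ev["bytes"]
    return dict(totals)


def unexpected_background_hosts(events):
    """Hosts contacted in the background that are not on the allowlist."""
    return sorted({ev["host"] for ev in events
                   if ev["background"] and ev["host"] not in EXPECTED_HOSTS})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unexpected background hosts:", unexpected_background_hosts(evs))
    for chain in find_fraud_chains(evs):
        print(chain["start"], "->".join(chain["hosts"]),
              "SUBSCRIPTION ATTEMPT" if chain["subscription_attempt"] else "ad clicks only")
    print("background bytes per day:", background_bytes_per_day(evs))
```

On the constructed log the first chain is classified as a subscription attempt because it ends in the two form submissions, the second as ad clicks only; the per-day byte totals are what an operator would compare against the user’s data plan. A real capture would come from a proxy on the sandbox network, and the screen-state column would have to be joined in from device logs.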

Android permission abuse

While investigating the application, we extracted the pre-installed APK file and analyzed the permissions it requests. We found them to be misused: a seemingly simple weather forecasting application is granted excessive permissions that allow it to gather and transmit the user’s personal information.

The pre-installed version and the version downloadable from the Google Play Store require different Android permissions (the capabilities or information an application can access).

Google Play downloadable version: it requires special and high-risk permissions such as the following:

‘READ_LOGS’: an intrusive permission which, according to Google’s Android developer guide, allows an application to “read the low-level system log files” and is “not for use by third-party applications, because Log entries can contain the user’s private information”.

SYSTEM_ALERT_WINDOW and WRITE_SETTINGS: according to Google’s Android developer guide, these are permissions that very few applications should use, as they are intended for system-level interaction with the user. SYSTEM_ALERT_WINDOW lets an application draw windows on top of all other apps, and WRITE_SETTINGS lets it modify the phone’s system settings. If an app needs one of these permissions, it must declare the permission in the manifest (the file that describes the application’s essential information to the Android system) and request the user’s authorization, which on Android 6.0 and later is granted through a dedicated system settings screen rather than a normal runtime prompt. The com.tct.weather application does not ask users for any such authorization.

Pre-installed version: in addition to the permissions required by the downloadable version, the pre-installed application also requires:

BILLING (com.android.vending.BILLING), the Google Play in-app billing permission, even though the application does not include any Google Play billing functionality.
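A quick way to make the comparison above repeatable is to diff the declared permissions of the two builds against what a weather app actually needs. The following Python script is an added example, not Upstream’s code: the two manifests are constructed and contain only the permissions discussed here, and the baseline allowlist and the risk annotations are this editor’s assumptions, not Google’s classification. On a real APK, get the manifest as text first (for instance with `aapt dump permissions app.apk` or `apktool d app.apk`); the AndroidManifest.xml inside an APK is binary and not directly parseable as XML.

```python
"""Audit the permissions declared by two builds of the same app.

Added example, not Upstream's code. The manifests below are constructed and
hold only the permissions named in the write-up; the baseline and the risk
notes are assumptions made for this illustration.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# What a forecast app plausibly needs (assumption).
WEATHER_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Permissions worth a second look, with the data or capability each exposes.
HIGH_RISK = {
    "android.permission.READ_LOGS": "low-level system logs; not for third-party apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw windows over every other app",
    "android.permission.WRITE_SETTINGS": "modify system settings",
    "android.permission.READ_PHONE_STATE": "device identifiers such as the IMEI",
    "android.permission.GET_ACCOUNTS": "account names, i.e. the user's email addresses",
    "com.android.vending.BILLING": "Google Play in-app billing",
}

# Constructed manifest for the Play Store build (permissions only).
PLAY_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.tct.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>
"""

# Constructed manifest for the pre-installed build: the Play build plus BILLING.
PREINSTALLED_MANIFEST = PLAY_MANIFEST.replace(
    "</manifest>",
    '  <uses-permission android:name="com.android.vending.BILLING"/>\n</manifest>',
)


def declared_permissions(manifest_xml):
    """Set of permission names from every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}


def audit(manifest_xml):
    """Permissions beyond the weather baseline, and the high-risk ones with reasons."""
    perms = declared_permissions(manifest_xml)
    return {
        "beyond_baseline": sorted(perms - WEATHER_BASELINE),
        "high_risk": {p: HIGH_RISK[p] for p in sorted(perms & set(HIGH_RISK))},
    }


def extra_in_preinstalled(preinstalled_xml, play_xml):
    """Permissions the pre-installed build declares that the Play build does not."""
    return sorted(declared_permissions(preinstalled_xml) - declared_permissions(play_xml))


if __name__ == "__main__":
    for label, xml in (("Play Store build", PLAY_MANIFEST),
                       ("pre-installed build", PREINSTALLED_MANIFEST)):
        report = audit(xml)
        print(f"{label}: {len(report['beyond_baseline'])} permissions beyond the weather baseline")
        for perm, reason in report["high_risk"].items():
            print(f"  HIGH RISK {perm}: {reason}")
    print("only in pre-installed build:", extra_in_preinstalled(PREINSTALLED_MANIFEST, PLAY_MANIFEST))
```

Declared permissions are an upper bound, not proof of use: the next step on a real sample is to confirm that the code actually calls the APIs each permission gates (for READ_PHONE_STATE, for example, the telephony identifier getters) and where the results are sent.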

Consequences on the Users

It is worth mentioning that the vast majority of users we contacted confirmed that their phone was “acting up”. Most complained about unwanted charges and about their device or battery overheating (from CPU overuse).

Users across multiple countries appear to be affected, whether by the pre-installed com.tct.weather application or by downloading** TCL’s Weather-Simple weather forecast app from Google’s official Play Store, resulting in:

— Systematic collection & transfer of their personal information to servers in China.

— Depletion of their data allowance: a major issue in emerging markets, where the cost of data is very high.

— Fraudulent transactions and charges to their prepaid airtime, which is often the only way users in emerging markets can pay for digital services.

Cure

Whether the app is pre-installed on an Alcatel device or downloaded from Google’s official Play Store, you should take the following actions to keep your Android device protected.

  1. Check whether com.tct.weather is pre-installed on your device and uninstall it, along with any other apps that are not from trusted sources.
  2. When downloading apps from the Google Play Store, check the authenticity of the company that published the app. Read the reviews and assess how genuine they are. Before installing a new app, check its permissions under “permission details” and confirm they are relevant and clearly necessary for the app to perform its stated purpose.
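Step 1 can be checked over adb rather than by hand. The following Python script is an added example, not Upstream’s code: it parses the output of `adb shell pm list packages -f` (the sample output is constructed), decides from the APK path whether a matching package lives on a firmware partition, and emits the corresponding removal command. A pre-installed app cannot be deleted from the read-only system partition without root, but `pm uninstall --user 0` removes it for the primary user, which stops it from running; `pm disable-user --user 0` is the reversible alternative.

```python
"""Find com.tct.weather on a device and produce the adb command to remove it.

Added example, not Upstream's code. SAMPLE_PM_OUTPUT is constructed; its
lines follow the real `pm list packages -f` format (package:<apk path>=<name>).
"""
import re
import subprocess
import sys

TARGET_PACKAGES = {"com.tct.weather"}

# APKs under these partitions ship with the firmware and are read-only without root.
SYSTEM_PARTITIONS = ("/system/", "/system_ext/", "/vendor/", "/product/", "/oem/", "/odm/")

# Constructed output of `adb shell pm list packages -f`.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Weather/Weather.apk=com.tct.weather
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

PM_LINE = re.compile(r"^package:(?P<path>.+?)=(?P<pkg>[\w.]+)$")


def parse_pm_list(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    installed = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            installed[m.group("pkg")] = m.group("path")
    return installed


def is_preinstalled(apk_path):
    """True when the APK lives on a firmware partition rather than under /data/app."""
    return apk_path.startswith(SYSTEM_PARTITIONS)


def remediation_commands(installed):
    """adb commands to remove every target package that is present.

    Firmware apps get `pm uninstall --user 0` (removes the app for the primary
    user, which is what stops it from running); user-installed apps get a
    plain `pm uninstall`.
    """
    cmds = []
    for pkg in sorted(TARGET_PACKAGES & set(installed)):
        if is_preinstalled(installed[pkg]):
            cmds.append(f"adb shell pm uninstall --user 0 {pkg}")
        else:
            cmds.append(f"adb shell pm uninstall {pkg}")
    return cmds


def list_packages_from_device():
    """Query a connected device; only used with --live, never by the tests."""
    result = subprocess.run(["adb", "shell", "pm", "list", "packages", "-f"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = list_packages_from_device() if "--live" in sys.argv else SAMPLE_PM_OUTPUT
    installed = parse_pm_list(text)
    for pkg in sorted(TARGET_PACKAGES & set(installed)):
        kind = "pre-installed" if is_preinstalled(installed[pkg]) else "user-installed"
        print(f"found {pkg} ({kind}) at {installed[pkg]}")
    for cmd in remediation_commands(installed) or ["nothing to remove"]:
        print(cmd)
```

Run it without arguments to see the decision on the constructed sample, or with `--live` against a USB-debugging-enabled phone. A firmware update can reinstall a system app removed this way, so re-check after each OTA.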


**UPDATE (5 January 2019): Following the publication of the research findings in The Wall Street Journal, the application was removed from Google Play. The app was subsequently returned to the Google Play Store.

**UPDATE (23 September 2019): After an idle two-month period, Secure-D detected and blocked 34 million fresh suspicious transaction attempts from Weather Forecast. The version of the weather app pre-installed on specific Alcatel phones and available on the Google Play Store attempted to subscribe nearly 700,000 mobile consumers to premium digital services without their knowledge in just six months. It is the second time the app has been exposed for this activity.