Update, Saturday, January 5 at 6:11 p.m. ET: TCL has responded to our request for comment about the security concerns for its Weather Forecast app. In a statement, the company says it will remove the app from the Google Play Store temporarily and that it is working with an unnamed outside security firm to investigate the claims made by Upstream Systems. TCL did state that it had already updated the app to get rid of any third-party SDK access and that the update “did remove the unauthorized actions implemented by a third-party accessing our application SDK.” The company did not offer any specifics on what those “unauthorized actions” were. TCL claims the data from its mobile apps is stored in the U.S. via AWS, and if any data was sent elsewhere, it was unauthorized.
The company claims it has made every effort to keep personal data collected from its apps secure and that the data is only supposed to “serve specific purposes relating to our product.” The apps themselves go through an antivirus service called VirusTotal, according to TCL, in addition to going through Google’s own security system before being published. With regard to the Weather Forecast app, TCL said it did previously collect IMEI data “to enable end user to exercise the right of deletion of their data stored in our server.” However, it added that IMEI info is no longer collected via the app in favor of Android ID for data deletion. The app did collect location data to “offer better user experience,” and it also collects email info but only “if the end user decides to send us his/her email together with other comments voluntarily to get in touch with us.”
Original story, January 4 at 3:02 p.m. ET: According to the BBC, free weather app Weather Forecast — World Weather Accurate Radar has been collecting an inordinate amount of information. The developer behind the app? TCL, the company that manufactures Alcatel and BlackBerry smartphones.
Security and mobile commerce firm Upstream Systems found that the app transmits information to servers in China. Collected information includes email addresses, IMEI numbers, and your location.
Exacerbating matters is the finding that Weather Forecast attempted to subscribe users to pornography and virtual reality services. Affected users include Alcatel smartphone owners in Brazil, Malaysia, and Nigeria.
Brazil, in particular, received over 2.5 million subscription attempts between July and August 2018.
To TCL’s credit, Weather Forecast no longer tries to subscribe users to third-party services. However, Upstream Systems found that the app still collects the aforementioned information.
This isn’t the first time TCL released a sketchy app that collected a weird amount of information. In January 2018, folks noticed that a third-party app on the Play Store replaced the default gallery app on their Alcatel smartphones. Called Candy Gallery, the app asked for a laundry list of permissions when first opened. The app’s cryptographic key matched that of Alcatel’s old gallery app. That could mean Alcatel either sold the app itself or the app listing.