China-Made Smartphone Weather App Stole Data From 10 Million Global Users

China-Made Smartphone Weather App Stole Data From 10 Million Global Users
The TCL Mobile Communication Co. building in Huizhou City, Guangdong Province, China, on July 28, 2009. A TCL-developed weather app has been found to collect user data without permission. (LAURENT FIEVET/AFP/Getty Images)
Nicole Hao
1/6/2019
Updated:
1/6/2019

TCL, a Chinese producer of consumer electronics, has been collecting data without permission from mobile phones that have downloaded its free weather forecast smartphone app. This app has been downloaded more than 10 million times by users around the world since it was released in December 2016.

TCL is a listed company on the Hong Kong and Shenzhen stock exchanges. It is a multinational electronics conglomerate, whose products include television sets, air conditioners, washing machines, refrigerators, and mobile phones.

TCL Communication Technology Holdings, a subsidiary that manufactures smart devices and develops mobile apps, is one of TCL’s core businesses. TCL Communication also owns French phone manufacturer Alcatel and Canadian phone brand Blackberry. In 2016, TCL sold 68.77 million cell phones in 160 countries and regions.

The Wall Street Journal first reported Jan. 2 that Upstream Systems, a London-based security firm, discovered that TCL’s weather app collects user data.

The app in question is “Weather Forecast—World Weather Accurate Radar,” which is designed for Google’s Android system, and is a free download in the Google Play store. It provides weather predictions 21 days into the future, providing estimates on specific weather aspects such as humidity, wind speed, and visibility.

According to App Annie, a smartphone app analytics and marketing data supplier, TCL’s app is among the top five weather apps in about 30 countries, including the United Kingdom and Canada. In the United States, it’s among the top 20.

Upstream Systems found that TCL’s app collects users’ geographic locations, email addresses, and International Mobile Equipment Identity, a unique ID assigned to each authenticated cell phone, and keeps the data on TCL servers in China.

The security firm also discovered that the weather app surreptitiously subscribed users of TCL’s low-cost Alcatel smartphone in Brazil, Malaysia, Nigeria, and other developing countries to its paid virtual-reality services. About 100,000 Alcatel phones were automatically subscribed, which would have billed the users more than $1.5 million had the firm not discovered it.

After the Wall Street Journal made inquiries to TCL, the company updated the weather app in November 2018. The app stopped automatically subscribing users, according to Upstream. But the data collection continues.

China-Made Apps May Be Unsafe

This isn’t the first time that TCL products brought risks to its users.

In November 2017, Alcatel updated a photo-editing app named “Gallery” (later named “Candy Gallery”), available for download on the Google Play store. Different from the previous version that only asked for access to files in the smartphone, the updated version asked for permission to access device ID information, SMS text messaging, Wi-Fi connection, and other information not related to photo-editing.

Security concerns prompted U.S. company Inseego to terminate an agreement to sell its mobile internet solutions company, Novatel Wireless, to TCL in June 2017, after the Committee on Foreign Investment in the United States, an inter-agency government organization that reviews business deals for potential national security risks, flagged the deal.

In December 2018, Google suspended two Chinese smartphone apps after an internal investigation. The two apps—CM File Manager app developed by Cheetah Mobile Inc. and Keyboard app developed by Kika Tech Inc.—allegedly exploited users’ permissions, allowing the developers to conduct an ad fraud scheme, according to a Wall Street Journal report.

The Indian Times reported in Dec. 2017 that the Indian government asked all army personnel to uninstall 42 Chinese smartphone apps if they had previously installed them.

The apps, available on both Android and iOS (iPhone) systems, collected user data and sent them back to China, according to Indian intelligence agencies. The apps also had the potential to carry out cyberattacks against Indians.

The predecessor to TCL was founded in 1981 by a government mechanical bureau of Huiyang district in Huizhou City, located in China’s Guangdong Province. TCL’s headquarters is still in Huizhou City.

The company was named TKK at the time. TKK produced cassette tapes that closely resembled those made by Japanese electronics firm, TDK. In 1985, TKK was sued by TDK and subsequently changed its name to TCL. Its product line then expanded into telephones and TV sets.

Nicole Hao is a Washington-based reporter focused on China-related topics. Before joining the Epoch Media Group in July 2009, she worked as a global product manager for a railway business in Paris, France.
Related Topics