A well-known weather app created by Chinese developers has reportedly been harvesting unusual amounts of private data from users.
According to research from London-based security firm Upstream Systems, initially reported by the Wall Street Journal (WSJ), the weather forecast app ‘World Weather Accurate Radar’ has been collecting data including locations, email addresses, and mobile identity numbers.
Upstream Systems said all of the data that the app collects is transferred to servers based in China.
Weather app downloaded by 10m users
The app, which is also available on Android devices, has been downloaded more than 10 million times from Google’s Play store.
The app is made by TCL Communication Technology Holdings Ltd., a company based in Shenzhen, China. TCL also manufactures Alcatel and BlackBerry-branded smartphones, both of which come with the app pre-installed.
Upstream Systems said it is currently carrying out an investigation after a “high number of fraudulent transaction attempts in Brazil and Malaysia” from Alcatel devices.
The free app also subscribed 100,000 users in countries like Brazil, Malaysia, and Nigeria to paid virtual reality services without their consent.
Users would have been billed over $1.5m (£1.1m) had Upstream not identified the subscriptions, the security firm added.
Upstream Systems researchers placed the devices in a sandbox and “the com.tct.weather Android application immediately initiated calls to servers that are not related to the application’s main function”.
TCL is no longer attempting to subscribe users to other third-party services without their knowledge. However, the company continues to gather data.
TCL told the WSJ that it has begun “evaluating new security consultants who can provide additional validation of the safety of our mobile applications we develop”.
According to App Annie, TCL’s app is among the top five weather apps in 30 countries, including the UK and Canada.