Pre-installed malware on Alcatel smartphones makes online transactions

The application made online transactions executed in the background

A team of network security experts detected a suspiciously high number of online transaction attempts from Alcatel-branded smartphones running the Android operating system, so they decided to dig deeper into the issue. During their investigation, the experts discovered that a pre-installed weather-forecasting application extracts a large amount of user data and is responsible for these transaction attempts, as reported by experts from the International Institute of Cyber Security.

The APK is named com.tct.weather and was signed by TCL Corporation, a Chinese technology company and manufacturer of Alcatel and BlackBerry devices. According to network security experts, this application collects and transmits to a server in China data such as location, email address and IMEI, and also requests a set of overly invasive permissions. The application is also available on Google Play, with more than 10 million downloads and a rating of 4/5.

Had it not been blocked, the malicious activity of this app would likely have affected Alcatel device users in countries such as Brazil, Malaysia and Nigeria, charging them around $1.5M USD in total. Experts report that the transactions were performed in the background, so users were unable to notice any anomalous behavior in the app.

These transactions were detected between July
and August 2018, mainly in Malaysia and Brazil, and were mainly linked to the Alcatel Pixi 4 and A3 Max models.
Similar operations were detected in South Africa, Nigeria, Egypt and Tunisia,
where the APK has also been blocked.

The network security experts responsible for the investigation obtained some of these devices and analyzed them in their lab. On one of these smartphones (an Alcatel A3 Max), over 500 transaction attempts were detected in a single month. Most users complained about unwanted bill charges and reported device overheating (due to excessive CPU usage).

Fraud attempts, airtime consumption and misuse of personal information

These devices were scanned in a sandbox
environment, where all of their network traffic was recorded. During this
process, experts discovered that the application collects device identification
data, in addition to the users’ email addresses and geographic location.

When a device was placed in the sandbox, the app began, in the background, to access various web pages carrying digital ads. The application interacted with those ads without the user's permission and subscribed the user to premium services on various web pages, charging the costs to the user's tariff plan.
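The sandbox triage the article describes (record all outbound traffic, then look for identifier leakage and for background billing activity) can be expressed as a small analysis script. The following is an added example, not code from the researchers or from the article; the capture lines, host names (`weather-api.example`, `collect.example`, `billing.example`), the set of "expected" hosts and the billing-path patterns are all constructed assumptions for illustration.

```python
"""Triage of a sandbox network capture for a pre-installed app (constructed example).

Each capture line records one outbound HTTP request seen while a device ran in
the sandbox: timestamp, device, package, host, path, and the field names posted.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed capture lines for illustration; not the researchers' data.
SAMPLE_CAPTURE = """\
2018-07-02T09:00:01 devA com.tct.weather weather-api.example /forecast city
2018-07-02T09:00:05 devA com.tct.weather collect.example /upload imei,email,lat,lon
2018-07-02T09:01:10 devA com.tct.weather ads.example /click adid
2018-07-02T09:01:12 devA com.tct.weather billing.example /subscribe msisdn,plan
2018-07-02T09:02:40 devA com.tct.weather billing.example /subscribe msisdn,plan
2018-07-02T09:03:15 devA com.tct.weather billing.example /subscribe msisdn,plan
2018-07-02T09:10:00 devB com.tct.weather weather-api.example /forecast city
2018-07-02T09:10:30 devB com.android.chrome news.example /article -
"""

# Posted fields whose transmission to a third-party host is a red flag.
IDENTIFIER_KEYS = {"imei", "email", "lat", "lon"}
# Hosts a weather app legitimately needs (assumption for this example).
EXPECTED_HOSTS = {"weather-api.example"}
# Path prefixes that look like carrier-billing / subscription actions (assumption).
BILLING_PATHS = ("/subscribe", "/confirm", "/purchase")


def parse_capture(text):
    """Parse the constructed capture format into a list of request records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, device, package, host, path, keys = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "device": device,
            "package": package,
            "host": host,
            "path": path,
            "keys": set() if keys == "-" else set(keys.split(",")),
        })
    return records


def identifier_exfil(records, package):
    """Requests by `package` that post device/user identifiers to a host
    outside the expected set (the IMEI / email / location leakage case)."""
    return [r for r in records
            if r["package"] == package
            and r["host"] not in EXPECTED_HOSTS
            and r["keys"] & IDENTIFIER_KEYS]


def billing_attempts_per_device(records, package):
    """Count billing-style requests made by `package`, per device."""
    counts = Counter()
    for r in records:
        if r["package"] == package and r["path"].startswith(BILLING_PATHS):
            counts[r["device"]] += 1
    return counts


def burst_devices(records, package, window=timedelta(minutes=5), threshold=3):
    """Devices where `package` issued at least `threshold` billing-style
    requests inside any `window`: a rate no user drives by hand."""
    per_device = defaultdict(list)
    for r in records:
        if r["package"] == package and r["path"].startswith(BILLING_PATHS):
            per_device[r["device"]].append(r["ts"])
    flagged = set()
    for device, times in per_device.items():
        times.sort()
        for i in range(len(times)):
            j = i  # extend the window as far as it reaches from times[i]
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                flagged.add(device)
                break
    return flagged


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    pkg = "com.tct.weather"
    for r in identifier_exfil(recs, pkg):
        print(f"identifier leak: {r['device']} -> {r['host']}{r['path']} {sorted(r['keys'])}")
    print("billing attempts:", dict(billing_attempts_per_device(recs, pkg)))
    print("burst devices:", burst_devices(recs, pkg))
```

The two checks mirror the article's findings: one request from `devA` posts IMEI, email and coordinates to a non-weather host, and the same device fires three subscription requests within about two minutes, which the burst rule flags. On real captures the host allowlist and path patterns would be tuned per app, and the threshold set against a baseline of normal user-driven traffic.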

More than two million transaction attempts were blocked in Brazil between July and August 2018, originating from 128,845 different devices. In Kuwait, more than 78k transaction attempts from Alcatel devices were blocked in the same period. The version of the app on Google Play remained available on the platform until last Saturday, January 5, when the malicious app was removed by the Google team.
