As data breaches and privacy concerns become a frighteningly common feature of our digital world, it’s increasingly important that we think critically about the kinds of apps with which we share our information. A new report from the Wall Street Journal finds that a popular weather app has been asking users for an “unusual amount of data” and allegedly subscribing some users to paid services without their consent.
The behavior by the Weather Forecast - World Weather Accurate Radar app, available on Android, was first identified by U.K.-based security firm Upstream Systems, the Journal reported on Wednesday. The app from Chinese consumer electronics manufacturer TCL Communication Technology Holdings Ltd. reportedly collects data that includes International Mobile Equipment Identity (IMEI) numbers, location, and email addresses on its servers. The Journal also alleged the app fraudulently signed users up for “virtual-reality services”:
The weather app also has attempted to surreptitiously subscribe more than 100,000 users of its low-cost Alcatel smartphones in countries such as Brazil, Malaysia and Nigeria to paid virtual-reality services, according to Upstream Systems. The security firm, which discovered the activity as part of its work for mobile operators, said users would have been billed more than $1.5 million had it not blocked the attempts.
After The Wall Street Journal made inquiries about the app’s activities in November, TCL updated the app in Google’s Play store. The app then stopped trying to subscribe users to services, according to Upstream, though the data collection continues.
As the Journal notes, it is not unusual for weather apps to ask users for their location information, but it is unusual for an app to ask for information like IMEI numbers. While technically an IMEI number can be used to track someone, ultimately they’re viewed as useless for malicious purposes in the long term; the numbers can be linked to multiple people over a device’s lifetime and consumers are upgrading and replacing devices more rapidly than they used to.
It’s unclear why the company collects such information. In-app buttons ostensibly intended to prevent such data collection do not actually do that, the Journal said. The company wouldn’t comment on its data collection practices to the paper. Google did not immediately return a request for comment.
Another popular weather app, AccuWeather, came under fire last year after security researcher Will Strafach claimed that its iOS app partner Reveal Mobile tracked users even when they said they no longer wished to share their location information. Reveal Mobile and AccuWeather later released a joint statement claiming the data collection resulted from a misconfiguration of the former’s SDK.
Even the most innocuous apps carry significant privacy risks—such as PopSugar’s viral Twinning app, which was later found to be leaking users’ selfies. What’s frustrating about the way that apps like these collect user data is that users are seldom aware of what they’re sharing until news breaks of potential data exposure, breaches, or leaks. And as the Journal noted, this can be particularly insidious in emerging markets, where cheap smartphones that come equipped with pre-loaded apps can put user data at risk.
It’s always good to exercise a healthy amount of caution about what data you’re sharing with apps—even the ones that seem harmless.