TCL’s Very Own Default Weather App Dips in Ad Fraud Again

By Bill Toulas / September 24, 2019

Upstream Systems researchers warn that TCL Corporation’s default weather app is back to making purchases of premium services without asking or even notifying the user about it. The Chinese electronics company that manufactures and sells devices under its own brand-name, Alcatel, Thomson, Palm, and BlackBerry, was caught doing the exact same thing in January. Back then, the weather forecast app named “Weather Forecast – World Weather Accurate Radar” was spending about 250 MB of mobile data each day to load ads and click on them. Moreover, the malware sent user data back to Chinese servers that didn’t seem to be an infrastructure of TCL.

This is what made us believe that the problem was due to a compromise in the development kit and API used by TCL’s developers. That said, we almost ruled out the possibility of TCL infecting their default weather app with malware on purpose, but still, not testing it thoroughly and allowing it to roll out on all Alcatel devices was catastrophic for their reputation. After the story surfaced, the malware was wiped from the app. Upstream, however, claims that their Secure-D mobile security platform is detecting the same suspicious activity again, with 34 million transaction attempts coming from TCL’s Weather Forecast in the last few months.



The researchers report that they have caught a sudden peak in April, with the primary model trying to subscribe to premium digital services being the Alcatel Pixi 4, a very popular low-cost smartphone. As shown in the graph above, the same activity continued throughout the period that followed the spike, extending to the present day, but in lower volumes. This regulated activity is still more than enough to generate billions of dollars of fraudulent advertising revenue, and also to affect the performance of the already-weak Alcatel budget phones.

Could TCL be careless with what tools their developers use as well as with their review of the final package that is uploaded to the Play Store, or is this done directly by the vendor? We reckon that the most probable scenario is still the first one, but this is really damaging the TCL and Alcatel brand-name. Alcatel is now in the ownership of Nokia, but TCL’s license to use the French brand expires at the end of 2024. This means that they have another five years to completely destroy the market reputation of the Alcatel brand, leaving a worthless asset in the hands of a competitor. Let's hope that this will not be the case, and that they will publish an explanatory announcement about what's going on this time.

Do you believe that this is a case of a hacker compromising TCL’s kit, or is this coming directly from the company? Let us know what you think in the comments section down below, or on our socials, on Facebook and Twitter.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari