Pre-installed malware on Alcatel smartphones makes online transactions

The application carried out online transactions in the background

A team of network security experts detected a suspiciously high number of online transaction attempts from Alcatel-branded smartphones running the Android operating system, so they decided to dig deeper into the issue. During their investigation, the experts discovered that a pre-installed weather forecasting application extracts a large amount of user data and is responsible for these transaction attempts, as reported by experts from the International Institute of Cyber Security.

The APK is named com.tct.weather and was signed by TCL Corporation, a Chinese technology company that manufactures Alcatel and BlackBerry devices. According to network security experts, this application collects and transmits to a server in China data such as location, email address and IMEI, and also requests an excessively invasive set of permissions. The application is also found in Google Play, with more than 10 million downloads and a score of 4/5.

If it had not been blocked, the malicious activity of this app would surely have affected users of Alcatel devices in countries such as Brazil, Malaysia and Nigeria, charging them around $1.5M USD in costs. Experts report that the transactions were performed in the background, so users were unable to detect any anomalous behavior in the app.

These transactions were detected between July and August 2018, mainly in Malaysia and Brazil, and were mainly linked to the Alcatel Pixi 4 and A3 Max models. Similar operations were detected in South Africa, Nigeria, Egypt and Tunisia, where the APK has also been blocked.

The network security experts responsible for the investigation managed to obtain some of these devices to analyze them in their lab. On one of these smartphones (an Alcatel A3 Max), over 500 transaction attempts were detected in just one month. Most users complained about unwanted bill charges and reported device overheating (due to excessive CPU usage).

Fraud attempt, airtime consumption and misuse of personal information

These devices were run in a sandbox environment, where all of their network traffic was recorded. During this process, the experts discovered that the application collects device identification data, in addition to the users' email addresses and geographic location.

Once a device was placed in the sandbox, the app began, in the background, to access various web pages carrying digital ads. The application interacted with those ads without the user's permission and subscribed the user to premium services on various web pages, charging the costs to the user's tariff plan.
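A defender-side triage script, added here as an illustration and not part of the original investigation: it replays constructed sandbox traffic records (the log format, device ids and hostnames are made up; only the package name com.tct.weather comes from the article), flags billing or ad-click requests issued while the app was not in the foreground, and counts such attempts per device so that a package exceeding a threshold can be singled out for review.

```python
import re
from collections import Counter

# Constructed sandbox traffic log (not a real capture). Fields:
# timestamp device_id package foreground(yes/no) method host path
SAMPLE_LOG = """\
2018-07-02T10:15:01Z dev-A3MAX-01 com.tct.weather no GET ads.example-net.test /click?cid=77
2018-07-02T10:15:03Z dev-A3MAX-01 com.tct.weather no POST billing.example-carrier.test /subscribe
2018-07-02T10:16:10Z dev-A3MAX-01 com.android.chrome yes GET news.example.test /index
2018-07-02T10:20:41Z dev-A3MAX-01 com.tct.weather no POST billing.example-carrier.test /subscribe
2018-07-03T08:01:00Z dev-PIXI4-02 com.tct.weather no GET api.weather.example.test /forecast
2018-07-03T08:02:00Z dev-PIXI4-02 com.tct.weather no POST wap.example-carrier.test /premium/confirm
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dev>\S+) (?P<pkg>\S+) (?P<fg>yes|no) "
    r"(?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)
# Assumed heuristic: path segments that indicate a subscription, billing
# confirmation or ad click rather than ordinary application traffic.
BILLING_PATH = re.compile(r"/(subscribe|premium|confirm|click)\b")


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_background_billing(records):
    """Billing/ad-click requests sent while the issuing app was not in the foreground."""
    return [r for r in records if r["fg"] == "no" and BILLING_PATH.search(r["path"])]


def attempts_per_device(records):
    """Count background billing attempts keyed by (device, package)."""
    counts = Counter()
    for r in find_background_billing(records):
        counts[(r["dev"], r["pkg"])] += 1
    return counts


def flag_packages(records, threshold):
    """Packages that reach the per-device attempt threshold on at least one device."""
    return sorted({pkg for (_, pkg), n in attempts_per_device(records).items() if n >= threshold})


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    print(attempts_per_device(recs))
    print("flagged:", flag_packages(recs, 2))
```

The threshold here is deliberately low for the short sample; on real sandbox captures it would be tuned against the baseline of legitimate apps on the same device.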

More than two million transaction attempts were blocked in Brazil between July and August 2018, originating from 128,845 different devices. In Kuwait, more than 78k transaction attempts from Alcatel devices were blocked in the same period. As for the version of the app available in Google Play, it remained on the platform until last Saturday, January 5, when the malicious app was removed by the Google team.