Customer Spotlight – Rubica SOC discovers malware in sneaky weather app
Here’s part of why I love working at Rubica: I never know what I’ll find when I walk in the door each day. Malware and threats to online data, identity, and privacy are ever-changing, so I get a chance to help our customers navigate complex problems. Last week while I was enjoying my morning coffee, one of our analysts interrupted my second breakfast with news that our Security Operations Center (SOC) had just discovered a threat simultaneously running on 12 of our users’ devices. It’s rare to find the same active threat on multiple users’ devices…let alone at the same time.
As it turned out, the discovered threat was related to a rogue weather alerting service called My Accurate Forecast. My Accurate Forecast is a free service that does just what it says—it emails your daily local weather alerts. But here’s the trickery: My Accurate Forecast App disguised what the user was actually downloading.
Our cybersecurity analysts found signs of a ‘hidden’ inbox installed on multiple devices. Specifically, we detected these devices making requests to .imap.email.minbox[.]email, where the hidden inbox was causing several different customers to receive spam and unsolicited advertisements. Spear phishing mail alone creates a targeted attack surface for the user, merely by exposing them to more personalized emails with phishing links or redirects to malicious websites that they would otherwise not receive.
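The detection described above comes down to spotting devices that resolve or connect to the indicator domain. As an added illustration (this is not Rubica's SOC tooling), the Python below scans a constructed DNS-query log, refangs the published indicator from its `[.]` form, and matches on label boundaries so that a look-alike name such as `notminbox.email` is not flagged. The log format (timestamp, device id, queried name) and the device ids are assumptions made for the example.

```python
import re
from collections import defaultdict

# Indicator as published in the write-up, defanged with "[.]" so it is not clickable.
INDICATOR_DEFANGED = "imap.email.minbox[.]email"

# Constructed sample DNS-query log (not real customer data). Format assumed for
# this example: "<timestamp> <device-id> <queried-name>".
SAMPLE_LOG = """\
2019-03-04T08:01:12Z device-01 imap.email.minbox.email
2019-03-04T08:01:13Z device-01 weather.example.com
2019-03-04T08:02:40Z device-02 mail.example.net
2019-03-04T08:03:05Z device-03 IMAP.EMAIL.MINBOX.EMAIL
2019-03-04T08:03:06Z device-01 imap.email.minbox.email
2019-03-04T08:04:00Z device-04 notminbox.email
2019-03-04T08:04:30Z device-05 cdn.imap.email.minbox.email.
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<device>\S+)\s+(?P<qname>\S+)$")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'minbox[.]email' back into a hostname."""
    return indicator.replace("[.]", ".").replace("(.)", ".").lower().strip(".")


def normalize_host(name: str) -> str:
    """Lower-case the name and drop a trailing root dot so comparisons are stable."""
    return name.lower().rstrip(".")


def matches_indicator(qname: str, indicator: str) -> bool:
    """True if qname equals the indicator or sits beneath it on a label boundary."""
    host = normalize_host(qname)
    ind = refang(indicator)
    return host == ind or host.endswith("." + ind)


def parse_line(line: str):
    """Return (timestamp, device, qname) or None for lines that do not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("device"), m.group("qname")


def find_affected_devices(log_text: str, indicator: str = INDICATOR_DEFANGED) -> dict:
    """Map each device that queried the indicator to the list of (timestamp, name) hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the sweep
        ts, device, qname = parsed
        if matches_indicator(qname, indicator):
            hits[device].append((ts, normalize_host(qname)))
    return dict(hits)


if __name__ == "__main__":
    for device, events in sorted(find_affected_devices(SAMPLE_LOG).items()):
        print(f"{device}: {len(events)} query(ies) to the indicator domain")
        for ts, name in events:
            print(f"  {ts}  {name}")
```

Run against the sample log, it reports devices 01, 03 and 05 and ignores the look-alike and the malformed line; swapping `SAMPLE_LOG` for a real resolver or proxy export in the same three-column shape is the only change needed to use it on your own data.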
Rubica’s analysts quickly figured out how to remove the configuration profile by testing the service themselves in our secure sandbox environment. After duplicating the threat, our SOC figured out how to remove it. Then they contacted my department, and I and my support specialists quickly notified the affected customers and gave them instructions on how to remove the fake profile.
We enjoy hearing exact words from our customers. This one was my favorite:
“I deleted the problem and hopefully that will solve this issue…how creepy, I have no idea where it came from…ugh…again, thank you.”
How the My Accurate Forecast app is a cybersecurity threat
My Accurate Forecast’s website is deceptive from the outset. It looks like an innocent download of a weather app; the homepage even shows pictures of an app-like experience while mentioning an easy-to-use interface.
What really happens is that when you sign up for the email service, it leads you to give My Accurate Forecast permission to install a sneaky configuration profile, without the user realizing what that permission grants.
Here’s what it looks like:
This configuration profile allowed My Accurate Forecast to install its own inbox in your email app, and this is the inbox to which they send their weather alerts. The inbox is hidden from the customer: they would have to drill down into their mail account settings to realize that a second, separate inbox is receiving email alongside their own. What makes this sting is that, from the user’s perspective, the weather emails simply keep arriving in their main inbox, so nothing looks wrong.
An app should not control your device or privacy
An app should not:
1) Install a separate inbox on your device to send you emails
2) Take advantage of the fact that it now controls an inbox on your device to send you spam and advertisements from third-party advertising partners
It’s sneaky that the hidden inbox allows the attackers to control which emails you receive, with the likelihood that the user will never discover how to get rid of their new flood of spam emails. Unfortunately, My Accurate Forecast makes its money betting on customer ignorance. Many (if not most) users would not know to check their email configuration profiles and then simply remove the extra inbox. These spam and advertising emails increase the user’s attack surface by exposing them to more effectively targeted emails, with things like phishing links or redirects to malicious websites, that they would otherwise not receive.
How Rubica cares about your right to privacy and security
More than anything, we want you to know about apps like the My Accurate Forecast app and how easily they make their way onto your devices. Thanks to our SOC’s proactive threat hunting, we were able to detect this malicious traffic and help our customers protect their digital privacy. We build protections against new threats like this into our ISO-certified security stack, which means a smarter VPN that’s more aware.
Rubica’s mission is to protect your right to security, no matter who you are, what you do, or where you go. We are not just an app; we want to protect your entire digital presence.
Stay safe out there.