For Android smartphone users, online life is always on the edge as every other day there is a new way with which cybercriminals plan to keep a tab on their devices and invade privacy. It is the rule of the thumb that an Android user must never trust the device for storing confidential data as even the most harmless looking apps can perform unnoticeable surveillance. Blame it on the way app developers and OEMs design their products and services.
However, thankfully we are blessed with security experts and researchers working day-in-and-day-out to alert us about the secret functions and capabilities of certain apps beforehand so that we avoid downloading them.
AdGuard security researchers have identified that Go Keyboard, an app developed by Chinese GOMO developer team, cannot be trusted because it conducts spying and therefore, Android smartphone owners must not download or install this app.
According to researchers, there are two variants of Go Keyboard available on Google namely “GO Keyboard – Emoji keyboard, Swipe input, GIFs” and “GO Keyboard – Emoticon keyboard, Free Theme, GIF.“ Both versions send out private data to remote servers and execute unauthorized code on the android device. Each of the versions has about 100k to 500k downloads so far, and on Play Store these apps are rated at 4.5 and 4.4 stars.
Researchers from AdGuard became alerted about suspicious spying acts of keyboard apps after Touchpal keyboard app was identified to display ads on HTC devices earlier in 2017. It was suspected that GOMO developer team was trying to collect private and confidential data such as the email address used to connect with Google Play Store, Android version, screen size, network type and phone’s make/model number.
Moreover, the keyboard apps were communicating with tracking networks as well as executing code like dex files or native coding through a remote server. This is a violation of the Developers’ Policy Center’s Malicious Behaviours section. The app also contradicts the information provided by developers in the app’s description. It reads:
“We will never collect your info including credit card information. In fact, we care for privacy of what you type and who you type!”
The app does the exact opposite of what it promises or claims. It starts sharing personal data right after its installation on the device and communicates with dozens of tracking servers apart from collecting sensitive, confidential information.
It is worth noting that some downloaded plugins of these apps have been declared as adware by prominent anti-virus software programs. The dangers are pretty obvious; if the keyboard apps can register and send out everything that we type like passwords, message texts, social media login IDs, phone number and bank account numbers, etc., then this information can be exploited in a variety of ways one of which is selling them to third parties.
Some of the permissions we noticed are: “retrieve running apps, read sensitive log data, find accounts on the device, read your contacts, read call log, record audio, display unauthorized windows, read terms you added to the dictionary and add words to user-defined dictionary etc.”
“We find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation,” stated AdGuard researchers.
AdGuard has informed Google regarding its findings, and the company is yet to release an official statement about the issue. However, three days ago, in their comment section, AdGuard’s Andrey Meshkov wrote that Google never replied to their report.
