Ai.type, an Android app that has earned over 40 million downloads as a “Free emoji keyboard”, has recently been caught red-handed engaged in fraud. By making unauthorized purchases of premium digital content on smartphones, the app generated millions of transactions, netting huge sums over the course of its scam.
Caught by Secure-D, a fraud detection platform by Upstream, the app carried out its shady endeavors through a range of tactics, including displaying invisible ads and spoofing the identities of other apps such as SoundCloud.
While the damage already done may have been substantial, Secure-D reports that by blocking over 14 million unauthorized transactions from a mere 110,000 devices, it has saved users a cumulative value of approximately $18 million. Although these transactions were recorded in 13 countries, Egypt and Brazil saw the highest numbers.
Secure-D carried out its research on two devices and found subscription verification texts from premium digital services on both, confirming unwanted subscription sign-ups that occurred without any user intervention.
Static and behavioral analysis showed that the ai.type versions installed on each device contained SDK frameworks with obfuscated, hard-coded links back to advertising trackers. “These are servers used by mobile advertising networks to serve and display ads based on their inventory, and track who needs to be paid when a conversion (usually a sale or download) takes place,” the company wrote in its blog post.
Moreover, despite the app being removed from the Google Play Store in June 2019, Android users did not delete it, nor did other Android marketplaces take action, so the app continued to cause damage. What is even more surprising is that the very next month a huge spike was seen in its activity, the opposite of what Google’s removal was intended to achieve.
Meanwhile, the CEO of Upstream has rightly commented that:
The mobile advertising fraud market is worth some $40bn annually. In any given market one in ten devices are infected with malware. Dressing up to appear as legitimate and often popular applications, undetected malware damages the industry’s reputation, leaving mobile operators and their customers to pick up the tab.
Yet we believe there is more that can be done, particularly by Google. For starters, it should have immediately informed users who had installed ai.type on their smartphones with a push notification prompting them to delete the app on account of fraud. This is especially important when we consider that the average layperson does not follow cybersecurity blogs and would have no idea of the current developments surrounding a particular app.
Furthermore, Secure-D’s research revealed that the Ai.type Android app asks for dangerous permissions such as:
Allowing the application to read the user’s contacts data
Allowing the application to read or write to the phone’s external storage
Allowing the application to access the list of existing accounts on the device
Allowing the application to record audio.
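A defender who wants to check whether an installed keyboard app holds the kind of permissions listed above can parse the output of `adb shell dumpsys package <pkg>`. The script below is an added example, not Secure-D’s or the article’s own tooling; it runs on a constructed dumpsys sample with a placeholder package name, and the set of risky permissions is our mapping of the four items above to their Android permission names.

```python
import re
from typing import Dict, List, Set

# Android permission names corresponding to the four capabilities the article
# lists (contacts, external storage, account list, microphone). Assumed mapping.
RISKY_PERMISSIONS: Set[str] = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.GET_ACCOUNTS",
    "android.permission.RECORD_AUDIO",
}

# Constructed sample of `adb shell dumpsys package <pkg>` output for a
# hypothetical keyboard app; "com.example.keyboard" is a placeholder.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.keyboard] (1a2b3c4):
    userId=10231
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.WRITE_EXTERNAL_STORAGE
      android.permission.GET_ACCOUNTS
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=12345 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.WRITE_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
        android.permission.GET_ACCOUNTS: granted=false, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
"""

# A permission line, optionally followed by its grant state.
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)(?::\s*granted=(true|false))?")


def audit_permissions(dumpsys_text: str) -> Dict[str, List[str]]:
    """Return the risky permissions the app requests and those actually granted."""
    requested, granted, section = set(), set(), None
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped.endswith("permissions:"):   # "requested"/"install"/"runtime permissions:"
            section = stripped
            continue
        m = PERM_LINE.match(line)
        if not m or section is None:
            continue
        perm, state = m.group(1), m.group(2)
        if section.startswith("requested"):
            requested.add(perm)
        elif state == "true":                   # install or runtime grant
            granted.add(perm)
    return {"requested_risky": sorted(requested & RISKY_PERMISSIONS),
            "granted_risky": sorted(granted & RISKY_PERMISSIONS)}


if __name__ == "__main__":
    print(audit_permissions(SAMPLE_DUMPSYS))
```

On a real device, pipe `adb shell dumpsys package <pkg>` into `audit_permissions` and review any keyboard whose granted set is non-empty, since an input method has no need for contacts, accounts or the microphone.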
NOT for the first time
This, however, is NOT the first time the Ai.type app has been caught in the act. In 2017, the company was found to be collecting personal data from its users after its database of 31 million records was leaked online. The exposed data at that time included full name, phone number, device name, model number, screen resolution, SMS number, mobile network name, Android version, user languages enabled, IMSI number, IMEI number, country of residence, email address, links to and information associated with social media profiles including photos, and in some cases IP addresses.
Nevertheless, despite its removal earlier this year, as reported above, the malicious app in question can once again be found on the Play Store alongside other apps from the same company, ai.type LTD, an Israel-based firm. This alone is a serious indicator of the lack of repercussions certain developers face for criminal behavior.
It is Google’s responsibility to ban firms involved in such activities for an extended period of time and to remove their other applications, in order to act as a deterrent to others.