SecurityWeek

Data Protection

Information-Collecting Android Keyboard Tops 50 Million Installs

A third-party keyboard application for Android that had over 50 million installs was found to collect user data and send it to a remote server, Pentest Limited researchers reveal.

Dubbed “Flash Keyboard” and developed by DotC United, the application was the 11th most popular app in Google Play at the time the researchers began their analysis. Even though it engaged in nefarious activities, the program went unnoticed until Google removed the offending app from the storefront after being informed of the issue (although it has since re-approved it).

In a detailed report (PDF) on the app’s malicious activity, Pentest Limited’s Andrew Pannell explains that the researchers analyzed app version 1.0.27 (currently, the version available in Google Play is 1.0.54). He also points out that, even though the app was violating users’ privacy, its developers claim that users have nothing to worry about.

“The warning message that says Flash Keyboard may be able to collect all the text you type, including personal data like passwords and credit card number, is a part of the Android operating system that appears when any third party keyboard is enabled. Rest assured you can use Flash keyboard safely,” the application’s description in Google Play reads.

Right from the start, however, Flash Keyboard raises a red flag, given that it asks for a large number of permissions that a keyboard should not need. It can run at startup, read and write home screen settings and shortcuts, use the network and Bluetooth as it likes, modify system settings, disable the lock screen, force-stop other applications, and read the phone status, user ID, and more.

The application also asks for permission to retrieve running applications, obtain the user’s precise location, download files without notification, take pictures and videos, and draw over other apps. Moreover, Flash Keyboard uses device admin APIs that allow it to replace the standard Android lock screen with its own custom lock screen, which is monetized by displaying custom ads.

By combining Wi-Fi triangulation, cell towers, and GPS, the keyboard was able to determine the device’s location precisely, which the researchers say could be accurate to within 1 to 3 meters. The keyboard could also make calls to kill other apps’ processes, such as those of anti-malware programs, and can create windows on the device, a permission it has no clear reason to request.

The researchers discovered that the application was communicating with servers in several countries, including the United States, the Netherlands, and China, and that it sent the following information to them: device manufacturer and model number, IMEI, Android version, user email address, Wi-Fi SSID, Wi-Fi MAC, mobile network, GPS co-ordinates, information about nearby Bluetooth devices, and details of any proxies used by the device.
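The permission review described above can be automated at triage time: the script below, an added example that is not from the Pentest Limited report or the app, parses an AndroidManifest.xml, checks whether the app declares itself as an input method and a device admin, and lists the requested permissions that fall outside what a keyboard plausibly needs, mapping the ones called out in the article to the data they expose. The manifest and the package name com.example.keyboard are constructed for illustration; the permission strings are the standard Android constants.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Permissions a third-party keyboard plausibly needs; anything outside this set is worth a question.
KEYBOARD_BASELINE = {"android.permission.VIBRATE", "android.permission.INTERNET",
                     "android.permission.RECORD_AUDIO", "android.permission.READ_USER_DICTIONARY"}

# Permissions named in the Flash Keyboard analysis, mapped to the capability each grants.
HIGH_RISK = {
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS/Wi-Fi/cell location (1-3 m)",
    "android.permission.KILL_BACKGROUND_PROCESSES": "force-stop other apps, e.g. anti-malware",
    "android.permission.DISABLE_KEYGUARD": "disable the lock screen",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.READ_PHONE_STATE": "read IMEI and phone status",
    "android.permission.ACCESS_WIFI_STATE": "read Wi-Fi SSID/MAC of nearby access points",
}

# Constructed manifest (package name is a placeholder), not the real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application>
    <service android:name=".Ime" android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""


def audit_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    requested = {e.get(A + "name") for e in root.iter("uses-permission")}
    # A keyboard is a service guarded by BIND_INPUT_METHOD; a device admin is a receiver guarded
    # by BIND_DEVICE_ADMIN (the hook the article says Flash Keyboard used to replace the lock screen).
    is_ime = any(s.get(A + "permission") == "android.permission.BIND_INPUT_METHOD"
                 for s in root.iter("service"))
    device_admin = any(r.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN"
                       for r in root.iter("receiver"))
    return {"is_keyboard": is_ime, "device_admin": device_admin,
            "high_risk": {p: HIGH_RISK[p] for p in sorted(requested) if p in HIGH_RISK},
            "unexpected": sorted(requested - KEYBOARD_BASELINE)}


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{key}: {value}")
```

Run it against a manifest extracted from an APK (for example with apktool) to get the same kind of permission list the researchers compiled by hand.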

“It is worth noting that the Wi-Fi SSID and MAC included all nearby Wi-Fi access points, not just the access point that the device was connected to. Evidently the application sends personal information such as email address and location to this Chinese analytical server without the knowledge of the user,” the researcher notes. Pannell also points out that the app engages in deceptive behavior, which Google’s policies clearly prohibit.

Even so, the researcher says, it is possible that Flash Keyboard wasn’t designed for malicious purposes from the start, but that its developers decided to monetize a free app and modified it to deceive users, gather personal information, and obstruct uninstallation. The granted privileges could also be exploited for mass or targeted surveillance, the researcher says.

What’s certain is that Flash Keyboard is only one example of malicious apps in Google Play. Last year, a game called BrainTest supposedly infected over 1 million devices, and it returned to the storefront in January this year. Earlier this month, the Godless Trojan was found in Google Play and other popular app stores.

Related: Android Trojans Exploit Marshmallow’s Permission Model

Related: Android Malware Gang Makes $10,000 a Day: Report
