A third-party keyboard application for Android that had over 50 million installs was found to collect user data and send it to a remote server, Pentest Limited researchers reveal.
Dubbed “Flash Keyboard” and developed by DotC United, the application was the 11th most popular app in Google Play at the time the researchers began their analysis. Even if it engaged into nefarious activities, the program went unnoticed, yet Google removed the offending app from the storefront after being informed on the issue (although it has already re-approved it).
In a detailed report (PDF) on the app’s malicious activity, Pentest Limited’s Andrew Pannell explains that the researchers analyzed app version 1.0.27 (currently, the app iteration available in Google Play is 1.0.54). He also points out that, even if the app was breaking users’ privacy, its developers claim that users have nothing to worry about.
“The warning message that says Flash Keyboard may be able to collect all the text you type, including personal data like passwords and credit card number, is a part of the Android operating system that appears when any third party keyboard is enabled. Rest assured you can use Flash keyboard safely,” the application’s description in Google Play reads.
Right from the start, however, Flash Keyboard raises a red flag, given that it asks for a great deal of permissions that it isn’t supposed to have. It can run at startup, can read and write home settings and shortcuts, can use network and Bluetooth as it likes, can modify system settings, disable the lock screen, force-stop other applications, and read the status of phone, user ID, and more.
The application also asks for permission to retrieve running applications, grab user’s precise location, download files without notification, take pictures and videos, and draw over other apps. Moreover, Flash Keyboard uses device admin APIs that allow it to replace the standard Android lock screen with its own custom lock screen, which is monetized by displaying custom ads.
By leveraging Wi-Fi triangulation, Cell towers, and GPS, the keyboard was able to deliver precise location, which researchers say that could deliver 1 to 3 meters accuracy. The keyboard could also make calls to kill other app processes, such as those of anti-malware programs, and can create windows on the device, a permission that isn’t clear why it asks for.
The researchers discovered that the application was communicating with servers in several countries, including the United States, the Netherlands, and China, and that it sent the following information to them: device manufacturer and model number, IMEI, Android version, user email address, Wi-Fi SSID, Wi-Fi MAC, mobile network, GPS co-ordinates, information about nearby Bluetooth devices, and details of any proxies used by the device.
“It is worth noting that the Wi-Fi SSID and MAC included all nearby Wi-Fi access point not just the access point that device was connected to. Evidently the application sends personal information such as email address and location to this Chinese analytical server without the knowledge of the user,” the researcher notes. However, Pannell also explains that the app engages into deceptive behavior, although Google clearly prohibits it.
Even so, the researcher says, it is possible that Flash Keyboard wasn’t designed for malicious purposes right from the start, but that they decided to monetize a free app, so they modified it to deceive users, gather personal information, and obstruct uninstallation. The app could be used to exploit the granted privileges for mass or targeted surveillance, the researcher says.
What’s certain is that Flash Keyboard is only one example of malicious apps in Google Play. Last year, a game called BrainTest supposedly infected over 1 million devices, and it returned to the storefront in January this year. Earlier this month, the Godless Trojan was found in Google Play and other popular app stores.
Related: Android Trojans Exploit Marshmallow’s Permission Model