Android Keyboard App with over 50 million installs secretly collects your data

Android logoGoogle removed one of its Top 20 most popular Android apps from the Play Store after an investigation from Pentest, a UK-based cyber-security firm who discovered that the application violated the Mountain View-based giant's policies by showing a deceptive behavior.

Pentest's engineers found that the app requested more permissions than its native behavior needed, asked for admin privileges in order to make uninstallation more difficult, hijacked the user's screen to show ads, and collected and transferred user information to a third-party without the user's permission.

Android Keyboard App with over 50 million installs secretly collects your data

The app's name is Flash Keyboard, and before the Pentest report, it was ranked #11 in Google's most popular Android apps, with over 50 million downloads. As its name hints, the app is a replacement for Android's stock keyboard, developed by DotC United.

Pentest found it exaggerated that the app would require access to a phone's Bluetooth connection, geo-location feature, or WiFi status.

Additionally, the app would ask for access to kill background processes, read SMS messages, show system overlays, or remove download notifications. Pentest says there are no reasons for a keyboard app to require these intrusive permissions.

Further, Pentest detected that Flash keyboard was asking for device admin permissions and was using these powers to take over the phone's lock screen and show ads.

Pentest also analyzed a stream of data that was originating from the app and says Flash Keyboard was collecting information about the user and was sending it to remote servers in the US, the Netherlands, and China.

Some of the data the app was collecting and sending to these services included details such as device manufacturer, device model number, Android version, email address, SSID, MAC, IMEI, mobile network, GPS coordinates, information on nearby Bluetooth devices, and the presence of any proxies.

Pentest believes that the app breaches Google's deceptive behavior policy for the following reasons:

  • “ Mimics operating system functionality by replacing the built-in lock screen with its own. ”
  • “ Does not disclose that it replaces the lock screen to display advertisements. ”
  • “ Allows application updates and intentionally hides operating system notifications that would alert the user to the update. ”
  • “ Sends personal information to a 3rd party site without the user’s knowledge. ”
  • “ Makes it difficult for the average user to uninstall. ”

After Pentest's report, Google removed the app. Soon after, the developer created and submitted to the Play Store an app called Flash Keyboard - Lite. At the time of writing, the Flash Keyboard is yet again available via Google's Play Store.

Source: Softpedia

Tags: Android, OSes, security

Comments
Add comment

Your name:
Sign in with:
or
Your comment:


Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party


Last news

 
Consumer group recommends iPhone 8 over anniversary model
 
LTE connections wherever you go and instant waking should come to regular PCs, too
 
That fiction is slowly becoming a reality
 
The Snapdragon 845 octa-core SoC includes the Snapdragon X20 LTE modem
 
Human moderators can help make YouTube a safer place for everyone
 
Google says Progressive Web Apps are the future of app-like webpages
 
All 2018 models to sport the 'notch'
 
The biggest exchange in South Korea, where the BTC/KRW pair is at $14,700 now
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 /
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /
 
 

News Archive

 
 
SuMoTuWeThFrSa
     12
3456789
10111213141516
17181920212223
24252627282930
31      




Poll

Do you use microSD card with your phone?
or leave your own version in comments (4)