An Android third-party keyboard application can collect user data and send it to a remote server, researchers said.
Dubbed “Flash Keyboard” and developed by DotC United, the application was the 11th most popular app in Google Play at the time the researchers began their analysis, said experts at Pentest Limited. It had over 50 million installs.
Even though it engaged in nefarious activities, the program went unnoticed, and Google removed the app from the storefront only after being informed of the issue (it has since re-approved it).
In a report on the app’s malicious activity, Pentest Limited’s Andrew Pannell said researchers analyzed app version 1.0.27 (currently, the app version available in Google Play is 1.0.54). He also said that, even though the app was violating users’ privacy, its developers told users they have nothing to worry about.
“The warning message that says Flash Keyboard may be able to collect all the text you type, including personal data like passwords and credit card number, is a part of the Android operating system that appears when any third party keyboard is enabled. Rest assured you can use Flash keyboard safely,” the application’s description in Google Play said.
Flash Keyboard can run at startup, read and write home-screen settings and shortcuts, use the network and Bluetooth as it likes, modify system settings, disable the lock screen, force-stop other applications, and read the phone status, user ID, and more.
The application also asks for permission to retrieve running applications, obtain the user’s precise location, download files without notification, take pictures and videos, and draw over other apps. It also uses device admin APIs that allow it to replace the standard Android lock screen with its own custom lock screen, which displays custom ads.
By combining Wi-Fi triangulation, cell towers, and GPS, the keyboard was able to obtain a precise location, which researchers said could be accurate to within 1 to 3 meters. The keyboard could also make API calls to kill other app processes, such as those of anti-malware programs, and could create windows on the device.
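As an added example (not tooling from Pentest Limited’s report), the following Python script triages an apktool-decoded AndroidManifest.xml: it checks whether the app registers an input-method service, whether it registers a device-admin receiver, and which of the permissions this article attributes to Flash Keyboard it requests. The sample manifest embedded below is constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for a keyboard (IME) app that requests
capabilities a keyboard does not need. Added example, not the researchers' code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
def A(attr):  # fully-qualified android:<attr> attribute name
    return "{%s}%s" % (ANDROID_NS, attr)

# Real Android permission names, mapped to the capability the article describes.
WATCHLIST = {
    "android.permission.ACCESS_FINE_LOCATION": "precise location (GPS)",
    "android.permission.ACCESS_COARSE_LOCATION": "location (cell towers / Wi-Fi)",
    "android.permission.KILL_BACKGROUND_PROCESSES": "force-stop other apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.CAMERA": "take pictures and videos",
    "android.permission.DISABLE_KEYGUARD": "disable the lock screen",
    "android.permission.READ_PHONE_STATE": "phone status / IMEI",
    "android.permission.GET_ACCOUNTS": "account e-mail address",
    "android.permission.BLUETOOTH_ADMIN": "Bluetooth discovery",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run at startup",
    "android.permission.WRITE_SETTINGS": "modify system settings",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Return whether the app is an IME, whether it is a device admin, and flagged permissions."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    services = app.findall("service") if app is not None else []
    receivers = app.findall("receiver") if app is not None else []
    # An IME service must be protected by BIND_INPUT_METHOD; a device-admin receiver by BIND_DEVICE_ADMIN.
    is_ime = any(s.get(A("permission")) == "android.permission.BIND_INPUT_METHOD" for s in services)
    device_admin = any(r.get(A("permission")) == "android.permission.BIND_DEVICE_ADMIN" for r in receivers)
    requested = {p.get(A("name")) for p in root.findall("uses-permission")}
    flagged = {p: WATCHLIST[p] for p in sorted(requested) if p in WATCHLIST}
    return {"is_ime": is_ime, "device_admin": device_admin, "flagged": flagged}

# Constructed sample manifest (hypothetical package name), mirroring the article's findings.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".Ime" android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for key, value in triage_manifest(SAMPLE_MANIFEST).items():
        print(key, value)
```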
The researchers discovered the application was communicating with servers in several countries, including the United States, the Netherlands, and China, and that it sent the following information to them: device manufacturer and model number, IMEI, Android version, user email address, Wi-Fi SSID, Wi-Fi MAC, mobile network, GPS coordinates, information about nearby Bluetooth devices, and details of any proxies used by the device.
“It is worth noting that the Wi-Fi SSID and MAC included all nearby Wi-Fi access points, not just the access point that the device was connected to. Evidently the application sends personal information such as email address and location to this Chinese analytical server without the knowledge of the user,” the researcher said.