Popular Android Keyboard App with 50 million downloads is spying on you
A popular Android keyboard app called Flash Keyboard was found by a UK-based cyber-security firm, Pentest, to be asking for “excessive permissions”, displaying infected ads, asking for admin privileges in order to make uninstallation more difficult, tracking user behavior, and sending data to servers in China without the user’s permission. In other words, the Flash Keyboard app was spying on Android smartphone users, and security experts have already classified the app as “malware.” As a result, Google removed the app, one of the top 20 most popular Android apps, from the Play Store.
“It is Pentest’s opinion that this application was not written by the developers to be intentionally malicious,” researchers said.
“However, through disregard for Android’s development policy and a desire to monetize a free application, have created an application that deceives users, gathers personal information and obstructs uninstallation.”
Flash Keyboard is a keyboard app for Android that supports multiple languages and describes itself as being “extremely adaptive to guarantee a fluent input in any situation.” Pentest estimates that the app has been installed on more devices than WhatsApp. With over 50 million downloads, Flash Keyboard was ranked #11 in Google’s most popular Android apps before the Pentest report.
Pentest found that the app requires unwanted access to a phone’s Bluetooth connection, geo-location feature, or Wi-Fi status, which a normal keyboard app would not require. In addition, the app would ask for access to kill background processes, read SMS messages, show system overlays, or remove download notifications. Pentest says there is no reason for a keyboard app to require these intrusive permissions.
Further, Pentest detected that Flash Keyboard was asking for device admin permissions, and was using these powers to take over the smartphone’s lock screen and show ads even if users opted out.
A more serious issue is that Flash Keyboard secretly transfers data to servers situated in China and other foreign countries. During testing, Pentest found the app transmitted sensitive user data, including the owner’s email address, device manufacturer, model number, IMEI and Android version, to what it believes to be analytics servers in the US, the Netherlands and China. It also sends details of the currently connected Wi-Fi network and others in the vicinity, the identity of the mobile network being used, and GPS coordinates that are accurate to within three meters of the user.
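The three paragraphs above amount to a manifest-level audit: a keyboard should need only a handful of permissions, and a device-admin receiver is a red flag. The script below is an added example, not part of the article or of Pentest’s report, showing how a defender can run that check over a decoded AndroidManifest.xml. The manifest is a constructed stand-in (package name and component names are invented, not Flash Keyboard’s), and the baseline of permissions a keyboard plausibly needs is an assumption; the permission names themselves are real Android permissions that map to the capabilities the report describes.

```python
"""Flag permissions and device-admin receivers a keyboard app should not need.

Assumes the APK's binary manifest has already been decoded to plain XML
(e.g. with apktool). Everything below is a constructed example.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Assumed baseline: permissions an input-method app plausibly needs.
KEYBOARD_BASELINE = {
    "android.permission.VIBRATE",        # key-press haptics
    "android.permission.INTERNET",       # dictionary / theme downloads
    "android.permission.RECORD_AUDIO",   # voice typing
}

# Permissions matching the capabilities the report calls out.
HIGH_RISK = {
    "android.permission.BLUETOOTH": "Bluetooth access",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi network details",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill other apps",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "hide downloads",
    "android.permission.READ_PHONE_STATE": "IMEI and network identity",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses",
}

# A receiver guarded by this permission is a device-admin component.
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.keyboard">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="com.example.keyboard.CUSTOM"/>
  <application>
    <service android:name=".Ime"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def audit_manifest(xml_text):
    """Return requested permissions split into baseline / high-risk / unknown,
    plus any receivers that register as device administrators."""
    root = ET.fromstring(xml_text)
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    excess = requested - KEYBOARD_BASELINE
    admin_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if r.get(PERMISSION) == DEVICE_ADMIN
    ]
    return {
        "requested": sorted(requested),
        "high_risk": sorted(p for p in excess if p in HIGH_RISK),
        "unknown": sorted(p for p in excess if p not in HIGH_RISK),
        "device_admin_receivers": admin_receivers,
    }


def report(audit):
    """Human-readable summary of an audit result."""
    lines = []
    for perm in audit["high_risk"]:
        lines.append(f"HIGH RISK  {perm}: {HIGH_RISK[perm]}")
    for perm in audit["unknown"]:
        lines.append(f"REVIEW     {perm}: not in keyboard baseline")
    for recv in audit["device_admin_receivers"]:
        lines.append(f"DEVICE ADMIN receiver {recv}: can resist uninstallation")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_manifest(SAMPLE_MANIFEST)))
```

Run against a real decoded manifest, a keyboard that lands in the HIGH RISK or DEVICE ADMIN buckets warrants the same scrutiny Pentest applied here; a custom permission in the REVIEW bucket is usually benign but worth a look.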
Pentest said it does not believe that the developer is deliberately acting maliciously. Instead, it has ignored and disregarded the Android development policies laid out by Google and heavily monetized its app, in the process deceiving users and putting them at risk of attack.
“Through disregard for Android’s development policy and a desire to monetize a free application, the developers have created an application that deceives users, gathers personal information and obstructs uninstallation,” the firm said. “In more sinister hands, this application could covertly download updates that weaponises the application, to exploit the granted privileges for mass or even targeted surveillance.”
Pentest says it attempted to contact the developer of the app, Hong Kong-based DotC United, but received no response. The developer’s Google Play Store listing for the app nevertheless suggests it takes a proactive approach to security, claiming “We DO NOT collect any personal data without your explicit permission.”
After Pentest’s report, Google removed the app. Shortly afterwards, the developer created and resubmitted to the Play Store an app called Flash Keyboard – Lite. At the time of writing, Flash Keyboard is once again available via Google’s Play Store.