Researchers from Ad-Guard became alerted about suspicious spying acts of keyboard apps after Touchpal keyboard app was identified to display ads on HTC devices earlier in 2017. It was suspected that GOMO developer team was trying to collect private and confidential data such as the email address used to connect with Google Play Store, Android version, screen size, network type and phone’s make/model number.
Moreover, the keyboard apps were communicating with tracking networks as well as executing code like dex files or native coding through a remote server. This is a violation of the Developers’ Policy Center’s Malicious Behaviours section. The app also contradicts the information provided by developers in the app’s description. It reads:
“We will never collect your info including credit card information. In fact, we care for privacy of what you type and who you type!”
The app does the exact opposite of what it promises or claims. It starts giving personal data right after its installation on the device and communicates with dozens of tracking servers apart from collecting sensitive, confidential information.
It’s worth noting that some downloaded plugins of these apps have been declared as adware by prominent anti-virus software programs. The dangers are pretty obvious; if the keyboard apps can register and send out everything that we type like passwords, message texts, social media login IDs, phone number and bank account numbers, etc., then this information can be exploited in a variety of ways one of which is selling them to third parties.
Some of the permissions we noticed are: “retrieve running apps, read sensitive log data, find accounts on the device, read your contacts, read call log, record audio, display unauthorized windows, read terms you added to the dictionary and add words to user-defined dictionary etc.”
AdGuard has notified Google regarding its findings, and the company is yet to release an official statement about the issue. However, three days ago, in their comment section, AdGuard’s Andrey Meshkov wrote that Google never replied to their report.
|AdGuard’s comment section