
Security researchers warn that GO Keyboard is spying on millions of Android users


fr3d3r1ck


Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code."

 

Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information.

 

Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total. GO Keyboard - Emoji keyboard, Swipe input, GIFs has a user rating of 4.5 stars; the very similarly-named GO Keyboard - Emoticon keyboard, Free Theme, GIF has a rating of 4.4 stars. Both versions of the app are still being updated.

 

Within the app description, the developers say:

 

Quote

PRIVACY and security
We will never collect your personal info including credit card information. In fact, we cares for privacy of what you type and who you type! [sic]

 

But Adguard points out that this is contradicted by the company's privacy policy. In addition to this, GO Keyboard shares personal information right after installation, communicates with dozens of tracking servers, and has access to sensitive data on the phone. Adguard concedes that this is fairly typical for modern apps, but goes on to say that the app violates Google Play policies.

 

In the Malicious Behavior section of the Developer Policy Center, Google says that "apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information" are not permitted.

 

This is activity, Adguard says, that GO Android engages in:

 

Quote

Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.

 

Google's policies also ban the practice of downloading "executable code, such as dex files or native code, from a source other than Google Play." Again, Adguard found that this is exactly what GO Keyboard is doing -- downloading and executing code from a remote server. Adguard notes that:

 

Quote

Some of the downloaded plugins are marked as Adware or PUP by multiple AV engines.

 

Adguard has reported its findings to Google, and says that the permissions used by the app are extra cause for concern:

 

Quote

What's important, given the apps' extensive permissions, remote code execution introduces severe security and privacy risks. At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants. Remember, it's a keyboard, and every important bit of information you enter goes through it!

 

We informed Google of these violations and are waiting for their reaction. Whatever their decision is, we find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation.

 

Source
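
The two behaviours reported above (identifiers such as the account email and IMSI in outbound requests, and dex or native code fetched from a source other than Google Play) can be checked for in captured app traffic. The sketch below is an added example, not Adguard's tooling or code from the article; the flow record layout, the host names, the sample data and the list of hosts treated as Google Play delivery are all assumptions made for illustration.

```python
import re

# Magic bytes for the formats Google's policy names (dex files, native code),
# plus ZIP, the container used by APK/JAR plugins.
MAGIC = {b"dex\n": "dex", b"\x7fELF": "elf", b"PK\x03\x04": "zip/apk"}
# Assumption: hosts under these suffixes count as Google Play delivery.
PLAY_SUFFIXES = (".google.com", ".googleapis.com")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# A bare 15-digit run; an IMEI has the same length, hence "possible".
IMSI_RE = re.compile(rb"(?<!\d)\d{15}(?!\d)")

def executable_kind(body):
    """Return the executable format a response body starts with, or None."""
    for magic, kind in MAGIC.items():
        if body.startswith(magic):
            return kind
    return None

def is_play_host(host):
    """Suffix match on a label boundary, so 'evilgoogle.com' does not pass."""
    host = host.lower().rstrip(".")
    return any(host == s[1:] or host.endswith(s) for s in PLAY_SUFFIXES)

def audit(flows):
    """Return (host, issue) pairs for decrypted flows captured from one app."""
    findings = []
    for flow in flows:
        host = flow["host"]
        if EMAIL_RE.search(flow["request_body"]):
            findings.append((host, "email address in request"))
        if IMSI_RE.search(flow["request_body"]):
            findings.append((host, "possible IMSI in request"))
        kind = executable_kind(flow["response_body"])
        if kind and not is_play_host(host):
            findings.append((host, kind + " payload from non-Play host"))
    return findings

# Constructed sample flows; hosts and values are placeholders.
SAMPLE_FLOWS = [
    {"host": "stats.tracker.example",
     "request_body": b'{"email":"user@example.com","imsi":"001010123456789"}',
     "response_body": b'{"ok":true}'},
    {"host": "plugins.cdn.example", "request_body": b"",
     "response_body": b"dex\n035\x00" + b"\x00" * 16},
    {"host": "play.googleapis.com", "request_body": b"",
     "response_body": b"PK\x03\x04" + b"\x00" * 16},
]

if __name__ == "__main__":
    for host, issue in audit(SAMPLE_FLOWS):
        print(host + ": " + issue)
```

The check only sees what the capture tool has already decrypted, and a payload that is compressed or encrypted at the application layer will not match the magic bytes.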
