This Android app is collecting user data and running external scripts without user consent

October 10, 2017


Your keyboard app is an input tool you use every day, for everything from typing a simple text message to typing passwords. You would never want your keyboard app to record everything that you type, or to fetch sensitive information about your device and store it on the developer's private servers.

GO Keyboard App is doing just that.

GOMO Apps, the Chinese app development company behind “GO Keyboard”, the popular Android keyboard app with over 2.5 million users, should realize that with a great user base comes great responsibility. For them, it is “with a great user base comes great earning opportunity”.

Adguard, a company that specializes in ad-blocking technology, recently found that the “GO Keyboard” app collects a large amount of data from the user’s device right after installation and sends it to a remote server.

The data included the Google account email address, in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.

All this happens without the user’s explicit consent.

Unfortunately, everything listed above is normal nowadays. Research conducted by The Conversation showed that 7 in 10 mobile apps share your data with third-party services.

However, “GO Keyboard” crosses the red line here.

The app downloads and runs a 14 MB file blob shortly after installation, and executes external scripts that include dozens of third-party trackers and ad networks.

Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play are malicious in nature.
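As an added example (not from the Adguard report or the original article), the sketch below triages an APK for run-time code loading by searching its dex files for references to Android's dynamic class-loader classes. The function names `scan_apk` and `build_sample_apk` are hypothetical, and the sample archive is constructed in memory rather than taken from a real app.

```python
import io
import zipfile

# Type descriptors of Android classes that load code at run time.
# A reference in an app's dex string table is a triage signal, not proof of
# abuse: legitimate libraries (e.g. multidex support) also use these classes.
LOADER_DESCRIPTORS = {
    b"Ldalvik/system/DexClassLoader;": "loads dex/apk/jar from a file path",
    b"Ldalvik/system/InMemoryDexClassLoader;": "loads dex from a memory buffer",
    b"Ldalvik/system/PathClassLoader;": "loads dex from a list of paths",
    b"Ldalvik/system/DexFile;": "opens a dex file directly",
}


def scan_apk(apk):
    """Return {dex entry name: sorted list of loader descriptors found}.

    `apk` is a path or a binary file object. An APK is a ZIP archive; the
    app's bytecode lives in classes.dex, classes2.dex, and so on.
    """
    findings = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if not (base.startswith("classes") and base.endswith(".dex")):
                continue
            data = zf.read(name)  # decompressed entry contents
            hits = sorted(d.decode() for d in LOADER_DESCRIPTORS if d in data)
            if hits:
                findings[name] = hits
    return findings


def build_sample_apk():
    """Constructed stand-in for an APK: two fake dex entries, one clean."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", b"dex\n035\x00..Landroid/app/Activity;..")
        zf.writestr("classes2.dex",
                    b"dex\n035\x00..Ldalvik/system/DexClassLoader;..")
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for entry, hits in scan_apk(build_sample_apk()).items():
        for h in hits:
            why = LOADER_DESCRIPTORS[h.encode()]
            print(f"{entry}: references {h} ({why})")
```

A hit only tells a reviewer where to look next; an app that hides the class name behind reflection and encrypted strings will not match, so a clean result is not an all-clear.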


Your privacy & security at stake

The Google Play Store’s policy clearly states that it is unlawful to collect user data without the user’s consent, and apps listed on the Play Store are prohibited from downloading and executing code from a third-party server.

“GO Keyboard” clearly fails to follow these policies, and there is no reason to be even skeptical about it.

This kind of breach is far more serious than it might look. The ability to download and run external code (remote code execution) inside an app is extremely dangerous.

At any time the remote server owner, i.e., the owner of the server from which “GO Keyboard” downloads executable files, may decide to change the code in those files so as to manipulate the app’s behavior, and not just steal your email address. This literally means the server owner can do whatever he/she wants with your device, taking full control of it.

Final Word

Uninstall this app immediately if you are using it right now. Also, avoid using third-party keyboard apps and stick to the default one. Why? Because it’s a keyboard, and every important bit of information you enter goes through it!

Lastly, do not blindly trust apps even if they are listed on the Play Store, and always check what permissions they require before installation.

Source: Adguard blog


