Go spy, GO! A popular app with 200M+ users crosses the red line.
Android smartphone users, online life is forever on the edge as all another day there is a new way by which cybercriminals plan to keep a tab on their devices and attack privacy. It is the rule of the thumb that an Android user must never trust the means for collecting private data as even the common harmless looking apps can perform unnoticeable surveillance. Blame it on the way app developers and OEMs design their products and services.
Still, thankfully we are honored with security experts and researchers working day-in-and-day-out to alert us about the secret functions and capabilities of certain apps beforehand so that we bypass downloading them.
AdGuard assurance researchers have identified that Go Keyboard, an app generated by Chinese GOMO developer team, cannot be trusted because it handles spying and since, Android smartphone owners must not download or install this app.
According, to researchers there are two variants of Go Keyboard possible on Google namely “GO Keyboard – Emoji keyboard, a Swipe input, GIFs” and “GO Keyboard – Emoticon keyboard, Free Theme, GIF.“ Both versions send out private data to remote servers and execute unauthorized code on the android device. Each of the versions has about 100k to 500k downloads so far, and on Play Store these apps are rated at 4.5 and 4.4 stars.
Researchers from Ad-Guard became alerted about suspicious spying acts of keyboard apps after Touchpal keyboard app was identified to display ads on HTC devices earlier in 2017. It was suspected that GOMO developer team was trying to collect private and confidential data such as the email address used to connect with Google Play Store, Android version, screen size, network type and phone’s make/model number.
Moreover, the keyboard apps were communicating with tracking networks as well as executing code like dex files or native coding through a remote server. This is a violation of the Developers’ Policy Center’s Malicious Behaviours section. The app also contradicts the information provided by developers in the app’s description. It reads:
“We will never collect your info including credit card information. In fact, we care for privacy of what you type and who you type!”
The app does the exact opposite of what it promises or claims. It starts giving personal data right after its installation on the device and communicates with dozens of tracking servers apart from collecting sensitive, confidential information.
It's worth noting that some downloaded plugins of these apps have been declared as adware by prominent anti-virus software programs. The dangers are pretty obvious; if the keyboard apps can register and send out everything that we type like passwords, message texts, social media login IDs, phone number and bank account numbers, etc., then this information can be exploited in a variety of ways one of which is selling them to third parties.
Some of the permissions we noticed are: “retrieve running apps, read sensitive log data, find accounts on the device, read your contacts, read call log, record audio, display unauthorized windows, read terms you added to the dictionary and add words to user-defined dictionary etc.”
“We find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation,” stated AdGuard researchers.
AdGuard has notified Google regarding its findings, and the company is yet to release an official statement about the issue. However, three days ago, in their comment section, AdGuard’s Andrey Meshkov wrote that Google never replied to their report.
 |
| AdGuard’s comment section |
Post A Comment:
0 comments: