Security researchers warn that GO Keyboard is spying on millions of Android users
Security researchers from Adguard have issued a warning that the popular GO Keyboard app is spying on users. Produced by Chinese developers GOMO Dev Team, GO Keyboard was found to be transmitting personal information about users back to remote servers, as well as "using a prohibited technique to download dangerous executable code."
Adguard made the discovery while conducting research into the traffic consumption and unwanted behavior of various Android keyboards. The AdGuard for Android app makes it possible to see exactly what traffic an app is generating, and it showed that GO Keyboard was making worrying connections, making use of trackers, and sharing personal information.
Adguard notes that there are two versions of the keyboard in Google Play which it claims have more than 200 million users in total. "GO Keyboard - Emoji keyboard, Swipe input, GIFs" has a user rating of 4.5 stars; the very similarly-named "GO Keyboard - Emoticon keyboard, Free Theme, GIF" has a rating of 4.4 stars. Both versions of the app are still being updated.
Within the app description, the developers say:
PRIVACY and security
We will never collect your personal info including credit card information. In fact, we cares for privacy of what you type and who you type! [sic]
But Adguard points out that this is contradicted by the company's privacy policy. In addition, GO Keyboard shares personal information right after installation, communicates with dozens of tracking servers, and has access to sensitive data on the phone. Adguard concedes that this is fairly typical for modern apps, but goes on to say that the app violates Google Play policies.
In the Malicious Behavior section of the Developer Policy Center, Google says that "apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information" are not permitted.
This is activity, Adguard says, that GO Android engages in:
Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.
Google's policies also ban the practice of downloading "executable code, such as dex files or native code, from a source other than Google Play." Again, Adguard found that this is exactly what GO Keyboard is doing -- downloading and executing code from a remote server. Adguard notes that:
Some of the downloaded plugins are marked as Adware or PUP by multiple AV engines.
Adguard has reported its findings to Google, and says that the permissions used by the app are extra cause for concern:
What's important, given the apps' extensive permissions, remote code execution introduces severe security and privacy risks. At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants. Remember, it's a keyboard, and every important bit of information you enter goes through it!
We informed Google of these violations and are waiting for their reaction. Whatever their decision is, we find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation.