Sep 22nd, 2017

It’s pretty common these days to hear about apps that are doing clandestine things without the user knowing it. Usually, it’s small-time apps like sketchy wallpaper apps, but sometimes it can be serious and involve device manufacturers. Adguard security researchers have released a report warning that GO Keyboard on Android is spying on its users by transmitting information back to remote users. The researchers also warn that the keyboard is using a “prohibited technique” to download and execute malicious code.

The researchers say they discovered the activity after monitoring traffic consumption and unwanted behavior in several popular Android keyboards. The worrying part is that more than 200 million users could be affected as there are two different versions of the GO Keyboard available on the Google Play Store, one rated 4.4 stars and the other rated 4.5 stars.

Most users are drawn to GO Keyboard because it offers a wide variety of themed keyboard options and was an early keyboard available on Android during the early days of the ecosystem. The GO Keyboard terms of service explicitly state that the app “will never collect your personal information” but in reality, it does just that.

Data Transmitted by GO Keyboard

  • Google account email
  • Language
  • IMSI
  • Location
  • Network Type
  • Screen Size
  • Android Version & Build Number
  • Device Model

As if transmitting data back to servers in China wasn’t enough, some of the plugins you can download inside the app are capable of downloading and executing their own malicious code and have been rated as adware by most anti-virus engines. This puts all 200+ million users GO Keyboard at risk, which is why the researchers have contacted Google to let them know about their findings.

We informed Google of these violations and are waiting for their reaction. Whatever their decision is, we find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy.

If you use GO Keyboard on any of your devices or know friends and family that do, now might be a good time to steer them away from it and to safer alternatives, like Gboard, Flesky, or SwiftKey. Google hasn’t yet responded to the situation, since GO Keyboard is still available to install.

local_offer    Go Keyboard