The secrecy of what people have on their mobile devices is mostly tied to what they enter on the keyboard.
From personal messages to login credentials and more, people use the keyboard to enter information into their devices. So what happens when a 'trusted' keyboard maliciously records all of those things? Disaster happens, and in this case, it affects at least 40 million people.
According to findings disclosed by mobile tech company Upstream, the app in question is a third-party keyboard app called 'Ai.type'.
This customizable keyboard app was developed by Israeli firm ai.type, Ltd. Marketed as a "Free Emoji Keyboard", it was found stealthily signing up users for millions of unauthorized purchases of premium digital content, delivering invisible ads and generating phony clicks.
The app also requires extensive permissions - including access to text messages, photos, videos, contacts, and on-device storage.
The researchers at Upstream said in their announcement:
Ai.type contains software development kits (SDKs) with links to ads, and can automatically subscribe users to premium services without their consent. These SDKs will then navigate to the ads via a series of redirections and automatically perform clicks to trigger the subscriptions.
All the processes are done in the background to avoid suspicion.
In addition, the SDKs can also obfuscate the relevant links, and further download additional code from external sources to complicate detection.
Upstream CEO, Guy Krief, commented that:
"The mobile advertising fraud market is worth some $40 billion annually. In any given market one in ten devices is infected with malware. Dressing up to appear as legitimate and often popular applications, undetected malware damages the industry’s reputation, leaving mobile operators and their customers to pick up the tab."
In all, Upstream detected 14 million suspicious transaction requests from 110,000 unique devices that downloaded the Ai.type keyboard app.
This led the company to block all those attempts. Had it not, these transactions could have cost victims a collective $18 million in unwanted charges, the researchers said.
The app's suspicious activities have been recorded across 13 countries, but the rates were particularly high in Egypt and Brazil.
These findings show that Google Play continues to have a problem with bad apps. Since the app store 'should' be the safest place for users to download Android apps, the findings point to the growing challenges associated with Android's security and privacy.
But still, it's always safer to download apps from the legitimate app store.
In this case, when dealing with apps on Google Play, users should always scrutinize every permission an app requires before every installation. In addition, users should check their bills for unwanted or unexpected charges, and watch for signs of increased data usage, which could indicate that a malicious app is consuming data in the background.