In unsettling recent news, a third-party keyboard for Android appears to have been collecting private user data and sending it to servers located around the globe.
UK-based security firm Pentest found that the keyboard, called Flash Keyboard, abuses OS permissions, inserts malicious ads, and tracks user behavior, then sends that data to servers in the US, the Netherlands, and China. Pentest released a whitepaper [PDF] of its findings, saying:
“It is Pentest’s opinion that this application was not written by the developers to be intentionally malicious…”
Flash Keyboard describes itself as being “extremely adaptive to guarantee a fluent input in any situation,” but the most disconcerting aspect of the findings is that the app has been downloaded 50 million times, creating a privacy nightmare for Android users around the world. With the privileges it has been granted, the app can:
- Access the phone’s camera
- Post system alert messages
- Access GPS and Wi-Fi location data
- Replace the default lock screen with one serving up ads
- Kill certain background processes such as anti-virus tools
The researchers at Pentest think that the data is being used for analytical purposes, going on to say:
“In more sinister hands, this application could covertly download updates that weaponize the application; to exploit the granted privileges for mass or even targeted surveillance.”
The app has since been removed from the Google Play Store, although a new keyboard by the same developer has already replaced it.