This Android Keyboard is Sending Your Data to China

In recent unsettling news, a third-party Android keyboard has been found collecting private user data and sending it to servers located around the globe.

Called Flash Keyboard, it was discovered by UK-based security firm Pentest to be abusing OS permissions, inserting malicious ads and tracking user behavior, then sending that data to servers in the US, Netherlands, and China. Pentest released a whitepaper [PDF] of its findings, saying:

“It is Pentest’s opinion that this application was not written by the developers to be intentionally malicious…”

Flash Keyboard describes itself as being “extremely adaptive to guarantee a fluent input in any situation,” but the most disconcerting aspect of the findings is that the app has been downloaded 50 million times, creating a privacy nightmare for Android users around the world.

App Permissions

  • Access the phone’s camera
  • Post system alert messages and read GPS and Wi-Fi location data
  • Replace the default lock screen with one serving up ads
  • Kill certain background processes, such as anti-virus tools

User data the app sends includes the device manufacturer and model, IMEI number, Wi-Fi and MAC address data, Android version and even GPS coordinates accurate to within 3 – 10 feet.
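As an added example (not code from Pentest’s whitepaper or from the article), the following Python audits a set of installed packages for exactly this pattern: a keyboard (input-method) app requesting camera, location, overlay, kill-process and phone-identifier permissions. It parses the “requested permissions:” section of `adb shell dumpsys package <pkg>` output; the package name and the dumpsys excerpt are constructed placeholders.

```python
# Permissions a keyboard has no need for, mapped from the article's list.
# (Names are real Android permissions; the risk labels are ours.)
RISKY_FOR_IME = {
    "android.permission.CAMERA": "camera",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlays / lock-screen ads",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "Wi-Fi location",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill other apps",
    "android.permission.READ_PHONE_STATE": "IMEI / phone identifiers",
}

def requested_permissions(dumpsys: str) -> set:
    """Collect names under 'requested permissions:' / 'install permissions:'."""
    perms, in_section = set(), False
    for line in (raw.strip() for raw in dumpsys.splitlines()):
        if line in ("requested permissions:", "install permissions:"):
            in_section = True
        elif in_section and (not line or line.endswith(":")):
            in_section = False            # next dumpsys section begins
        elif in_section:
            perms.add(line.split(":")[0])  # drop ': granted=true' suffix
    return perms

def is_input_method(dumpsys: str) -> bool:
    """Keyboards expose a service for the android.view.InputMethod action."""
    return "android.view.InputMethod" in dumpsys

def audit(packages: dict) -> dict:
    """Return {package: [risky permissions]} for input-method packages only."""
    findings = {}
    for pkg, dump in packages.items():
        risky = sorted(p for p in requested_permissions(dump) if p in RISKY_FOR_IME)
        if risky and is_input_method(dump):
            findings[pkg] = risky
    return findings

# Constructed dumpsys excerpt with a placeholder package name (not a real app).
SAMPLE = {"com.example.keyboard": """Package [com.example.keyboard]:
  requested permissions:
    android.permission.CAMERA
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.ACCESS_FINE_LOCATION
    android.permission.KILL_BACKGROUND_PROCESSES
    android.permission.READ_PHONE_STATE
  Service Resolver Table:
      android.view.InputMethod:
        com.example.keyboard/.ImeService
"""}
```

Feed `audit()` one dumpsys capture per installed package and any keyboard that comes back with a non-empty list deserves a closer look.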

The researchers at Pentest think that the data is being used for analytical purposes, going on to say:

“In more sinister hands, this application could covertly download updates that weaponize the application; to exploit the granted privileges for mass or even targeted surveillance.”

The app has since been removed from the Google Play Store, although a new keyboard by the same developer has already replaced it.