Android Keyboard App Could Swindle 40M Users Out of Millions

[silversurfer]

Content source

https://threatpost.com/android-keyboard-app-swindle-40m/149731/

Researchers are warning users to delete a popular Android keyboard app that, once downloaded, makes unauthorized purchases of premium digital content. Google told Threatpost it has removed the app from its Google Play marketplace – but researchers say it was downloaded on at least 40 million phones worldwide and thus remains a threat.

The app, Ai.type, allows users to personalize their keyboard with various fonts and emojis and was developed by Israeli firm Ai.type Ltd., according to researchers with mobile tech company Upstream. Ai.type Ltd. did not respond to a request for comment from Threatpost.

Once downloaded, researchers said the app makes “suspicious” requests to trigger the purchase of premium digital services in the background – so users are unaware of the activity. Upstream detected 14 million such transaction requests from 110,000 unique devices that downloaded the Ai.type keyboard. If these transactions had not been detected and blocked, the app could have cost victims as much as $18 million, researchers said.

“The app has been delivering millions of invisible ads and fake clicks, while delivering genuine user data about real views, clicks and purchases to ad networks,” said Upstream researchers on Thursday. “Ai.type carries out some of its activity hiding under other identities, including disguising itself to spoof popular apps such as Soundcloud. The app’s tricks have also included a spike in suspicious activity once removed from the Google Play store.”

 

[upnorth]

subscribes users to premium services, which depletes mobile data and adds charges, as well as reduces the battery life and overall performance of the device. In terms of how the victims’ payment information is used for the premium services, “These are digital services charged via direct carrier billing, i.e. using the mobile airtime of the users,” Upstream researchers told Threatpost. “No need to access any bank account number.” The one red flag that might tip users off that something is amiss is subscription verification texts; these may be sent from premium digital services to victim devices to confirm their participation. In addition to subscriptions, the app also requires a broad number of permissions from users that Upstream researchers classify as “dangerous” – including permissions to access and view text messages, photos, videos, contact data and on-device storage.

Ai.type, for its part, has had security issues in the past– in 2017, over 31 million customers’ personal data was leaked via an exposed database. And, in 2011, the app found itself in hot water for sending users’ keystrokes to developers’ servers in plain text.