GO Keyboard, an insanely popular custom keyboard app for the Android OS, also available on the official Google Play Store, was caught collecting user data and downloading and running code from a third-party server.
The discovery was made by engineers at AdGuard, a provider of ad-blocking technology. AdGuard says it detected suspicious requests while analyzing the app's web traffic following its installation.
The company says it looked into GO Keyboard's behavior after
an incident with another custom keyboard, TouchPal, that started showing ads over the typing area this past July.
App collected user data, ran external code
While investigating GO Keyboard for similar intrusive ads, AdGuard says it detected the app collecting a large amount of data from the device right after installation and sending it to a remote server.
"Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.,"
said Andrey Meshkov, AdGuard co-founder.
The app also communicates with dozens of third-party trackers and ad networks, Meshkov found, and also downloads and runs a 14 MB file blob, also shortly after installation.
Both actions — collecting user data without user consent and downloading and executing code from a third-party server (bypassing the app review process) — is forbidden for apps uploaded on the Google Play Store.
