The popular Android custom keyboard app Go Keyboard was found secretly collecting user data and sending it to remote servers. The app, which is available via Google Play Store and third-party app stores and has been downloaded by over 400 million users, was also found downloading "dangerous" executable code from a third-party server.
The app was developed by the Chinese GOMO Dev Team and offers users various attractive themes. Go Keyboard also has two versions in Google Play, both of which have access to users' sensitive data, including personal identity, contacts, phone call logs and microphone.
According to security experts at AdGuard, who uncovered the app's data-collecting behaviour, the app communicates with dozens of third-party trackers and ad networks. The apps also download and run a 14MB file and send "quite a lot of information" about users to remote servers after installation.
"Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc. What's important, given the apps' extensive permissions, remote code execution introduces severe security and privacy risks," AdGuard co-founder Andrey Meshkov wrote in a blog. "At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants. Remember, it's a keyboard, and every important bit of information you enter goes through it!"
AdGuard said that it has notified Google about Go Keyboard's behaviour. At the time of writing, multiple versions of the Go Keyboard app are still available for download via Google Play. IBTimes UK has reached out to Google for further clarity on the issue and will update this article in the event that a response is provided.