Security researchers are warning Android owners that your keyboard may be spying on you. Researchers from Adguard say that two variants of Go Keyboard are sending personal information to remote servers and executing unauthorized code on devices. Go Keyboard is developed by the Chinese GOMO Dev Team.

The two versions of the keyboard are listed in the Google Play Store as “GO Keyboard – Emoji keyboard, Swipe input, GIFs” and “GO Keyboard – Emoticon keyboard, Free Theme, GIF“. The keyboards each have between 100k and 500k downloads, and are rated at 4.5 and 4.4 stars respectively.

Adguard decided to look into traffic associated with keyboards after the Touchpal keyboard was caught displaying ads on HTC phones earlier this year. Researchers determined that the GOMO team was collecting sensitive information including the email address associated with your Google Play Store account, network type, screen size, Android version, and build number. Additionally, the apps communicate with tracking networks and execute code from a remote server. Some of the downloaded plugins are marked as adware by multiple anti-virus programs.

See also:

Collecting the email address associated with your Google Play login and executing code on your device from a source outside of the Google Play Store are both violations of the Malicious Behaviors section of the Developers Policy Center. Here are the two policies its violating with these actions:

  • Apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information.
  • Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.

As worrying as the GOMO team’s behavior currently is, the real danger is if it decides to track everything you type. We use keyboards on our devices to type in sensitive information like passwords, bank account numbers, social media log-ins, and phone numbers. At the whim of the developers, all of this could be tracked and sent back to a remote server.

Adguard has passed its findings onto Google and is awaiting a response. It sums up its findings with this warning.

Whatever their decision is, we find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation.