Popular Android Keyboard App Caught Collecting User Data, Running External Code

[Elixer]

I don't use GO keyboard myself...

While investigating GO Keyboard for similar intrusive ads, AdGuard says it detected the app collecting a large amount of data from the device right after installation and sending it to a remote server.

"Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.," said Andrey Meshkov, AdGuard co-founder.

The app also communicates with dozens of third-party trackers and ad networks, Meshkov found, and also downloads and runs a 14 MB file blob, also shortly after installation.

Both actions — collecting user data without user consent and downloading and executing code from a third-party server (bypassing the app review process) — is forbidden for apps uploaded on the Google Play Store.

Researchers notified Google. No action as of yet.
AdGuard says it informed Google of the app's behavior, but at the time of their investigation publication, the Google team had not answered their report.

There are two versions of the Go Keyboard [1, 2] that exhibit this behavior, Meshkov said. Both of them have an installation count between 100 and 500 million users, meaning the number of affected users ranges from 200 million to 1 billion.

GOMO Apps — the Chinese app development company behind GO Keyboard — did not respond to a request for comment from Bleeping Computer in time for this article's publication

https://www.bleepingcomputer.com/ne...t-collecting-user-data-running-external-code/

 

[Rifter]

Thank god ive stuck with swiftkey for all these years.