One of the very popular alternative virtual keyboards for Android device spies the users on different levels. But not only that - it also opens a backdoor to the devices on which it was installed.
It is about the GO keyboard developed by GOMO Dev Team, which is offered in the Play Store in two variations. According to the download figures, which cover a fairly large margin, the software has been installed by at least 200 million Android users worldwide - but the exact number is a lot higher. Given the mostly positive ratings, the downloaded apps are actually in use with many users.
Now the security researchers from AdGuard have looked at the software of the Chinese provider GOMO Dev Team more closely. And it turned out that the app contrary to the data in the usage regulations very probably transfer personal data of the user to an external server. It communicates with dozens of third-party trackers and ad networks.
It has access to sensitive data including your identity, phone calls log, contacts, microphone. Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.
The keyboard app still has something that is described by the developers as a plugin interface. This allows additional features to be loaded, which means any executable codes can be loaded onto the device of the user after passing the Play Store controls. This is actually prohibited according to the Google Play content policies.
AdGuard has stated the conclusions from the analysis of the apps offered as "GO Keyboard - Emoji keyboard, Swipe input, GIFs" and "GO Keyboard - Emoticon keyboard, Free Theme, GIF" to Google. Currently, they are both still in the Play store to download. AdGuard informed Google of these violations and are waiting for their reaction.