Google removed one of its Top 20 most popular Android apps from the Play Store after an investigation from Pentest, a UK-based cyber-security firm who discovered that the app violated Google’s policies by showing a deceptive behavior.
Pentest’s engineers found that the app requested more permissions than its native behavior needed, asked for admin privileges in order to make uninstallation more difficult, hijacked the user’s screen to show ads, and collected and transferred user information to a third-party without the user’s permission.
App had more than 50 million downloads
The app’s name is Flash Keyboard, and before the, it was ranked #11 in Google’s most popular Android apps, with over 50 million downloads. As its name hints, the app is a replacement for Android’s stock keyboard, developed by DotC United.
Pentest found it exaggerated that the app would require access to a phone’s Bluetooth connection, geo-location feature, or WiFi status.
Additionally, the app would ask for access to kill background processes, read SMS messages, show system overlays, or remove download notifications. Pentest says there are no reasons for a keyboard app to require these intrusive permissions.
Further, Pentest detected that Flash keyboard was asking for device admin permissions, and was using these powers to take over the phone’s lock screen and show ads.
Collecting user data without prior notice
Pentest also analyzed a stream of data that was originating from the app and says Flash Keyboard was collecting information about the user and was sending it remote servers in the US, the Netherlands, and China.
Some of the data the app was collecting and sending to these services included details such as device manufacturer, device model number, Android version, email address, SSID, MAC, IMEI, mobile network, GPS coordinates, information on nearby Bluetooth devices, and the presence of any proxies.
Pentest believes that the app breaches Google’s deceptive behavior policy for the following reasons:
“ Mimics operating system functionality by replacing the built-in lock screen with its own. ”
“ Does not disclose that it replaces the lock screen to display advertisements. ”
“ Allows application updates and intentionally hides operating system notifications that would alert the user to the update. ”
“ Sends personal information to a 3rd party site without the user’s knowledge. ”
“ Makes it difficult for the average user to uninstall. ”
After Pentest’s report, Google removed the app. Soon after, the developer created and submitted to the Play Store an app called Flash Keyboard – Lite. At the time of writing, the Flash Keyboard is yet again available via Google’s Play Store.