Dangerous keyboard app has more than 50 million downloads

The Flash Keyboard app has been downloaded more than 50 million times -- but is capable of some extremely dangerous behaviors.

"It looked like it was a convenient keyboard that had some nice features," said Bill Anderson, chief product officer at mobile security company OptioLabs. "The marketing copy in the app store looked great."

For a while, the app was in the top 20 downloads for the Google Play Store, he added.

"The problem was that it asked for just about every permission that an app could ask for," he said. "It was an especially long list. And surprisingly, most people said yes. But the permissions were so excessive that it turned this thing into a potentially marvelous way to hack phones."

There is no evidence that the app itself did anything malicious, he said, but it did do some things that were questionable.

"In particular, it was found to be opening up a net connection, and sending some data it was collecting from the phone to a server somewhere else," he said. "The data was the device, manufacturer, model number, the Android version, the owner's email address, all of the Wifi addresses that it could see, the cell network it was on, the GPS coordinates of where the phone was, information about any of the Bluetooth devices it could see, and information about any web proxies it could see."

Once the data is collected, it could also be used to create a very deep personal profile of users, could be shared with third parties, and could be vulnerable to state-sponsored hackers and criminals.

None of this is information that a keyboard app needs to have, he added.

"But it's certainly good information to have if you wanted to track users and send them targeted advertisements, and that was probably what was going on here," he said. "It was doing that without informing the user, which was the problem, and ultimately got it removed from the store."

However, the app popped right back up again, and now stands at over 700,000 downloads.

"It looks as though the same group of people has put it up again," Anderson said.

The developer is DotC United, based in Hong Kong.

There are also some permissions that are particularly worrying.

For example, the app asks for the ability to download new files without notifying the user.

"Normally, if an app tries to download a file, it has to pop up a notification on the user screen," he said. "This one can potentially update itself with code that was actually malicious. It is a potential vector for a Trojan horse that could turn into something else in the future."

Another dangerous permission is the one for installing shortcuts.

"It sounds quite innocuous," he said. "But it turns out that it lets you replace the home screen with its own home screen for login, so it could have its own code for you to open up the Android phone. They didn't do this, but it offers an opportunity to do ransomware -- I could charge you money to unlock your phone."

It's the most egregious abuse of permissions he's ever seen, Anderson said.

On the app's Facebook page, there are numerous complaints from users about the spyware, and even more complaints about the fact that the app automatically reinstalls itself after it's been deleted.

Anderson warned users to pay attention to the permissions for any new app that they download.

He added that the Google Play app store wasn't doing enough to protect users.

"There's very little review of these apps or the companies that submit them," he said. "The app store is the Wild West."

Anderson said that his company began to pay attention to this app because of a recent report by Pentest.

According to Pentest, the app violated Google policies about deceptive behavior by replacing the lock screen with one that shows ads without telling users, by hiding notifications, by making removal difficult, and by sending information to third parties without the users' knowledge.
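The permission review Anderson recommends can be automated against an app's manifest. The sketch below is an added example, not code from the article, OptioLabs or Pentest: it reads a manifest already decoded to text XML and flags requested permissions that map to the data and behaviors described above. The sample manifest is constructed, and the permission-to-risk mapping and the keyboard baseline are assumptions, not the app's actual permission list.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
INTERNET = "android.permission.INTERNET"
# Assumed mapping (not from the article's sources) from Android permission
# names to the data or behavior the article describes.
RISKY = {
    "android.permission.GET_ACCOUNTS": "owner's account e-mail address",
    "android.permission.ACCESS_WIFI_STATE": "visible Wi-Fi networks",
    "android.permission.ACCESS_FINE_LOCATION": "GPS coordinates",
    "android.permission.ACCESS_COARSE_LOCATION": "network-based location",
    "android.permission.READ_PHONE_STATE": "device and cell network details",
    "android.permission.BLUETOOTH": "nearby Bluetooth devices",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent downloads",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "home-screen shortcuts",
}
# Assumed baseline: what a plain keyboard (input method) plausibly needs.
KEYBOARD_BASELINE = {"android.permission.VIBRATE"}

# Constructed sample manifest, not the real app's.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.keyboard">
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
  <uses-permission-sdk-23 android:name="android.permission.WAKE_LOCK"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names the manifest requests."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    names = (el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t))
    return {n for n in names if n}

def audit(manifest_xml, baseline=KEYBOARD_BASELINE):
    """Split permissions beyond the baseline into flagged and unreviewed."""
    perms = requested_permissions(manifest_xml)
    excess = perms - baseline
    flagged = {p: RISKY[p] for p in sorted(excess) if p in RISKY}
    unreviewed = sorted(excess - set(flagged) - {INTERNET})
    return {
        "flagged": flagged,          # known-sensitive, not needed for typing
        "unreviewed": unreviewed,    # outside the baseline, needs a human look
        # Network access plus sensitive data means data can leave the phone.
        "network_and_sensitive": INTERNET in perms and bool(flagged),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST))
```

The manifest inside an APK is stored as binary XML, so it has to be decoded to text (for example with apktool) before this check can read it.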

Maria Korolov

CSO (US)