Popular GoKeyboard App Spying on Millions of Android Users

Popular "GoKeyboard" App Spying on Millions of Android Users

For Android smartphone users, online life is always on the edge as every other day there is a new way with which cybercriminals plan to keep a tab on their devices and invade privacy. It is the rule of the thumb that an Android user must never trust the device for storing confidential data as even the most harmless looking apps can perform unnoticeable surveillance. Blame it on the way app developers and OEMs design their products and services.





AdGuard security researchers have identified that Go Keyboard, an app developed by Chinese GOMO developer team, cannot be trusted because it conducts spying and therefore, Android smartphone owners must not download or install this app.

According to researchers, there are two variants of Go Keyboard available on Google namely “GO Keyboard – Emoji keyboard, Swipe input, GIFs” and “GO Keyboard – Emoticon keyboard, Free Theme, GIF.“ Both versions send out private data to remote servers and execute unauthorized code on the android device. Each of the versions has about 100k to 500k downloads so far, and on Play Store these apps are rated at 4.5 and 4.4 stars.

Go Keyboard’s app information
Researchers from AdGuard became alerted about suspicious spying acts of keyboard apps after Touchpal keyboard app was identified to display ads on HTC devices earlier in 2017. It was suspected that GOMO developer team was trying to collect private and confidential data such as the email address used to connect with Google Play Store, Android version, screen size, network type and phone’s make/model number.

“We will never collect your info including credit card information. In fact, we care for privacy of what you type and who you type!”
The app does the exact opposite of what it promises or claims. It starts sharing personal data right after its installation on the device and communicates with dozens of tracking servers apart from collecting sensitive, confidential information.

Some of the permissions we noticed are: “retrieve running apps, read sensitive log data, find accounts on the device, read your contacts, read call log, record audio, display unauthorized windows, read terms you added to the dictionary and add words to user-defined dictionary etc.”

“We find this behavior unacceptable and dangerous. Having 200+ Million users does not make an app trustworthy. Do not blindly trust mobile apps and always check their privacy policy and what permissions do they require before the installation,” stated AdGuard researchers.



AdGuard has informed Google regarding its findings, and the company is yet to release an official statement about the issue. However, three days ago, in their comment section, AdGuard’s Andrey Meshkov wrote that Google never replied to their report.