GO Keyboard, an insanely popular custom keyboard app for the Android OS, also available on the official Google Play Store, was caught collecting user data and downloading and running code from a third-party server.
The discovery was made by engineers at AdGuard, a provider of ad-blocking technology. AdGuard says it detected suspicious requests while analyzing the app's web traffic following its installation.
The company says it looked into GO Keyboard's behavior after an incident with another custom keyboard, TouchPal, that started showing ads over the typing area this past July.
While investigating GO Keyboard for similar intrusive ads, AdGuard says it detected the app collecting a large amount of data from the device right after installation and sending it to a remote server.
"Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.," said Andrey Meshkov, AdGuard co-founder.
The app also communicates with dozens of third-party trackers and ad networks, Meshkov found, and also downloads and runs a 14 MB file blob, also shortly after installation.
Both actions — collecting user data without user consent and downloading and executing code from a third-party server (bypassing the app review process) — is forbidden for apps uploaded on the Google Play Store.
AdGuard says it informed Google of the app's behavior, but at the time of their investigation publication, the Google team had not answered their report.
There are two versions of the Go Keyboard [1, 2] that exhibit this behavior, Meshkov said. Both of them have an installation count between 100 and 500 million users, meaning the number of affected users ranges from 200 million to 1 billion.
GOMO Apps — the Chinese app development company behind GO Keyboard — did not respond to a request for comment from Bleeping Computer in time for this article's publication.