Telemetry is very common and a lot of websites, online services and smartphone apps are known to implement such a practice. However, most of the time all of this gets disclosed and the user is fully aware (or at least has the opportunity to be) of the potential personal information collection done by the site or app. That said, it is also disturbingly common for legitimate applications to gather private data form their user’s devices without letting the customer know about what is actually happening and what sort of information is being collected. In addition, it is not uncommon for an app to also execute other processes on the device it has been installed on that haven’t been properly disclosed within the application’s license agreement.
This sort of unauthorized processes executed by applications is against the rules of the Google Store and normally any software from the Store that is detected to do that gets taken down until the issue is fixed.
GO Keyboard Android app collecting data and executing third-party code
Recently, a company focused on developing ad-blocking software named AdGuard reported that a highly-popular application known as GO Keyboard has been detected to gather detailed personalized data from the devices of its customers without informing the latter or asking for their consent in an explicit manner. The app itself is used to for customization of the user’s keyboard but apparently, it serves other unrelated tasks as well.
The information that, according to AdGuard, is being gathered by GO Keyboard consist of the user’s language, Google account e-mail, the device’s location, its screen size, model, Android version among others. This is indeed detailed information that most apps would never require. However, in the current case, the user isn’t even asked for an explicit permission so that the app would be allowed to collect the aforementioned details.
Another issue with this app is that it has been reported to execute third-party code from dozens of ad networks and web trackers. In addition, after the installation of the main application has been completed, an additional file is being downloaded without the customer’s knowledge .
The application is still available!
The researchers at AdGuard have informed Google regarding the suspicious behavior of the Go Keyboard application, however no action seems to have been taken yet by Google towards removing the app from the Store (temporarily or permanently). Though the report was filed a few days prior to the writing of this article, when we checked whether or not the Go Keyboard application was still available in the Google Store, we found out that it hasn’t been taken down.
There are two versions of this app that are said to be executing the undesirable third party code and collecting user data – GO Keyboard – Emoticon keyboard, Free Theme, GIF and GO Keyboard – Emoji keyboard, Swipe input, GIFs. If you are currently using either one of the two, know that your personal data might be getting collected by the application without your knowledge or agreement. Both of the GO Keyboard apps seem to be highly popular as their installation counts go between 100 and 500 million users. The applications’ developer is a Chinese company known as GOMO apps. No statement has been given by GOMO apps on the topic of their applications presumably collecting extensive private data without being authorized by the customers.