Thursday, July 7, 2016

Android Flash Keyboard Hijacks Lock Screen, Violates Privacy

SecurityWeek News (via @SwiftOnSecurity):

A third-party keyboard application for Android that had over 50 million installs was found to collect user data and send it to a remote server, Pentest Limited researchers reveal.


Right from the start, however, Flash Keyboard raises a red flag, given that it asks for a great deal of permissions that it isn’t supposed to have. It can run at startup, can read and write home settings and shortcuts, can use network and Bluetooth as it likes, can modify system settings, disable the lock screen, force-stop other applications, and read the status of phone, user ID, and more. […] Moreover, Flash Keyboard uses device admin APIs that allow it to replace the standard Android lock screen with its own custom lock screen, which is monetized by displaying custom ads.


The researchers discovered that the application was communicating with servers in several countries, including the United States, the Netherlands, and China, and that it sent the following information to them: device manufacturer and model number, IMEI, Android version, user email address, Wi-Fi SSID, Wi-Fi MAC, mobile network, GPS co-ordinates, information about nearby Bluetooth devices, and details of any proxies used by the device.
