Flash Keyboard – Dangerous App Downloaded By Millions

Let’s say the next time you go to a local retail store they ask you for your smartphone manufacturer, model number, OS version, your email address, all of the Wi-Fi access points your phone can see, the cell network it’s on, the GPS coordinates of where the phone has been, information about any Bluetooth devices it can see, and information about any web proxies it can see.

Would you give this info to them? Not on your life. Surprisingly, over 50 million people willingly coughed up this data to access a simple keyboard app. Why would they do that?

Impatient & Click Happy

Today’s mobile consumer desires instant gratification like never before. Nobody reads the fine print anymore. Instead we blindly click “Install and Accept” without hesitation when downloading mobile apps. When you do this with the Flash Keyboard app you give up an impressive laundry list of permissions. Here is the list of permissions the app requests, and it is actually chilling:

Device & app history

  • read sensitive log data
  • retrieve running apps

Identity

  • find accounts on the device
  • read your own contact card

Contacts

  • find accounts on the device
  • read your contacts

Location

  • precise location (GPS and network-based)
  • approximate location (network-based)

SMS

  • read your text messages (SMS or MMS)

Phone

  • read phone status and identity
  • reroute outgoing calls

Photos/Media/Files

  • modify or delete the contents of your USB storage
  • read the contents of your USB storage

Storage

  • modify or delete the contents of your USB storage
  • read the contents of your USB storage

Camera

  • take pictures and videos

Wi-Fi connection information

  • view Wi-Fi connections

Device ID & call information

  • read phone status and identity

Other

  • download files without notification
  • read Home settings and shortcuts
  • write Home settings and shortcuts
  • read Home settings and shortcuts
  • write Home settings and shortcuts
  • force stop other apps
  • run at startup
  • update component usage statistics
  • full network access
  • view network connections
  • read terms you added to the dictionary
  • run at startup
  • control vibration
  • add words to user-defined dictionary
  • draw over other apps
  • modify system settings
  • install shortcuts
  • uninstall shortcuts
  • connect and disconnect from Wi-Fi
  • close other apps
  • Google Play license check
  • disable your screen lock
  • send sticky broadcast
  • change network connectivity
  • pair with Bluetooth devices
  • access Bluetooth settings
  • read battery statistics
  • prevent device from sleeping

Data Use Intent

So what’s the Hong Kong-based DotC United (the app developer) planning to do with all this info? For starters, they track users and send targeted ads. Perhaps that’s the full extent of it; however, nobody can know for sure. The possibilities are even more frightening than the permission list. With the information it can access, the app provider could:

  • Create deep user personal profiles
  • Share data with third parties
  • Expose users to state-sponsored hackers and criminals

But wait. There’s more…

Ransomware Risk

If you read the permission list carefully, you will note that the app is allowed to download files without notification. This means code updates carrying malicious files or Trojan horse payloads could arrive right under the user’s nose, with nothing shown on screen.

The install-shortcuts permission is also fraught with potential hazards.

In a recent article in Network World, Bill Anderson, chief product officer at OptioLabs says, “It sounds quite innocuous, but it turns out that it lets you replace the home screen with its own home screen for login, so it could have its own code for you to open up the Android phone. They didn’t do this, but it offers an opportunity to do ransomware — I could charge you money to unlock your phone.”

Tough To Exterminate

According to Pentest, the app violates Google’s policies on deceptive behavior by swapping your lock screen for one that displays ads. The app also hides notifications, makes removal difficult, and sends information to third parties without the user’s knowledge.

After complaints about Flash Keyboard, it was removed from the Google Play store. It has since appeared again with over 740,000 downloads and counting. Apparently, the app can even reinstall itself after being deleted.

Buyer Beware

For any app, be it free or paid, it’s imperative these days to carefully read the permissions list. If you’re not sure or feel uncomfortable, it’s probably best not to install.
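Reading a permission list by hand is tedious, which is exactly why people skip it. The script below is an added example (not code from the original post, and not OptioLabs’ or the app developer’s code) of how a reviewer can automate that step: it parses the `<uses-permission>` entries from an app’s AndroidManifest.xml, maps the standard Android permission constants to the labels the Play Store shows (the same wording as the list above), assigns each a coarse risk tier, and flags everything a plain keyboard should not need. The manifest embedded in it is constructed for the demo and does not reproduce the real Flash Keyboard manifest; the `KEYBOARD_BASELINE` set and the tier numbers are this example’s own judgement calls, not an Android or Google standard.

```python
"""Triage the permissions an Android app requests before installing it.

Added example, not code from the original post. The manifest below is
constructed for the demo; the tiers and the keyboard baseline are this
example's own assumptions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Standard Android permission constant -> (Play Store label, risk tier).
# Tier 3: reads private data or alters security-relevant device state.
# Tier 2: broad capability that is hard to justify for a keyboard.
# Tier 1: routine, low impact.
PERMISSION_INFO = {
    "android.permission.READ_LOGS": ("read sensitive log data", 3),
    "android.permission.READ_SMS": ("read your text messages (SMS or MMS)", 3),
    "android.permission.PROCESS_OUTGOING_CALLS": ("reroute outgoing calls", 3),
    "android.permission.READ_CONTACTS": ("read your contacts", 3),
    "android.permission.ACCESS_FINE_LOCATION": ("precise location (GPS and network-based)", 3),
    "android.permission.CAMERA": ("take pictures and videos", 3),
    "android.permission.DISABLE_KEYGUARD": ("disable your screen lock", 3),
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw over other apps", 3),
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": ("download files without notification", 3),
    "android.permission.READ_PHONE_STATE": ("read phone status and identity", 2),
    "android.permission.GET_ACCOUNTS": ("find accounts on the device", 2),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("run at startup", 2),
    "android.permission.KILL_BACKGROUND_PROCESSES": ("close other apps", 2),
    "android.permission.WRITE_EXTERNAL_STORAGE": ("modify or delete the contents of your USB storage", 2),
    "android.permission.BLUETOOTH_ADMIN": ("pair with Bluetooth devices", 2),
    "com.android.launcher.permission.INSTALL_SHORTCUT": ("install shortcuts", 2),
    "android.permission.INTERNET": ("full network access", 1),
    "android.permission.ACCESS_NETWORK_STATE": ("view network connections", 1),
    "android.permission.VIBRATE": ("control vibration", 1),
    "android.permission.READ_USER_DICTIONARY": ("read terms you added to the dictionary", 1),
}

# Assumption: what an input-method app plausibly needs. Everything else is excess.
KEYBOARD_BASELINE = {
    "android.permission.VIBRATE",
    "android.permission.READ_USER_DICTIONARY",
}

# Constructed sample manifest (not the real app's). INTERNET is listed twice on
# purpose to show that duplicates are collapsed.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard.demo">
    <uses-permission android:name="android.permission.VIBRATE"/>
    <uses-permission android:name="android.permission.READ_USER_DICTIONARY"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
    <uses-permission android:name="android.permission.DOWNLOAD_WITHOUT_NOTIFICATION"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
</manifest>
"""


def parse_permissions(manifest_xml):
    """Return the unique permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = []
    for node in root.iter("uses-permission"):
        name = node.get(f"{{{ANDROID_NS}}}name")
        if name and name not in names:
            names.append(name)
    return names


def triage(manifest_xml):
    """Return (rows, score). Rows are (tier, label, constant, is_excess),
    highest tier first; score sums the tiers of every excess permission."""
    rows = []
    for perm in parse_permissions(manifest_xml):
        # Unknown constants get a tier-2 default so they are never silently ignored.
        label, tier = PERMISSION_INFO.get(perm, ("(unlisted) " + perm.rsplit(".", 1)[-1].lower(), 2))
        rows.append((tier, label, perm, perm not in KEYBOARD_BASELINE))
    rows.sort(key=lambda r: (-r[0], r[1]))
    score = sum(tier for tier, _, _, excess in rows if excess)
    return rows, score


def format_report(rows, score):
    lines = [f"excess-permission risk score: {score}"]
    for tier, label, perm, excess in rows:
        flag = "EXCESS" if excess else "ok    "
        lines.append(f"  tier {tier}  {flag}  {label}  [{perm}]")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(*triage(SAMPLE_MANIFEST)))
```

On a real APK the manifest can be decoded with apktool and fed to `triage()` in place of the constructed sample; the tier-3 rows are the ones to read twice before tapping “Install and Accept”.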

Develop solid mobile security architecture for your organization. Contact OptioLabs today.
