Popular Android App “Go Keyboard” Caught Tracking Millions of Users

Popular Android App “Go Keyboard” Caught Tracking Millions of Users

Go Keyboard, a popular keyboard app for Android, has been accused of secretly tracking users.

Security researchers released a warning earlier this week saying that two versions of Go Keyboard were sending personal information to remote servers and executing unauthorized code on devices.

Go Keyboard is created by a China-based company named GOMO Dev Team.

Both versions of the keyboard are freely available from the Google Play Store. One is called GO Keyboard – Emoji keyboard, Swipe input, GIFs, and the other is called GO Keyboard – Emoticon keyboard, Free Theme, GIF.

The SMS tracking problem was spotted by researchers at Adguard. Researchers spotted suspicious traffic being sent and received by the keyboard apps and decided to investigate. Earlier this year, a keyboard called Touchpal was caught displaying ads on HTC phones under similar circumstances. Researchers eventually determined that the GOMO Dev Team was collecting sensitive personal information about users without their explicit permission.

Some of that personal information included the email address associated with your Google Play Store account, your network type, screen size, Android version, and build number.

The keyboard apps were also caught communicating with tracking networks and executing code from a remote server.

Making things look even worse for Go Keyboard is that some of the downloaded plugins are marked as adware by multiple antivirus programs.

Go Keyboard May Be Violating the Google Play Store’s Rules

Google forbids developers from collecting the email address associated with your Google Play login without your permission. They also block developers from executing code on your device from a source outside the Google Play Store. Both actions violate the Malicious Behaviors section of the Developers Policy Center.

Go Keyboard is violating two specific policies:

  • Apps that steal a user’s authentication information (like usernames or passwords) or that mimic other apps or websites to track users into disclosing personal information
  • Apps or SDKs that download executable code, like dex files or native code, from a source outside the Google Play Store

Does Go Keyboard Track Everything You Type?

Users are worried that the GOMO Dev Team is tracking everything you type. After all, that’s one of the biggest concerns when using a third-party keyboard app. Most people type sensitive information into their smartphone on a daily basis – from bank accounts to passwords to SMS messages. We rarely stop to think about our keyboard tracking every keypress or monitoring our smartphones.

At this point, Adguard hasn’t found any hard evidence that Go Keyboard tracks your keypresses and sends that information to a remote server.

Adguard has, however, passed their findings onto Google, and is awaiting a response.

Nevertheless, the Go Keyboard apps listed above have been downloaded 200 million times. This is one of the most frightening parts of this SMS tracking incident: many Android users assume apps with a large number of downloads are perfectly safe to use. As we learned in this incident, that’s not always the case.

Consider deleting Go Keyboard from your app and replacing it with a more legitimate keyboard app – like your default Android keyboard.

If you do want an app that tracks SMS messages, location, app activity, photos, camera footage, and more, then consider downloading SpyStealth. The popular Android tracking app has been used by everyone from cautious parents to employers.