UPDATED on 25.09.2017, details are in the bottom of the article
Have you ever thought that your keyboard could be a professional spy? And we are not talking about jamesbondish handsome spies from Hollywood movies, but about the overt and constant home phoning of the personal information with its future distribution to third parties. Our recent research discovered a popular Android keyboard to spy on its users, with tons of personal information being sent to remote servers and using a prohibited technique to download dangerous executable code.
The goal of the research was to investigate keyboards' traffic consumption, unwanted behavior and demonstration of ads, and what users' private data they send to their servers and third-parties. We decided to test keyboard apps after the [recent story](https://blog.adguard.com/en/keyboard_ads/) with TouchPal, a keyboard, that started showing ads to HTC devices users right in the typing area. Why does it matter? A keyboard is an input tool wherethrough almost all your valuable private data passes. Just imagine, you enter your logins, passwords, texts of emails, and messages using your keyboard, and then - everything is sent (maybe even sold) to third-parties. GO Keyboard has become an absolute "champion" in this field. This app offers a "smart" keyboard with various colorful and attractive themes. It has 200M+ users all over the world and is developed by the Chinese GOMO Dev Team.
Besides being a popular ad blocker and a privacy protection utility, AdGuard for Android is also an excellent tool for inspecting the apps' traffic. The mighty filtering log shows you what exact web requests do your apps send, and the option to record a HAR (Http Archive) file lets you look into the request's body.
Unfortunately, everything listed above is a norm nowadays. Recent research showed that 7 in 10 mobile apps share your data with third-party services. However, this developer crossed the red line and directly violated the Google Play content policies - malicious behavior section.
Apps that steal a user’s authentication information (such as usernames or passwords) or that mimic other apps or websites to trick users into disclosing personal or authentication information.
Without explicit user consent, the GO keyboard reports to its servers your Google account email in addition to language, IMSI, location, network type, screen size, Android version and build, device model, etc.
Apps or SDKs that download executable code, such as dex files or native code, from a source other than Google Play.
Shortly after the installation, both apps downloaded and executed code from a remote server, directly violating this policy. Some of the downloaded plugins are marked as Adware or PUP by multiple AV engines.
What's important, given the apps' extensive permissions, remote code execution introduces severe security and privacy risks. At any time the server owner may decide to change the app behavior and not just steal your email address, but do literally whatever he or she wants. Remember, it's a keyboard, and every important bit of information you enter goes through it!
HAR files and plugins are available here.
UPDATE (25.09.2017): Almost every GO app (including even GO Music) has received an update on September 22. We have re-evaluated both keyboard apps and can confirm that the violations are gone now.