The Android version of the popular virtual keyboard app ai.type has attempted to make over 14 million unauthorized transactions that could have cost the users US$18 million in unwanted charges, reads a report from mobile technology firm Upstream.
The attempted purchases came from 110,000 unique devices across 13 countries. The activity was concentrated in North Africa and South America, with the illicit traffic going through the roof in July of this year and continuing for the following two months. Notably, this was after the app had been pulled from the Google Play store in June.
The app, which has been downloaded over 40 million times, promises to personalize your keyboard with different emojis and fonts and includes features like learning your writing style and auto-correcting your typing mistakes. In fact, you may recall that the app also made headlines last year, when it emerged that its developers had left the personal data of more than 31 million users exposed on an unprotected server.
Upstream has now found that ai.type, once downloaded to a smartphone, starts making unauthorized purchase requests for premium digital content. The app has been subscribing users to premium services using software development kits (SDKs) with “obfuscated hard-coded links back to advertising trackers”.
“These SDKs navigate to the ads via a series of redirections and automatically perform clicks to trigger the subscriptions,” said Upstream. All of this takes place in the background, so users are none the wiser. The app also disguises itself as other popular apps, such as Soundcloud, to carry out some of these activities.
Users may have been tipped off by the long list of permissions the app requested, including read access to text messages, photos, videos, contact data and also access to on-device storage. Needless to say, you should always be wary of what kinds of permissions you grant to apps.
The app's users are well advised to check their smartphones for any indication of strange behavior and remove the rogue app. You should also check if you may have been charged for services you have not ordered.
As Threatpost notes, the app is still available in alternative Android marketplaces, as well as in Apple's App Store, although Apple is said to be looking into the app’s functionality now. Forbes writes that there’s actually a new version of ai.type in Google Play, but without the same malicious functionality.
The app’s shenanigans may remind some readers of a subscription scam that ESET researchers uncovered last year, but that one relied solely on user inattention.