A.I.type: Virtual keyboard app emerged as the biggest Android threat

RapidVPN/ November 28, 2019/ Blog/

The virtual keyboard app A.I.type, which has racked up 40 million downloads, has been found to sign up users to premium services without their consent.

A.I.type is a customizable on-screen keyboard app for mobile devices that allows end-users to customize the keyboard to their personal preference. It also learns the user’s writing style over time, anticipating commonly used words and phrases to speed up the written composition. Developed in Israel by ai.type Ltd., the app was available on Google Play until June 2019 when it was removed. It has driven more than 10 million downloads on Google Play store and claims more than 40 million users. The A.I.type app was removed from Google Play in June 2019 – but remains on millions of Android devices and is still available from other Android marketplaces.

Upstream’s security platform Secure-D identified and blocked more than 14 million suspicious transaction requests originating from the ai.type keyboard app. These transactions came from more than 110,000 unique devices and if not blocked, would have triggered the purchase of premium digital services, potentially costing users in 13 countries up to $18 million in unwanted charges. Most of the suspicious activity, which is still on-going, took place in Egypt and Brazil.

A.I.type’s popularity and useful features have been used to disguise systematic and worrying activity. This happens in the background without the user being aware and includes fake ad views and attempted digital purchases.

While the activity is partly targeted at advertisers, it affects users in the following way: Subscribes users to premium services depleting their mobile data and adding charges that eat into their prepaid airtime. In many emerging markets, using prepaid airtime is the only way to pay for digital services.

Compromised mobile apps and mobile ad fraud are a growing problem

 To avoid falling victim to data theft and unwanted purchases or subscriptions, Android users should immediately check their phones to see if they have any suspicious app installed. If so, they should uninstall it immediately and review any new mobile airtime charges for possible fraud.

In most cases, Google Play is a safer source of Android apps – but even apps from legitimate sources can be compromised. Before any installation, users should check the app’s reviews, developer details, and list of requested permissions, making sure that they all relate to the app’s stated purpose.

As Threatpost notes, the app is still available in alternative Android marketplaces, as well as in App Store, although Apple is said to be looking into the app’s functionality now. Forbes journalist Kate O’Flaherty writes that there’s a new version of A.I.type in Google Play but without the same malicious functionality.

Test results

Researchers said that in testing, they reviewed the app’s impact on a Samsung SM-J500F and a Samsung GT-19500. The A.I.type versions installed on each tested device contained SDK frameworks with obfuscated hard-coded links back to advertising trackers, used by mobile advertising networks to display ads. Also, the app downloads additional JavaScript code that can be used to perform automated clicks. The app then disguises itself as popular apps – such as SoundCloud – and subscribes users to premium services, which depletes mobile data and adds charges, as well as reduces the battery life and overall performance of the device.

In terms of how the victims’ payment information is used for the premium services, “These are digital services charged via direct carrier billing, using the mobile airtime of the users,” Upstream researchers told Threatpost. “No need to access any bank account number.”

The one red flag that might tip users off that something is amiss is subscription verification texts; these may be sent from premium digital services to victim devices to confirm their participation.

In addition to subscriptions, the app also requires a broad number of permissions from users that Upstream researchers classify as “dangerous” – including permissions to access and view text messages, photos, videos, contact data, and on-device storage.

It seems that malicious Android apps are popping up more than ever

Recently, a lot of experts have been commenting that the Google Play Store is getting out of hand. It is noticed that numerous developers are re-publishing apps caught for fraudulent behavior, under the same name, or a different app name.

So it goes without saying, if you use Android, you need to take steps to secure your device–and be careful about what you download as well as the permissions you allow your apps.

What is the best advice that we can give?

Google confirmed that the app had been removed from Google Play. However, Upstream advises anyone who has downloaded A.I.type to check their phones for unusual behavior. This can include issues such as the battery depleting faster than usual, your device overheating, your data plan depleting or charges for premium digital services that you haven’t purchased. If you spot any of these indicators, you have likely become a victim.

In general, Android users need to be more proactive about their security than those who use Apple’s iPhone. Meanwhile, read users’ reviews of apps–and not only the most recent ones. You should also have active and updated anti-virus running on your device. If you have already downloaded the app, you should delete it now.