A keyboard app that has been downloaded more than 40 million times has rung up millions of dollars in fraudulent charges by secretly making premium purchases on a targeted device.
The mobile security firm Upstream reported that the keyboard app ai.type had resided in the Google Play app store until its removal in June 2019, but it can still be found in third-party Android stores and remains in use by many people unaware of its malicious nature. The company detected and blocked some 14 million transactions from about 110,000 devices that have the keyboard installed, with most of the victims in Egypt and Brazil.
If all the charges had gone through, it would have cost the device owners about $18 million.
An Upstream spokesperson told SC Media the keyboard’s code contains infected software development kits (SDKs) with hardcoded links to ads, making it able to subscribe device owners to premium services without their knowledge or consent. This malicious activity is not initially embedded in the SDKs but is downloaded after the app is installed.
“These SDKs navigate to the ads via a series of redirections and automatically perform clicks to trigger the subscriptions. This is committed in the background so that normal users will not realize it is taking place,” said Dimitris Maniatis, head of Secure-D at Upstream.
To maintain its persistence, the SDK obfuscates the links used to commit fraud, and the SDK downloads additional code to further complicate detection, he said.
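The behaviour Maniatis describes, a chain of ad redirections followed by an automated click that lands on a subscription endpoint while the user touches nothing, is the kind of pattern an operator-side or on-device anti-fraud layer can look for. The following is an added illustration written for this article, not Upstream's Secure-D logic and not code from the ai.type app: it assumes a hypothetical per-app event log with HTTP responses and user-tap events, scans each app's traffic for runs of 3xx hops ending on a URL that looks like a carrier-billing confirmation, and flags those with no tap from the same app in the preceding window. The event records, package names and URL patterns are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical format: (timestamp_s, package, kind, detail).
# kind "http": detail is "<status> <url>"; kind "touch": detail names the screen that got a tap.
SAMPLE_EVENTS = [
    # A keyboard app silently walks three redirects and lands on a billing confirmation.
    (100.0, "com.example.keyboard", "http", "302 http://ads.example/click?id=1"),
    (100.4, "com.example.keyboard", "http", "302 http://track.example/r?x=1"),
    (100.9, "com.example.keyboard", "http", "302 http://offer.example/landing"),
    (101.3, "com.example.keyboard", "http", "200 http://billing.example/subscribe/confirm"),
    # A news app reaches the same kind of endpoint, but right after a user tap on a paywall.
    (150.0, "com.example.news", "touch", "PaywallActivity"),
    (150.8, "com.example.news", "http", "302 http://billing.example/go"),
    (151.2, "com.example.news", "http", "200 http://billing.example/subscribe/confirm"),
    # Benign background download with no redirect chain.
    (200.0, "com.example.keyboard", "http", "200 http://cdn.example/dictionary.zip"),
]

# Hypothetical URL patterns for premium-subscription confirmation endpoints.
SUBSCRIBE_RE = re.compile(r"/subscribe|/confirm|/wap-billing", re.IGNORECASE)


def find_silent_subscriptions(events, window_s=30.0, min_redirects=2):
    """Return one finding per redirect chain that ends on a subscription-looking URL
    with no user tap from the same app within window_s seconds before the final hop.

    A chain is a run of consecutive 3xx responses from one package; it is closed by
    the next non-3xx response, which is the page the automated click landed on."""
    events = sorted(events, key=lambda e: e[0])
    by_pkg = defaultdict(list)
    for ev in events:
        by_pkg[ev[1]].append(ev)

    findings = []
    for pkg, evs in by_pkg.items():
        chain = []  # (timestamp, url) of the 3xx hops seen so far
        for ts, _, kind, detail in evs:
            if kind != "http":
                continue
            status, url = detail.split(" ", 1)
            if status.startswith("3"):
                chain.append((ts, url))
                continue
            # Non-redirect response: decide whether the chain that led here is suspicious.
            if chain and len(chain) >= min_redirects and SUBSCRIBE_RE.search(url):
                recent_touch = any(
                    k == "touch" and ts - window_s <= t <= ts for t, _, k, _ in evs
                )
                if not recent_touch:
                    findings.append({
                        "package": pkg,
                        "hops": len(chain),
                        "start": chain[0][1],
                        "final": url,
                        "at": ts,
                    })
            chain = []
    return findings


if __name__ == "__main__":
    for f in find_silent_subscriptions(SAMPLE_EVENTS):
        print(f"{f['package']}: {f['hops']} redirects from {f['start']} to {f['final']} with no user tap")
```

With the constructed log, only the keyboard's chain is reported; the news app's subscription is preceded by a tap and has a single hop, so it passes. The two thresholds are deliberately tunable: `min_redirects` keeps ordinary one-hop payment flows out of the alert stream, and `window_s` sets how long a genuine tap is allowed to "explain" a later confirmation. A real deployment would need the obfuscated and dynamically downloaded link targets the article mentions to be resolved from observed traffic rather than matched by a fixed pattern, which is why the URL regex here is marked as a placeholder.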
Upstream said the keyboard’s developer, the Israeli firm ai.type LTD, is a legitimate company and was likely not aware the SDK included in the app was malicious.