The other day we told you about malware that keeps reinstalling itself on Android phones even after a factory reset. Today, we have a story about a typing app once found in the Google Play Store called ai.type. Installed over 40 million times, the app has been making purchases of premium digital content without permission from the phone's owner. Besides making these purchases, the app runs ads in the background and produces fake clicks to help bad actors generate revenue. It also sends to ad networks data containing real views, real clicks and real purchases. Security firm Upstream notes that the app has caused problems in 13 countries with those in Egypt and Brazil particularly vulnerable.
blocked unauthorized premium purchase requests coming from the Snaptube video app), prevented 14 million suspicious transactions related to ai.type from going through. These requests were made from only 110,000 devices that had installed ai.type. Had they not been blocked by Secure-D, these bogus premium purchases would have cost Android users over $18 million in unauthorized transactions.The Upstream Secure-D mobile security platform (the same security platform that
This app sent out verifying texts confirming subscriptions to premium content without the knowledge of the victim
The app, developed by an Israeli company called ai.type LTD, bills itself as a free emoji keyboard. And even though it was removed from the Google Play Store in June, it still remains on millions of Android devices. Not that long after it was booted from the Play Store, Secure-D spotted a surge in suspicious activity that peaked near 400,000 such events a day in August. Upstream suggests that anyone who installed the app on their phone check the device for unusual behavior. They should also go over their phone bills, looking for unauthorized or unknown premium charges. Additionally an increase in data consumption can also be the sign of a malware-laden app.
Explaining how this app is a threat to phone owners, Dimitris Maniatis, the head of Secure-D at Upstream, states that "ai.type contains software development kits (SDKs) with hardcoded links to ads and subscribes users to premium services without their consent. These SDKs navigate to the ads via a series of redirections and automatically perform clicks to trigger the subscriptions." Maniatis explains why users might not even notice that something is wrong by pointing out that "this is committed in the background so that normal users will not realize it is taking place. In addition, the SDKs obfuscate the relevant links and download additional code from external sources to complicate detection even from sophisticated analysis techniques. Bottom line: innocent users are paying for these hidden, unauthorized purchases and related data consumption whose source is buried in the app."
According to Upstream CEO Guy Krief, mobile advertising fraud is a $40 billion a year market. In any given region, he says that one in ten devices can be infected. Krief also points out that these apps are hard to spot and because they "(dress) up to appear as legitimate and often popular applications, undetected malware damages the industry’s reputation, leaving mobile operators and their customers to pick up the tab." With that in mind, ai.type has disguised itself as other apps including Soundcloud.
Images published by Upstream showed verification texts sent from infected phones without the knowledge of the handset's owner. These messages show how victims can find themselves on the hook for premium subscriptions that can charge users daily running up quite a bill. Upstream explains that virtual keyboard apps typically require high-level permissions and ai.type wanted permissions to text messages, photos, videos, contact data, and access to on-device storage. Secure-D considers this to be "dangerous" because it allows the app to read user’s contacts’ data, read or write to the phone’s external storage, gain access to the list of existing accounts on the device, and allows the app to record audio.
If you have ai.type on your Android phone, delete it immediately. There are other keyboard apps from the same developer including one for tablets, and lite and plus versions of the keyboard. Frankly, why take the risk? We'd stay away and uninstall all of them at this point.