Just two days ago we reported on unremovable malware affecting many Android devices; now an even bigger security threat has been exposed.
Ai.type, a typing app once available in the Google Play Store and installed over 40 million times, has been found making purchases of premium digital content without permission from the phone's owner.
Besides making unauthorized purchases, Ai.type also runs ads in the background and produces fake clicks to help bad actors generate revenue. It also sends ad networks data containing real views, real clicks and real purchases.
The app was removed from the Google Play Store in June and a search for it shows the following information on Play Store:
A search for “Ai.type” in Google shows “This site may be hacked.”
Ai.type gone rogue
Ai.type is a customizable on-screen keyboard app developed by Israeli firm ai.type LTD, which describes the app as “the most personalized keyboard for mobile phones and tablets.”
The app has been caught making millions of unauthorized purchases of premium digital content, according to researchers at mobile technology company Upstream.
The app has been delivering millions of invisible ads and fake clicks, while delivering genuine user data about real views, clicks and purchases to ad networks.
Ai.type carries out some of its activity hiding under other identities, including disguising itself to spoof popular apps such as Soundcloud. The app’s tricks have also included a spike in suspicious activity once removed from the Google Play store, the Upstream report said.
Upstream says its Secure-D platform has so far detected and blocked more than 14 million suspicious transaction requests from only 110,000 unique devices that downloaded the ai.type keyboard.
If not blocked, these transaction requests would have triggered the purchase of premium digital services, potentially costing users up to $18 million in unwanted charges.
The suspicious activity has been recorded across 13 countries but was particularly high in Egypt and Brazil.
Removed from store but still works
Despite the fact that the app was removed from Google Play in June 2019, it remains on millions of Android devices and is still available from other Android marketplaces.
Shortly after the removal from Google Play, in July 2019, suspicious activity spiked exponentially for a two-month period. It has since remained high, though in lower volumes than during the summer spike, according to Upstream.
Explaining how this app is a threat to phone owners, Dimitris Maniatis, the head of Secure-D at Upstream, said:
Ai.type contains software development kits (SDKs) with hardcoded links to ads and subscribes users to premium services without their consent.
These SDKs navigate to the ads via a series of redirections and automatically perform clicks to trigger the subscriptions.
This is committed in the background so that normal users will not realize it is taking place.
In addition, the SDKs obfuscate the relevant links and download additional code from external sources to complicate detection even from sophisticated analysis techniques.
Bottom line: innocent users are paying for these hidden, unauthorized purchases and related data consumption whose source is buried in the app.
What you should do
If you have ai.type on your Android phone, you should delete it immediately. There are also other keyboard apps from the same developer including one for tablets, and lite and plus versions of the keyboard.
Upstream advises all consumers who have once downloaded ai.type to check their phones for unusual behavior.
Users should regularly check their phones and remove any reported malware. They should also check their bills for unwanted or unexpected charges for accessing premium data services and look out for signs of increased data usage, which could indicate a malicious app is consuming data in the background.
Previous data leaks
This is not the first time ai.type has been involved in a data breach.
In December 2017, researchers at the Kromtech Security Center found that personal data belonging to over 31 million customers of ai.type had leaked online, after the app's developer failed to secure the database's server.
The server is owned by Eitan Fitusi, co-founder of AI.type, but it wasn't protected with a password, allowing anyone to access the company's database of user records, totaling more than 577 gigabytes of sensitive data.
The database appeared to only contain records on the app's Android users.
Each record contained basic collected data, including the user's full name, email addresses, and how many days the app was installed. Each record also included a user's precise location, including their city and country.
Android app threats
This is the second Android app threat in two days.
As cnTechPost reported Wednesday, over the past six months a new kind of Android malware named xHelper has reportedly infected more than 45,000 Android devices, where it can reinstall itself even after being manually removed.
The malware was first spotted in March but slowly expanded to infect more than 32,000 devices by August, and eventually it made its way to a total of 45,000 devices, according to Symantec.