A popular unofficial Android keyboard app that has been installed more than 40 million times secretly engages in click-fraud and steals money from users by signing them up for paid subscriptions without their knowledge, researchers with Upstream have discovered. While the Ai.type app was actually booted from the Google Play Store in June of this year, it continues to run on millions of devices and is still available on third-party app stores.
The researchers explain that when a user installs the app, it will “stealthily connect the user to advertising services, then execute dynamically provided code that can be used to create fake ‘clicks’ on the mobile advertisements served to the user’s device.” While the click-fraud activity stays hidden from the user, it drains the device's battery and increases mobile data use. Moreover, the app subscribes users to paid online services without their consent. This functionality has been observed across 13 different countries.
Read more: Sketchy Android keyboard app with 40M downloads makes money off unauthorized purchases