The Flash Keyboard app has been downloaded more than 50 million times -- but is capable of some extremely dangerous behaviors.
"It looked like it was a convenient keyboard that had some nice features," said Bill Anderson, chief product officer at mobile security company OptioLabs. "The marketing copy in the app store looked great."
For a while, the app was in the top 20 downloads for the Google Play Store, he added.
"The problem was that it asked for just about every permission that an app could ask for," he said. "It was an especially long list. And surprisingly, most people said yes. But the permissions were so excessive that it turned this thing into a potentially marvelous way to hack phones."
There is no evidence that the app itself did anything malicious, he said, but it did do some things that were questionable.
"In particular, it was found to be opening up a net connection, and sending some data it was collecting from the phone to a server somewhere else," he said. "The data was the device, manufacturer, model number, the Android version, the owner's email address, all of the Wifi addresses that it could see, the cell network it was on, the GPS coordinates of where the phone was, information about any of the Bluetooth devices it could see, and information about any web proxies it could see."
Once the data is collected, it could also be used to create a very deep personal profile of users, shared with third parties, and vulnerable to state-sponsored hackers and criminals.
None of this is information that a keyboard app needs to have, he added.
"But it's certainly good information to have if you wanted to track users and send them targeted advertisements, and that was probably what was going on here," he said. "It was doing that without informing the user, which was the problem, and ultimately got it removed from the store."
However, the app popped right back up again, and now stands at over 700,000 downloads."It looks as though the same group of people has put it up again," Anderson said.The developer is DotC United, based in Hong Kong.
There are also some permissions that are particularly worrying.For example, the app asks for the ability to download new files without notifying the user.
"Normally, if an app tries to download a file, it has to pop up a notification on the user screen," he said. "This one can potentially update itself with code that was actually malicious. It is a potential vector for a Trojan horse that could turn into something else in the future."
Sign up for CIO Asia eNewsletters.