
Upside down
Why is the crim reading the stolen credit card upside down?
Malicious code slipped into a popular Android keyboard app racked up millions of dollars in fraudulent charges for unlucky punters. The Secure-D research team with mobile security specialist Upstream Systems reports this week that as much as $18m in bogus fees were run up by ai.type, an on-screen keyboard replacement that has …
"Anyone who is using the ai.type keyboard would be well advised to delete it ASAP. As it is no longer in the Play Store there is no risk of new infections there, but anyone using third-party services should avoid downloading the keyboard if they see it."
OK. Let's pop over to the de facto second-party app store that is apparently now safe and see what people are downloading instead.
...oh that would be another one of the variants from the same author, so let's see what appbrain has to say about this bloatfest...
No surprise, equally stuffed full of SDKs and adverts. https://www.appbrain.com/app/ai-type-keyboard-plus-emoji/com.aitype.android.p
and a long-term history of malware distribution it seems, going back to at least 2013 https://www.mywot.com/en/scorecard/aitype.com
Centralised app stores just make it easier for malware to be distributed and trusted unthinkingly by users. I would argue it would be more secure to distribute apps on random websites, on average, since the malware authors would have to put in more effort to get punters to their dodgy website. It's clear Google does very little, if any, checking of apps, and the system is gamed very easily. App stores are really about extracting maximum revenue and user data from a platform.
Yes and no. The problem is more because of what Google allow in apps.
F-Droid do not have a malware problem because they only allow apps they can build from public source, and do not allow certain SDKs including adverts.
1) discourages people from making apps that only serve to create money
2) discourages people from prepackaging open source apps as their own to generate money
3) makes it difficult to hide any malware
I've never given Google or Apple my credit card or bank details. On the rare occasion I need to purchase premium content I buy a gift card from a store and activate that. I can therefore restrict any potential losses that way. Fortunately my Apple phone is provided for me and I didn't have to provide any financial details. It's also locked down in terms of what I can have on there.
For me - suffering from fat finger syndrome (they are actually quite wide at the tips) - something like "Swype" is much more practical and comfortable than the standard keyboard that seems to have been specced with dimensions based on women and kids.
The bigger question is how this stuff persists despite the assertion that Play store (or whatever it's called now) is a safe source for downloads.
Because the standard ones are cr@p.....
I use SwiftKey on Android, but work won't let me update the iPhone one, which I always struggle with. Yeah I know, fat fingers probably.
SwiftKey allows all sorts of things, like drag/drop sizing so you can balance fat fingers with how much of the screen you're prepared to lose.
Well, some keyboards just provide a better user experience than regular keyboards. The traditional qwerty layout has some basic flaws because it was developed for mechanical typewriters. To fit on a smartphone the keys have to be very narrow.
Other keyboards solve this by adding mobile-optimized layouts. Typewise for example is a very cool project and is currently available as a free beta. It also has no internet connection permission so the user can be sure that no information will ever leave the device. That's a big problem with other keyboards in my view.
Because the standard word-prediction logic in the standard keyboard is shit, and there's much better available elsewhere.
Plus I like my keyboard with arrow keys, and keys designed to make selection/copy/paste much easier.
Plus there are indeed specialized keyboards, such as ones designed to work with ssh terminal apps like ConnectBot.
Because right now there are several ai.type keyboards listed on Play store.
I thought the name seemed familiar as I'd installed a tablet version years ago for the Nexus 7 because it offered a split keyboard option and had been recommended in one of the Android mags at the time.
ai.type company is still on Google Play right now with emoji keyboards, themes, add-ons. Could there be a genuine company and a rogue app with the same name that's been banned?
As for why do people install 3rd party keyboard apps? Well I don't feel the need now but years ago the standard Google keyboard app was pretty awful.
And there's a reason I don't let a site save my payment information. In fact, as far as the Google Play store is concerned, the only thing I use for payment there is a GooglePlay "gift card". There's a very strict limit that way of how much they can rip me off for.
Would be so much nicer if the one-use credit card number systems had gained popularity. I suspect it was the very same companies that like to hit you with random charges and un-cancelable subscriptions who made sure those never got widely implemented (can't have the potential victims actually protecting themselves).
I predict that this app will be back on Google's Play store within a week.
The developer will say something along the lines of "We take users' privacy and security seriously"
The malware will be blamed on a third party advertising SDK that "tricked" the developers into inserting it into the app.
We will be reading a similar article about another dodgy app just like this next month.
How did I do?
Placing details on your mobile with how to pay with Google Pay and banking apps will now become primary targets. I don't have any choice about using Android but I can deny them access to banking information. If you are concerned about your mobile, remove your banking details and request replacement cards. There doesn't seem any point explaining the circumstances; just tell them it's lost or stolen as I did.