back to article 40 million emoji-addicted keyboard app users left with $18m bill – after malware sneaks into Play Store yet again

Malicious code slipped into a popular Android keyboard app racked up millions of dollars in fraudulent charges for unlucky punters. The Secure-D research team with mobile security specialist Upstream Systems reports this week that as much as $18m in bogus fees were run up by ai.type, an on-screen keyboard replacement that has …

  1. Bobsbuddy

    Upside down

    Why is the crim reading the stolen credit card upside down?

    1. heyrick Silver badge

      Re: Upside down

      Probably explains the intent staring...

      Damn, what language is this? Why did I have to pick the difficult one?

    2. Oliver Mayes

      Re: Upside down

      He's communing directly with the chip, orientation is irrelevant.

      1. <script>alert('the register');</script>

        Re: Upside down

        Thanks Captain Killjoy

    3. Oh Matron!

      Re: Upside down

      Security by obscurity. It's printed upside down :-)

      1. GnuTzu
        Thumb Up

        Re: Upside down

        Shades of Steven Wright (or that Emo Philips, whatever your preference).

  2. Dr.Flay

    so glad google are keeping us safe.

    "Anyone who is using the ai.type keyboard would be well advised to delete it ASAP. As it is no longer in the Play Store there is no risk of new infections there, but anyone using third-party services should avoid downloading the keyboard if they see it."

    OK. lets pop over to the defacto second-party app store that is apparently now safe and see what people are downloading instead.

    ...oh that would be another one of the variants from the same author, so lets see what appbrain has to say about this bloatfest...

    No surprise, equally stuffed full of SDKs and adverts.

    and a long term history of malware distribution it seems, going back to at least 2013

    1. Luke McCarthy

      Re: so glad google are keeping us safe.

      Centralised app stores just make it easier for malware to be distributed and trusted unthinkingly by users. I would argue it would be more secure to distrubute apps on random websites, on average, since the malware authors would have to put in more effort to get punters to their dodgy website. It's clear Google does very little, if any, checking of apps, and the system is gamed very easily. Apps stores are really about extracting maximum revenue and user data from a platform.

      1. Dr.Flay

        Re: so glad google are keeping us safe.

        Yes and no. The problem is more because of what google allow in apps.

        F-Droid do not have a malware problem because they only allow apps they can build from public source, and do not allow certain SDKs including adverts.

        1) the discourages people from making apps that only serve to create money

        2) discourages people from prepackaging open source apps as their own to generate money

        3) makes it difficult to hide any malware

    2. JimboSmith Silver badge

      Re: so glad google are keeping us safe.

      I've never given Google or Apple my credit card or bank details. On the rare occasion I need to purchase premium content I buy a gift card from a store and activate that. I can therefore restrict any potential losses that way. Fortunately my Apple phone is provided for me and I didn't have to provide any financial details. It's also locked down in terms of what I can have on there.

      1. Dr.Flay

        Re: so glad google are keeping us safe.

        This ^

  3. Khaptain Silver badge

    Dodgy people and dodgy stuff

    "but anyone using third-party services should avoid downloading the keyboard if they see it."

    That's a bit like saying don't buy under the counter booze from your local drug dealer...

  4. Giles C Silver badge


    Do people need to download 3rd party keyboard apps in the first place.

    I can’t see the logic behind needing these unless you need something localised for a non roman character set, or?

    I am perfectly fine with a standard qwerty keyboard that the phone / tablet comes with.

    1. Anonymous Coward
      Anonymous Coward

      Re: Why?

      For me - suffering from fat finger syndrome (they are actualy quite wide at the tips) - something like "Swype" is much more practical and comfortable than the standard keyboard that seems to have been specced with dimensions based on women and kids.

      The bigger question is how this stuff persist despite the assertion that Play store (or whatever its called now) is a safe source for downloads

    2. Dan 55 Silver badge

      Re: Why?

      Way do people need to download 3rd party keyboard apps in the first place.

      Because I don't trust the Google Keyboard, every so often it's updated with a new slurpy option that you're opted into by default.

    3. Anonymous Coward
      Anonymous Coward

      The problem here isn't the third party keyboard

      The malware embedded in this could be embedded in any type of app. Are you going to say "why do people need other browsers / messaging apps / games" if the same malware was installed in one of them?

    4. Andytug

      Re: Why?

      Because the standard ones are cr@p.....

      I use SwiftKey on Android, but work won't let me update the iPhone one, which I always struggle with. Yeah I know, fat fingers probably.

      SwiftKey allows all sorts of things, like drag/drop sizing so you can balance fat fingers with how much of the screen you're prepared to lose.

    5. Big_Berny

      Re: Why?

      Well, some keyboards just provide a betters user experience than regular keyboards. The traditional qwerty layout has some basic flaws because it was developed for mechanical typewriters. To fit on a smartphone the keys have to be very narrow.

      Other keyboards that solve this by adding mobile-optimized layouts. Typewise for example is a very cool project and is currently available as a free beta. It also has no internet connection permission so the user can be sure that no information will ever leave the device. That's a big problem with other keyboards in my view.

    6. Gene Cash Silver badge

      Re: Why?

      Because the standard word-prediction logic in the standard keyboard is shit, and there's much better available elsewhere.

      Plus I like my keyboard with arrow keys, and keys designed to make selection/copy/paste much easier.

      Plus there are indeed specialized keyboards, such as ones designed to work with ssh terminal apps like ConnectBot.

    7. Dr.Flay

      Re: Why?

      Q: Why ?

      A: Emoji

    8. Jamie Jones Silver badge

      Re: Why?

      It's "Hackers keyboard" or nothing. The default and most others are kids popcorn.

  5. This post has been deleted by its author

  6. mrmond

    Gone from the Play store?

    Because right now there are several ai.type keyboards listed on Play store.

    I thought the name seemed familiar as I'd installed a tablet version years ago for the Nexus 7 because it offered a split keyboard option and had been recommended in one of the android mags at the time.

    ai.type company is still on Google play right now with emoji keyboards , themes, add ons. Could there be a genuine company and a rogue app with the same name that's been banned ?

    As for why do people install 3rd party keyboard apps? Well I don't feel the need now but years ago the standard Google keyboard app was pretty awful.

  7. jelabarre59 Silver badge

    No saved payment

    And there's a reason I don't let a site save my payment information. In fact, as far as the Google Play store is concerned, the only thing I use for payment there is a GooglePlay "gift card". There's a very strict limit that way of how much they can rip me off for.

    Would be so much nicer if the one-use credit card number systems had gained popularity. I suspect it was the very same companies that like to hit you with random charges and un-cancelable subscriptions who made sure those never got widely implemented (can't have the potential victims actually protecting themselves).

    1. Gene Cash Silver badge

      Re: No saved payment

      > Would be so much nicer if the one-use credit card number systems had gained popularity

      Oh hell yeah. I wonder if El Reg could dig in and find out why that died? It seems to be a great anti-fraud technique.

      1. e^iπ+1=0

        one-use credit card number

        Not completely dead - e.g. Revolut offer disposable card numbers. Not a credit card, more like a prepaid card.

  8. Anonymous Coward
    Anonymous Coward

    I'm a psychic and can see into the future...

    I predict that this app will be back on Google's Play store within a week.

    The developer will say something along the lines of "We take users privacy and security seriously"

    The malware will be blamed on a third party advertising SDK that "tricked" the developers into inserting into the app.

    We will be reading a similar article about another dodgy app just like this next month.

    How did I do?

  9. Anonymous Coward
    Anonymous Coward

    Surely this is grounds for Google refunding all affected users?

  10. HildyJ Silver badge

    Live by emojis, die by emojies

    I blame millenials.

  11. MatsSvensson

    Let me guess:

    This app requires the following rights:

    * Every-fucking-thing.

    [ Accept ]

  12. HmYiss

    so you installed an app called ai.type

    and now u been firked.

    yep... thats hitting a bit fat zero on the sympathy gauge.

  13. Imhotep Silver badge

    Certified Emoji Translator

    When contacted for comment, the ai.type developers responded with a sad face emoji.

    We're still working on the thousand word translation.

  14. JimPoak

    The moral of this story is...

    Placing details on your mobile with how to pay with google pay and backing apps will now become primary targets. I don't have any choice about using android but I can deny them access to backing information. If you are concerned about your mobile remove your banking details and request replacement cards. There doesn't seem any point explaining the circumstances just tell them it's lost or stolen as I did.

    1. Adelio Silver badge

      Re: The moral of this story is...

      I am too set in my ways (Or just caucious) but I see no need to give my phone any payment details. The same as I would never (In a million years) install a banking app on the most unsecure device going (A Moblile phone)

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021