Ai.type, an Android app that has earned over 40 million downloads as a “Free emoji keyboard”, has recently been caught red-handed engaging in fraud.
By purchasing premium digital content on smartphones without authorization, the app made millions of transactions and netted huge sums over the course of its scam.
Caught by Secure-D, a fraud detection platform by Upstream, the app succeeded in its shady endeavors through a range of tactics, including displaying invisible ads and spoofing the identities of other apps such as Soundcloud.
While the preceding damage may have been substantial, Secure-D reports that by blocking over 14 million unauthorized transactions from a mere 110,000 devices, it has saved users a cumulative value of approximately $18 million. Although these transactions were recorded in 13 countries, Egypt and Brazil saw the highest numbers.
Secure-D carried out its research on two devices and found subscription verification texts from premium digital services on both, confirming unwanted subscription sign-ups that occurred without any user intervention.
Static and behavioral analysis showed that the ai.type versions installed on each device contained SDK frameworks with obfuscated hard-coded links back to advertising trackers.
These are servers used by mobile advertising networks to serve and display ads based on their inventory, and track who needs to be paid when a conversion (usually a sale or download) takes place, the company wrote in its blog post.
Moreover, although the app was removed from the Google Play Store in June 2019, users who had already installed it did not delete it and other Android marketplaces took no action, so the app continued to cause damage. What’s even more surprising is that the very next month a huge spike was seen in its activity, perhaps the opposite of the effect Google intended.
Ai.type keyboard app subscription screenshot before it was removed by Google from Play Store in July 2019.
Meanwhile, the CEO of Upstream has rightly commented:
“The mobile advertising fraud market is worth some $40bn annually. In any given market one in ten devices are infected with malware.
Dressing up to appear as legitimate and often popular applications, undetected malware damages the industry’s reputation, leaving mobile operators and their customers to pick up the tab.”
Yet, we believe that there is more that can be done, particularly by Google. For starters, they should have immediately informed users who had installed ai.type on their smartphones with a push notification prompting them to delete the app on account of fraud.
This is especially important when we realize that the average layman does not peruse cybersecurity blogs and would really have no idea of the current developments surrounding a particular app.
Furthermore, Secure-D’s research revealed that the Ai.type Android app asks for dangerous permissions such as:
Allowing the application to read the user’s contacts’ data
Allowing the application to read or write to the phone’s external storage
Allowing access to the list of existing accounts on the device
Allowing the application to record audio
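As an added example (not taken from Secure-D's report or from the app's code), the Python check below reads a decoded AndroidManifest.xml, determines whether the app registers itself as a keyboard, and lists which of the permissions described above it requests. The Android permission names are an assumed mapping of the descriptions in the list, and the sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the article's descriptions to Android permission names.
FLAGGED = {
    "android.permission.READ_CONTACTS": "read the user's contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.GET_ACCOUNTS": "list accounts on the device",
    "android.permission.RECORD_AUDIO": "record audio",
}

# Constructed sample (decoded text manifest); this is not ai.type's real manifest.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.keyboard">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission-sdk-23 android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <application>
    <service android:name=".ImeService"
             android:permission="android.permission.BIND_INPUT_METHOD"/>
  </application>
</manifest>
"""

def audit_manifest(manifest_xml):
    """Return (is_keyboard, flagged) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # Permissions may be declared with either element name.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    # A keyboard (input method) exposes a service guarded by BIND_INPUT_METHOD.
    is_keyboard = any(
        svc.get(ANDROID_NS + "permission") == "android.permission.BIND_INPUT_METHOD"
        for svc in root.iter("service")
    )
    flagged = {p: FLAGGED[p] for p in sorted(requested & FLAGGED.keys())}
    return is_keyboard, flagged

if __name__ == "__main__":
    keyboard, flagged = audit_manifest(SAMPLE_MANIFEST)
    print("input method app:", keyboard)
    for perm, why in flagged.items():
        print(f"  {perm}: can {why}")
```

The manifest must first be decoded from the APK's binary XML into text before this check can parse it.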
NOT for the first time
This, however, is NOT the first time the Ai.type app has been caught in the act. In 2017, the company was found collecting personal data of its users after its database with 31 million records was leaked online.
The exposed data at that time included full name, phone number, device name, model number, screen resolution, SMS number, mobile network name, Android version, user languages enabled, IMSI number, IMEI number, country of residence, email address, links and the information associated with the social media profiles including photo and in some cases IP addresses.
Nevertheless, despite its removal earlier this year, the malicious app in question can once again be found on the Play Store alongside other apps from the same company, ai.type LTD, an Israeli-based firm.
This alone is a serious indicator of the lack of repercussions certain developers face for criminal behavior.
It is Google’s responsibility to ban any firms involved in such activities for an extended period of time along with removing their other applications in order to act as a deterrent for others.
Ai.type is disguised as a free treat for mobile users. It is a customizable on-screen keyboard app developed by Israeli firm ai.type LTD, which describes the app as a “Free Emoji Keyboard”. Despite the fact that the app was removed from Google Play in June 2019, the app remains on millions of Android devices and is still available from other Android marketplaces. Shortly after the removal from Google Play, in July 2019, suspicious activity spiked exponentially for a two-month period. It has since remained high, though in lower volumes than during the summer spike.
 As instructed by a Command & Control Server
Upstream CEO, Guy Krief, commented: “Malware can be responsible for creating millions of dollars of fraudulent mobile advertising revenue. It seriously impacts consumers’ pockets and mobile service experience by eating up their data, incurring unwanted charges, and affecting the performance of their phones.
The mobile advertising fraud market is worth some $40bn annually. In any given market one in ten devices is infected with malware. Dressing up to appear as legitimate and often popular applications, undetected malware damages the industry’s reputation, leaving mobile operators and their customers to pick up the tab.”
Head of Secure-D at Upstream, Dimitris Maniatis, explains more about how the app tricks users: “Ai.type contains software development kits (SDKs) with hardcoded links to ads and subscribes users to premium services without their consent. These SDKs navigate to the ads via a series of redirections and automatically perform clicks to trigger the subscriptions. This is committed in the background so that normal users will not realize it is taking place. In addition, the SDKs obfuscate the relevant links and download additional code from external sources to complicate detection even from sophisticated analysis techniques. Bottom line: innocent users are paying for these hidden, unauthorized purchases and related data consumption whose source is buried in the app.”
Upstream is advising all consumers who have downloaded ai.type to check their phones for unusual behavior. Users should regularly check their phones and remove any reported malware. They should also check their bills for unwanted or unexpected charges for accessing premium data services and look out for signs of increased data usage, which could indicate a malicious app is consuming data in the background.
Upstream works directly with mobile operators to proactively safeguard their subscribers against fraud on their mobile devices – and currently protects tens of millions of mobile users worldwide. Its Secure-D anti-fraud platform uses machine learning algorithms to determine the transactions that are most likely to be fraudulent and uses behavioral patterns to detect anomalies and unwanted transaction patterns. In 2018 alone, Upstream processed more than 1.8 billion mobile transactions, identified more than 30 million infected devices, and blocked more than 63,000 malicious apps with Secure-D.