Over a billion users could be at risk from keyboard logging app security flaw

Most Chinese mobile manufacturers used vulnerable keyboards, experts claim

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

Almost a billion mobile users, holding various devices, could have had their communications revealed to malicious third parties, a report from cybersecurity researchers Citizen Lab claims.

It says different device manufacturers have used different keyboard apps which were relaying unencrypted communications, transmitting keystrokes via plaintext, and similar. Tencent QQ Pinyin, Baidu IME, iFlytek IME,SamsungKeyboard on Android, Xiaomi (with keyboard apps from Baidu, iFlytek, and Sogou), OPPO, Vivo, Honor, all of these allowed potential threat actors to decrypt Chinese mobile users' keystrokes, completely passively, and without the users needing to send any extra network traffic.

The team says it believes the keyboard apps found on these devices were “revealing the contents of users’ keystrokes in transit”.

Keeping private talk private

The only manufacturer whose keyboard app was secure is Huawei, the researchers said. As forAppleandGoogle, neither app has a feature to transmit keystrokes to cloud servers for cloud-based communications, it was said, which made it impossible to analyze the keyboards for the security of the feature.

“However, we observed that none of the mobile devices that we analyzed included Google’s keyboard, Gboard, preinstalled, either,” the researchers claim.

The researchers disclosed their findings to the manufacturers and say that as of April 1, almost all have addressed their issues. Only Honor and Tencent (QQ Pinyin) still remain a work in progress.

To defend from potentialeavesdroppers, users should keep their apps and mobileoperating systemsupdated, and use a keyboard that fully works on the device. Developers, on the other hand, are advised to use well-tested and standard encryption protocols, instead of building their own, potentially vulnerable versions,The Hacker Newsreports.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“Given the scope of these vulnerabilities, the sensitivity of what users type on their devices, the ease with which these vulnerabilities may have been discovered, and that the Five Eyes have previously exploited similar vulnerabilities in Chinese apps for surveillance, it is possible that such users' keystrokes may have also been under mass surveillance,” the researchers concluded.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption