An emoji keyboard application downloaded by tens of millions of Android users may have cost hordes of users unwanted charges by sneakily triggering the purchase of premium digital services.
The app, ai.type, is a customisable on-screen keyboard tool that lets users tailor the keyboard to their personal preferences.
It was available for download on Google Play until June 2019, when it was removed.
It claims more than 40 million users.
A report into the app by Upstream Systems said the app was behind millions of suspicious mobile transaction requests - many of which had been identified and blocked by the company's anti-fraud system, Secure-D.
The transactions came from more than 110,000 devices.
If they were not blocked, the total number of transactions could have cost users in 13 countries up to $18 million in unwanted charges.
The report did not state how many users were actually stung by the fraudulent behaviour from the app.
Secure-D launched an investigation into behaviour from the app following reports of strange transaction behaviour and the app's subsequent removal from Google Play.
Security experts found subscription verification texts to premium digital services on two devices examined as part of the investigation.
These confirmed unwanted subscription sign-ups that occurred without any user intervention.
The investigation also found the app had been delivering invisible ads and non-human clicks to its users.
The investigation concluded that compromised mobile apps and mobile ad fraud were a "growing problem".
While Google Play was typically a safe source of Android apps, they could still be compromised.
"To avoid falling victim to data theft and unwanted purchases or subscriptions, Android users should immediately check their phones to see if they have any suspicious app installed," the report read.
Just last month Android users were advised to delete a series of apps that contained malicious software and could risk a major data breach.
The fifteen programmes were available through the Google Play Store, security experts at Sophos said.
Most act as an irritant, frequently blocking the phone screen with large and intrusive ads.
While all 15 have been removed from Google's download centre, they had been installed on more than 1.3 million devices.
One of the apps, Flash On Calls & Messages - also known as Free Calls & Messages - displays fake error messages when launched.
It then redirects you to Google Maps on the Play Store, leading users to believe that Google Maps is responsible for the programme crash.