A popular keyboard app called Flash Keyboard was found by security firm Pentest to be asking for “excessive permissions”, including a number it deemed “dangerous”, with user data sent to servers in the US, Netherlands and China.

The app, by Hong Kong-based DotC United, requests permission to access the camera (“a strange permission for a keyboard application to request”) and to connect to paired Bluetooth devices, for instance, which Pentest said was “in excess of what would be required for the normal operation of a keyboard application”.

It was also found that the app is difficult to uninstall because it had been granted device administrator privileges: Android does not allow a package to be removed while it holds an active device admin, so the user must first deactivate the admin.

This also means device admin API functions could be added in future updates without notification to the user. Developers could update the app to remotely lock the device, set a screen unlock password “essentially holding the user to ransom”, disable the camera, and even remotely wipe the device.
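The two findings above (permissions a keyboard has no business requesting, and an active device admin that blocks uninstall) are both visible on a device through `adb shell dumpsys`. The following is an added example, not code from Pentest or from the app's developer: it parses constructed text modelled on `dumpsys package <pkg>` and `dumpsys device_policy` output and flags a keyboard app that holds unexpected or dangerous permissions or an active device admin. The package name, the component name, and the baseline list of permissions a keyboard is expected to need are assumptions.

```python
import re

# Constructed sample modelled on `adb shell dumpsys package <pkg>`.
# The package name is assumed; it is not the real app's identifier.
SAMPLE_PACKAGE_DUMP = """\
Package [com.example.keyboard] (assumed):
  requested permissions:
    android.permission.INTERNET
    android.permission.VIBRATE
    android.permission.CAMERA
    android.permission.BLUETOOTH
    android.permission.READ_CONTACTS
  install permissions:
    android.permission.INTERNET: granted=true
"""

# Constructed sample modelled on `adb shell dumpsys device_policy`.
SAMPLE_DEVICE_POLICY_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.keyboard/.AdminReceiver}:
      uid=10123
"""

# Assumed baseline: permissions a keyboard app plausibly needs. Anything
# outside this set is "unexpected" and worth a second look.
KEYBOARD_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.VIBRATE",
    "android.permission.READ_USER_DICTIONARY",
    "android.permission.WRITE_USER_DICTIONARY",
    "android.permission.RECORD_AUDIO",  # voice input; still worth scrutiny
}

# Subset of Android's "dangerous" protection-level permissions, i.e. ones
# that gate access to private user data or sensors.
DANGEROUS = {
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

ADMIN_RE = re.compile(r"ComponentInfo\{([\w.]+)/([\w.$]+)\}")


def parse_requested_permissions(dump):
    """Return the permissions listed under 'requested permissions:'."""
    perms = []
    in_block = False
    for line in dump.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_block = True
            continue
        if in_block:
            # The block ends at the next section header or a blank line.
            if not stripped or stripped.endswith(":"):
                break
            perms.append(stripped.split(":")[0])
    return perms


def parse_device_admins(dump):
    """Return package names that currently hold an active device admin."""
    return [m.group(1) for m in ADMIN_RE.finditer(dump)]


def assess_keyboard_app(package, package_dump, policy_dump):
    """Flag permissions outside the keyboard baseline and active device admin."""
    requested = parse_requested_permissions(package_dump)
    unexpected = [p for p in requested if p not in KEYBOARD_BASELINE]
    dangerous = [p for p in unexpected if p in DANGEROUS]
    is_admin = package in parse_device_admins(policy_dump)
    # Device admin plus dangerous permissions is the combination that lets a
    # future update lock, wipe or surveil the device without a fresh prompt.
    if is_admin and dangerous:
        risk = "high"
    elif is_admin or dangerous:
        risk = "medium"
    elif unexpected:
        risk = "low"
    else:
        risk = "none"
    return {
        "package": package,
        "unexpected": unexpected,
        "dangerous": dangerous,
        "device_admin": is_admin,
        "risk": risk,
    }


if __name__ == "__main__":
    report = assess_keyboard_app(
        "com.example.keyboard", SAMPLE_PACKAGE_DUMP, SAMPLE_DEVICE_POLICY_DUMP
    )
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real device the two dumps come from `adb shell dumpsys package <pkg>` and `adb shell dumpsys device_policy`; the exact layout of those dumps varies between Android releases, so the parsers above match the constructed sample and may need adjusting. A package flagged with `device_admin: True` will refuse a normal uninstall until its admin is deactivated under the device's security settings.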

The data being sent to China was possibly for analytics, the firm believes, because encoded data was sent to TalkingData, an independent Chinese big data service platform with a focus on the mobile internet.

The app, which had been installed between 50 million and 100 million times in February when the research started, refers to valuing user privacy in its Play Store description, though this was found not to be the case.

Pentest said it notified Google in April and although no official response was received, as of 6 June the app was removed from the Play Store.

However, another app called Flash Keyboard Lite by a developer called “Flash Keyboard team” has since appeared.

An initial inspection by Pentest shows it to be built from the same original code as Flash Keyboard.

Pentest believes the original app was not written by the developers to be intentionally malicious, but added that through disregard for Android’s development policy and a desire to monetise a free app, it “deceives users, gathers personal information and obstructs uninstallation”.

“In more sinister hands, this application could covertly download updates that weaponises the application; to exploit the granted privileges for mass or even targeted surveillance,” Pentest said.