Keyboard apps from Samsung, Xiaomi, Oppo & Vivo leak everything users type to hackers

A recent investigation by Citizen Lab has uncovered significant security vulnerabilities across popular Chinese keyboard apps, affecting potentially billions of users. The bugs, identified in cloud-based pinyin keyboard apps, allow malicious actors to hack into devices and user accounts, by intercepting user data transmitted between devices and the cloud.

The study focused on analyzing preinstalled apps from major vendors including Baidu, Honor, Huawei, iFlyTek, OPPO, Samsung, Tencent, Vivo, and Xiaomi. Shockingly, eight out of nine vendors were found to have critical vulnerabilities, leaving user data exposed to interception by passive network eavesdroppers.

Only Huawei emerged unscathed from the security audit conducted by Citizen Lab.

The implications of these studies are profound — bugs such as these could have impacted hundreds of millions of users, particularly given the widespread adoption of Honor, OPPO, and Xiaomi smartphones in  China and its neighbours.

The nature of these bugs allowed attackers to intercept users’ keystrokes when they were in transit. This, in turn, compromised sensitive information, ranging from text messages to financial details.

The crux of the issue lies in how typing data is transmitted over the internet. Unlike the Latin-based alphabet, pinyin keyboards used by a majority of mainland Chinese users send data to remote servers for predictive text functions. This reliance on cloud-based features renders the apps vulnerable to surveillance, effectively functioning as keyloggers.

While Citizen Lab promptly notified all affected vendors of the vulnerabilities, only Honor failed to address the issues by the specified deadline.

Most service providers have since patched the bugs, prompting researchers to advise users to update their apps and operating systems for enhanced security.

Moreover, to mitigate future risks to privacy and sensitive data, users are urged to transition away from cloud-based keyboard apps to those operating entirely on-device.

The revelations underscore the critical importance of robust security measures in mobile applications, particularly for widely used keyboard apps that handle vast amounts of personal data.

As cyber threats continue to evolve, proactive steps must be taken to safeguard user privacy and protect against potential exploitation by malicious actors.

(With inputs from agencies)