Afghanistan International reported in May 2026, citing informed sources, that Taliban authorities and the Islamic Republic of Iran had cooperated on the development of a mobile application allegedly capable of monitoring users inside Afghanistan.

The report referred to RTA Keyboard, also known as کیبورد ملی, a keyboard application associated with Afghanistan’s state broadcaster, Radio Television Afghanistan. The Android version of the app was distributed under the package name com.etimadi.testkeyboard.

As part of its ongoing work monitoring digital security threats, surveillance technologies, and high risk applications targeting civil society and vulnerable communities, Raznet’s forensic team conducted a static forensic and security analysis of version 1.4 of the RTA Keyboard Android sample. The findings of that review are presented below.

Background

The technical findings below should be read against two important limits. First, Raznet’s review was a static forensic and security analysis, not a full dynamic malware investigation. Static analysis can identify permissions, embedded secrets, hardcoded endpoints, logging calls, exposed constants, weak hardening, and other security relevant code patterns. It cannot, by itself, prove the app’s full behavior under all runtime conditions, establish who receives data in practice, or confirm that the application is part of an intelligence collection program.

Second, RTA Keyboard is not an ordinary app. Keyboard applications occupy one of the most privileged positions in the mobile ecosystem because they process user input across other apps. Depending on how they are built, they may handle private messages, search queries, names, addresses, political communications, financial details, organizational information, credentials, or recovery phrases. In a high repression environment such as Taliban controlled Afghanistan, that risk is amplified, particularly for journalists, women, civil society workers, dissidents, and other vulnerable users.

Raznet’s static review found that RTA Keyboard contains a hardcoded OpenAI API key in the decompiled application code and uses it to call https://api.openai.com/v1/chat/completions for translation functionality. The app appears to construct prompts from user provided text and send them to OpenAI using an Authorization: Bearer header. In practice, this means that text typed into a keyboard associated with Afghanistan’s state broadcaster may be processed through third party AI infrastructure, a behavior that requires clear disclosure, informed consent, and strict data protection safeguards.

The review also found insecure logging of sensitive operational data, including the API key, API responses, translated text, and error details. This does not prove intentional surveillance, but it increases the exposure surface for sensitive content, especially on rooted or debug enabled devices, during support captures, forensic extraction, or any environment where logs are collected. For a keyboard app, logging processed user text is a serious privacy failure because the data may come directly from private communications.

At the same time, the analyzed sample did not show several classic high risk Android permissions commonly associated with intrusive spyware, including SMS, contacts, camera, microphone, location, accessibility services, or device administrator privileges. The review did not conclusively establish deliberate spyware behavior or covert keylogging. The more precise finding is that RTA Keyboard presents a serious privacy and security risk because it is a keyboard app that transmits user provided text to third party AI infrastructure, handles secrets insecurely, logs sensitive data, and shows weak production hardening.

Methodology

The application was analyzed through static reverse-engineering and manual code review techniques using mobile security tooling, including Foxhound hbx analysis frameworks and decompilation review.

The analyzed sample was distributed as an XAPK package containing a base APK and multiple split configuration APKs. This assessment focused on:

• Application permissions
• Embedded secrets and credentials
• Network communication behavior
• Logging and telemetry practices
• Binary protections and hardening
• Potential privacy and surveillance implications

This review did not include dynamic runtime instrumentation or traffic interception beyond the static analysis scope.

Technical Findings

1. Hardcoded OpenAI API Key Embedded in Application Code

The most severe issue identified during analysis was the presence of a hardcoded OpenAI API key directly embedded within the decompiled application source code.

The application uses this credential to communicate with the OpenAI API endpoint:

https://api.openai.com/v1/chat/completions

The functionality appears to support AI-assisted translation features within the keyboard application.

However, this implementation introduces significant privacy and security concerns because the application constructs prompts directly from user-provided typed text and transmits them to external AI infrastructure using authenticated API requests.

For a keyboard application, this behavior is particularly sensitive because typed content may include:

• Private conversations
• Credentials and passwords
• Financial information
• Personal identifiers
• Political or sensitive communications
• Confidential organizational material

Embedding API secrets directly in client-side applications also represents a major security failure, as such credentials can be trivially extracted through decompilation.

2. Sensitive Data Logging

The application was also found to log sensitive operational and debugging information through Android logging mechanisms.

Observed logged data included:

• API keys
• API responses
• User-provided translated text
• Error messages and debugging details

This significantly increases exposure risk, particularly on:

• Rooted devices
• Debug-enabled devices
• Shared or monitored environments
• Devices subject to forensic extraction
• Environments where log aggregation tools are present

For applications processing keyboard input, logging typed or processed content represents a serious privacy concern.

3. Privacy and Surveillance Risk Considerations

While the application did not request several traditionally high-risk Android permissions such as:

• SMS access
• Contacts access
• Camera access
• Microphone access
• Accessibility privileges
• Device administrator privileges
• Location access

The nature of keyboard applications themselves inherently creates elevated risk.

Keyboard applications operate with privileged access to user input streams. As a result, any transmission, storage, or processing of typed content must be treated as highly sensitive.

The application’s undisclosed transmission of typed content to third-party AI infrastructure raises substantial transparency and consent concerns, particularly in environments where journalists, activists, dissidents, or civil society groups may rely on secure communications.

4. Weak Production Hardening

The application also demonstrated limited binary protections and production hardening measures, including:

• Easy decompilation
• Lack of effective obfuscation
• Exposure of sensitive constants
• Enabled backup behavior
• Limited integrity protections

These weaknesses increase the likelihood of abuse, tampering, credential extraction, and unauthorized analysis of application internals.

Risk Assessment

Based on the findings of this static analysis, we assess the application as presenting a high privacy and security risk for end users.

While this review did not conclusively establish malicious spyware behavior or intentional keylogging operations, the application possesses technical characteristics that create serious surveillance and data exposure concerns.

In particular:

• The application processes highly sensitive keyboard input
• Typed content is transmitted to external AI services
• Sensitive data is logged insecurely
• User transparency appears insufficient
• Embedded secrets demonstrate weak operational security practices

Taken together, these findings create conditions under which sensitive user data could be exposed, intercepted, misused, or collected without meaningful informed consent.

Recommendations

We strongly recommend that users avoid installing or using this application until substantial security and transparency improvements are independently verified.

We further recommend the following remediation measures for the developers and distributors of the application:

Immediate Actions

• Revoke all exposed API credentials immediately
• Remove embedded secrets from client-side code
• Remove sensitive logging functionality
• Publicly disclose all third-party data processing practices

Architectural Changes

• Route AI requests through a secured backend infrastructure
• Implement explicit user consent for external text processing
• Minimize retention and transmission of typed content
• Disable unnecessary backup behaviors

Security Hardening

• Add proper code obfuscation and integrity protections
• Conduct independent third-party security audits
• Publish transparent privacy policies and data handling documentation

Conclusion

Keyboard applications occupy one of the most sensitive positions within the mobile ecosystem because they can access nearly everything a user types.

Our analysis identified multiple security and privacy issues within the RTA Keyboard application that raise significant concerns regarding user safety, transparency, and data protection.

Although the analysis did not conclusively confirm deliberate spyware activity, the identified behaviors and architectural decisions create a high-risk environment for potential misuse, surveillance, or unintended exposure of sensitive user information.

Given the context in which such applications may be deployed, particularly among vulnerable populations, journalists, activists, and civil society actors, we advise against the use of this application until comprehensive remediation and independent security validation are completed.