Tom`s Hardware journalists analyzed this problem and concluded that users were right, actually. The Cloud Driver utility collects the data and then transmits them on the remote server of Alibaba Group.
It appears that a developer doesn`t monitor all keystrokes but counts the keystrokes of every separate keyboard button. Perhaps, it`s a way to collect the statistics about “the life cycles” of certain devices.
The collected data aren`t decrypted and sent to the Chinese server as a plain text to 22.214.171.124 address where cms/json/putkeyusedata.php and /cms/json/putuserevent.php are stored (see the illustration below; it was published by one of the users of such infected keyboard).
There is no official information about the keylogger functions affected ManisTek keyboard. Besides, the company representatives turned a blind eye to journalists` query. Moreover, many companies exploit the cloud services of Alibaba Group, including Google and Amazon ones. So, the data receiver remains unknown.
Specialists advice do not use potentially insecure keyboards. However, one can block the keylogger activity if he assured himself that MantisTek Cloud Driver utility isn`t run in the background. One more way is to block the CMS.exe at the Firewall level.