A new report claims that Android flashlight apps are requesting a large number of permissions on every install, giving them access to huge amounts of device information. For example, 180 different flashlight apps request access to your contacts list.
A report from Avast Security claims that hundreds of Android flashlight apps are requesting a large number of device permissions that are not needed, gaining in-depth access to users' devices. Avast Security Evangelist Luis Corrons stated that he tested all of the Android flashlight apps that were on the Google Play Store, totaling 937 different apps. Seven were reportedly outright malicious apps designed to infect users' phones with viruses, but many others requested a startling amount of device access.
Corrons states in his report:
Now, one would think the permissions needed by these apps would be limited just to accessing the phone’s flashlight, the Internet, for the app can show in-app advertisements, and access to the lock screen, so the app can turn the flashlight on and off without having to unlock the phone. However, the alarming truth is that the average number of permissions requested by a flashlight app is 25(!).
There might be variables average users are not aware of and that are needed for these apps to work, but if 408 of the apps need just 10 permissions or less, which seems fairly reasonable, how come there are 262 apps that require 50 permissions or more (up to 77 of those still active today)? Maybe these apps provide more functionalities and thus require more permissions. The concern should not just be around the amount of permissions, but around what we give apps access to.
The report includes a breakdown of some of the permissions requested by the flashlight apps, with many requesting access to users' contact lists, to make phone calls and to access users' locations.
Corrons notes that the KILL_BACKGROUND_PROCESSES permission can be used to stop security apps; however, some flashlight apps may use it to stop other applications and lower battery consumption, allowing the flashlight to operate for longer. Corrons states in his report:
There is a big gray area when it comes to apps like these, which is why we do not mark them all as malicious. While they do request outlandish permissions, they do not carry out any malicious actions and they are asking users for these permissions. However, that doesn’t mean they are completely innocent or that third-parties aren’t harvesting data from users' devices, but again, when a user installs an app, they grant the app and any third-parties associated with it, the right to carry out actions the app lists in the permissions section.
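The kind of permission review the report describes can be run against a single app. The following Python is an added example, not code from Avast or from this article; it assumes the app's AndroidManifest.xml has already been decoded to text XML, and the BASELINE set is an assumed mapping of the needs Corrons lists onto Android permission names.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."
# Assumed baseline: a mapping of the needs the report names (flashlight,
# Internet for ads, lock-screen access) onto Android permission names.
BASELINE = {"CAMERA", "FLASHLIGHT", "INTERNET", "WAKE_LOCK", "DISABLE_KEYGUARD"}
# Permissions the article singles out, with the access each one grants.
SENSITIVE = {
    "READ_CONTACTS": "reads the contact list",
    "CALL_PHONE": "places phone calls",
    "ACCESS_FINE_LOCATION": "reads precise location",
    "KILL_BACKGROUND_PROCESSES": "can stop other apps, e.g. security apps",
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names a manifest requests."""
    root = ET.fromstring(manifest_xml)  # input: manifest already decoded to text
    names = set()
    # uses-permission-sdk-23 is the API 23+ variant of the same declaration.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = (node.get(ANDROID_NS + "name") or "").strip()
            if name:
                names.add(name)
    return sorted(names)

def audit(manifest_xml, baseline=BASELINE):
    short = [p[len(PREFIX):] if p.startswith(PREFIX) else p
             for p in requested_permissions(manifest_xml)]
    # Buckets use the report's figures: 10 or fewer, 50 or more.
    bucket = "low" if len(short) <= 10 else "high" if len(short) >= 50 else "medium"
    return {"count": len(short), "bucket": bucket,
            "unexpected": [p for p in short if p not in baseline],
            "sensitive": {p: SENSITIVE[p] for p in short if p in SENSITIVE}}

# Constructed sample manifest, not taken from any real app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
</manifest>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The constructed sample requests only seven permissions, inside the range the report calls reasonable, yet four of them grant contact, calling, location or process-killing access, which is why the count alone is not enough to judge an app.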