An Avast security researcher has issued a warning imploring Android owners to remove some 937 Android flashlight apps found in the Google Play Store. He found that on average, each of these apps requested 25 separate system permissions for unknown purposes, while some requested more than 70. Time to do some spring cleaning, methinks.
In a blog post entitled Flashlight Apps on Google Play Request Up to 77 Permissions, Avast Security Evangelist Luis Corrons explains why you should probably do away with third-party flashlight apps and stick with Android’s inbuilt offering instead. The reason is the astonishing number of permissions they require to enable installation.
Corrons assessed more than 930 flashlight Android applications and found that well over half required at least 11 permissions – and usually many more.
“One would think the permissions needed by [flashlight] apps would be limited just to accessing the phone’s flashlight, the internet and access to the lock screen, so the app can turn the flashlight on and off without having to unlock the phone. However, the alarming truth is that the average number of permissions requested by a flashlight app is 25,” Corrons said.
“Some of the permissions requested by the flashlight apps are really hard to explain, like the right to record audio, requested by 77 apps; read contact lists, requested by 180 apps, or even write contacts, which 21 flashlight apps request permission to do.”
Disturbingly, some of the apps required the KILL_BACKGROUND_PROCESSES permission. As Corrons points out, this could potentially be used to kill a security app without the user knowing.
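To make the check concrete, here is an added example (not from Avast's report) that audits a decoded AndroidManifest.xml against a flashlight baseline and flags the permissions named above. It assumes the manifest has already been decoded to plain XML (for instance with apktool); the baseline set and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Assumed baseline: a mapping of "flashlight and internet" from the quote
# above onto concrete permission names (this example's assumption).
BASELINE = {"CAMERA", "FLASHLIGHT", "INTERNET"}
# Permissions the article singles out as hard to explain or risky.
HIGH_RISK = {"RECORD_AUDIO", "READ_CONTACTS", "WRITE_CONTACTS",
             "KILL_BACKGROUND_PROCESSES"}

def requested_permissions(manifest_xml):
    """Return the de-duplicated permission names declared in a manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Permissions can be declared with either element.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                short = name[len(PREFIX):] if name.startswith(PREFIX) else name
                names.add(short)
    return names

def audit(manifest_xml):
    """Summarise how far an app strays from the flashlight baseline."""
    perms = requested_permissions(manifest_xml)
    return {
        "total": len(perms),
        "high_risk": sorted(perms & HIGH_RISK),
        "unexpected": sorted(perms - BASELINE - HIGH_RISK),
    }

# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="com.android.vending.BILLING"/>
</manifest>"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```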
Below are the ten flashlight apps that requested the most permissions. As you can see, while some have only been downloaded a few dozen times, others have managed to amass over a million customers. If you have a flashlight app on your phone right now, there’s a fair chance it’s one of these.
Top 10 apps requesting most permissions
| App Name | Permissions Count | Number of Downloads |
|---|---|---|
| Ultra Color Flashlight | 77 | 100,000 |
| Super Bright Flashlight | 77 | 100,000 |
| Brightest LED Flashlight — Multi LED & SOS Mode | 76 | 100,000 |
| Fun Flashlight SOS mode & Multi LED | 76 | 100,000 |
| Super Flashlight LED & Morse code | 74 | 1,000,000 |
| FlashLight – Brightest Flash Light | 71 | 1,000,000 |
| Flashlight for Samsung | 70 | 500,000 |
| Flashlight – Brightest LED Light & Call Flash | 68 | 1,000,000 |
| Free Flashlight – Brightest LED, Call Screen | 68 | 500,000 |
To be fair, just because an app requests a stack of permissions does not make it malicious. But do you really want to place your trust in a ‘FREE!’ flashlight app from an unknown source? As the adage goes, when something is free, you are the product.
Needless to say, you should always check app permissions carefully before hitting the install button. If a simple on/off flashlight application requests 70 permissions – or even half that number – you should definitely look elsewhere. You can read Corrons’ full report at the link below.