Google has been tightening up its security checks for applications on the Play Store for quite a while. Yet, these efforts do not really seem fruitful with regardk to permissions that applications request. Recently, researchers have spotted numerous Android flashlight apps seeking weird device permissions.
Android Flashlight Apps Requiring Needless Permissions
Researcher from Avast, Luis Corrons, has pointed out hundreds of Android Flashlight apps seeking unnecessary permissions. Elaborating the details in a blog post, the researcher stated that he found these flashlight applications requesting permissions which seem unrelated to the apps’ functionality. As stated in his blog post,
One would think the permissions needed by these apps would be limited just to accessing the phone’s flashlight, the Internet, for the app can show in-app advertisements, and access to the lock screen, so the app can turn the flashlight on and off without having to unlock the phone. However, the alarming truth is that the average number of permissions requested by a flashlight app is 25(!).
He tested 937 flashlight apps that once existed or still exist on the Play Store. While he noticed 7 of such apps having unwanted behavior, the rest 930 were seemingly ‘clean’. Yet, most of them required needless access to device functionalities. Specifically 408 tested apps requested 10 or fewer permissions. Whereas, around 262 of these apps requested as many as 50 permissions, of which 77 are still active on the Play Store.
What’s more alarming is that there are some apps that request as many as 77 permissions.
Apps Requesting Most Permissions
No. | App Name | Permissions Count | Number of Downloads |
1 | Ultra Color Flashlight | 77 | 100,000 |
2 | Super Bright Flashlight | 77 | 100,000 |
3 | Flashlight Plus | 76 | 1,000,000 |
4 | Brightest LED Flashlight — Multi LED & SOS Mode | 76 | 100,000 |
5 | Fun Flashlight SOS mode & Multi LED | 76 | 100,000 |
6 | Super Flashlight LED & Morse code | 74 | 1,000,000 |
7 | FlashLight – Brightest Flash Light | 71 | 1,000,000 |
8 | Flashlight for Samsung | 70 | 500,000 |
9 | Flashlight – Brightest LED Light & Call Flash | 68 | 1,000,000 |
10 | Free Flashlight – Brightest LED, Call Screen | 68 | 500,000 |
According to Corrons, the purpose of such permissions for a flashlight app are ‘hard to explain’. These include,
Upon further investigation of the apps, the researcher believes that most of these apps link back to only a few developers. Moreover, some of these merely had different Developer IDs.
This appears to be a developer or group of developers with a monetization system, harvesting users’ data and sharing the data with partners.
Make Sure To Check App Permissions
While most of the apps analyzed by the researcher did not seem malicious. The extent of permissions these apps require is certainly alarming. A user may never figure out when a once legit application turns malicious and starts abusing user’s data. Recently, Google has removed one such app, CamScanner, that started delivering adware after existing on the Play Store for 8 years.
Before installing any application one must review the permissions an app asks. It is better to stay cautious rather than becoming a victim of a malware attack later.
This isn’t the first time that Android apps seek explicit device access. A few months ago, researchers highlighted numerous Android VPN apps requesting dangerous permissions.
Let us know your thoughts in the comments.