Researchers analyze 937 flashlight apps and find permission requests that could expose users
Avast researchers have found that Android flashlight applications request an average of 25 permissions to access data or features on mobile devices, potentially exposing users in unnecessary ways.
Using apklab.io, Avast’s mobile threat intelligence platform, Avast analyzed the permissions requested by 937 flashlight apps currently or previously on the Google Play Store. Of these, 408 request 10 permissions or fewer, 267 request between 11 and 49 permissions, and 262 request between 50 and 77 permissions.
Applications can request permissions to access the data or device features they need in order to function properly. For example, a flashlight application needs access to the phone’s flash in order to use it as a flashlight. However, many applications request more permissions than they actually need.
“Some of the permissions requested by the flashlight applications we looked into are really hard to explain, like the right to record audio,” said Luis Corrons, a security evangelist at Avast. Seventy-seven apps request that ability, Corrons said. “The flashlight apps we looked into are just an example of how even the simplest apps can access personal data, and it’s often not just the app developers that gain access to data when users download an app, but the ad partners they work with to monetize. Developer privacy policies are unfortunately not inclusive, as in many cases, further privacy policies from third-parties are linked within them.”
| App name | Permissions requested | Downloads |
|---|---|---|
| Ultra Color Flashlight | 77 | 100,000 |
| Super Bright Flashlight | 77 | 100,000 |
| Brightest LED Flashlight -- Multi LED & SOS Mode | 76 | 100,000 |
| Fun Flashlight SOS mode & Multi LED | 76 | 100,000 |
| Super Flashlight LED & Morse code | 74 | 1,000,000 |
| FlashLight – Brightest Flash Light | 71 | 1,000,000 |
| Flashlight for Samsung | 70 | 500,000 |
| Flashlight - Brightest LED Light &Call Flash | 68 | 1,000,000 |
| Free Flashlight – Brightest LED, Call Screen | 68 | 500,000 |
Apps may request inappropriate permissions, but that does not necessarily mean they carry out malicious activities. When a user installs an app, they grant the app and any third parties associated with it the right to carry out the actions the app lists in its permissions section. App developers often integrate ad software development kits (SDKs) into their code to earn money from advertisers. To allow these SDKs to target users with ads, the apps request permissions.
Users can protect themselves by carefully checking the permissions an app requests before installing it, and by reading privacy policies, terms and conditions, and user reviews on the app’s download page. Most phones today include built-in flashlight apps, so there may be no reason to install another.
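The permission check described above can also be run against a decoded `AndroidManifest.xml` (for example, one produced by apktool). The following is an added example, not Avast's or apklab.io's code; the `EXPECTED` baseline for a flashlight, the short `SENSITIVE` list and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: what a flashlight plausibly needs to drive the camera flash.
EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}
# Assumption: a short, non-exhaustive set of permissions guarding personal data.
SENSITIVE = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
}

def requested_permissions(manifest_xml):
    """Return the sorted, de-duplicated permission names in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for elem in root.iter():
        # uses-permission-sdk-23 also requests a permission (on API 23+ only)
        if elem.tag in ("uses-permission", "uses-permission-sdk-23"):
            name = elem.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return sorted(names)

def size_bucket(count):
    """Bucket a permission count using the ranges reported in the article."""
    if count <= 10:
        return "10 or fewer"
    return "11-49" if count <= 49 else "50 or more"

def audit(manifest_xml):
    """Summarise requested permissions against the flashlight baseline."""
    perms = requested_permissions(manifest_xml)
    unexpected = [p for p in perms if p not in EXPECTED]
    return {
        "count": len(perms),
        "bucket": size_bucket(len(perms)),
        "unexpected": unexpected,
        "sensitive": [p for p in unexpected if p in SENSITIVE],
    }

# Constructed sample manifest, not taken from any app named in the article.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""
```

Calling `audit(SAMPLE)` returns the permission count, its size bucket, and the requests that fall outside the baseline, with the sensitive ones listed separately.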
A full analysis of the flashlight apps can be found on the Avast Decoded blog.