Threat Research

Flashlight apps on Google Play request up to 77 permissions each, Avast finds

Threat Intelligence Team, 10 September 2019

Researchers analyze 937 flashlight apps and find permission requests that could expose users

Avast researchers have found that Android flashlight applications request an average of 25 permissions to access data or features on mobile devices, potentially exposing users in unnecessary ways.

Using apklab.io, Avast’s mobile threat intelligence platform, Avast analyzed the permissions requested by 937 flashlight apps currently or previously on the Google Play Store. Out of these, 408 request 10 permissions or less, 267 request between 11 and 49 permissions, and 262 apps request between 50 and 77 permissions. 

Applications can request permissions to access data or features on devices they need in order to function properly. For example, a flashlight application needs access to the phone’s flash in order to use it as a flashlight. However, many applications request access to more permissions than they actually need.

“Some of the permissions requested by the flashlight applications we looked into are really hard to explain, like the right to record audio,” said Luis Corrons, a security evangelist at Avast. Seventy-seven apps request that ability, Corrons said. “The flashlight apps we looked into are just an example of how even the simplest apps can access personal data, and it’s often not just the app developers that gain access to data when users download an app, but the ad partners they work with to monetize. Developer privacy policies are unfortunately not inclusive, as in many cases, further privacy policies from third-parties are linked within them.”

Most permission requests among Google Play flashlight apps

App name Permissions requested Downloads 
Ultra Color Flashlight 77 100,000
Super Bright Flashlight 77 100,000
Flashlight Plus 76 1,000,000
Brightest LED Flashlight -- Multi LED & SOS Mode 76 100,000
Fun Flashlight SOS mode & Multi LED 76 100,000
Super Flashlight LED & Morse code 74 1,000,000
FlashLight – Brightest Flash Light 71 1,000,000
Flashlight for Samsung 70 500,000
Flashlight - Brightest LED Light &Call Flash 68 1,000,000
Free Flashlight – Brightest LED, Call Screen 68 500,000

Apps may request inappropriate permissions, but that does not necessarily mean they carry out malicious activities. When a user installs an app, they grant the app and any third-parties associated with it the right to carry out actions the app lists in the permissions section. App developers often integrate ad software development kits (SDKs) into their code to earn money from advertisers. To allow these SDKs to target users with ads, the apps request permissions.

Users can protect themselves by carefully checking the permissions an app requests before installing it, and by reading privacy policies, terms and conditions, and user reviews on the app’s download page. Most phones today include built-in flashlight apps, so there may be no reason to install another. 

A full analysis of the flashlight apps can be found on the Avast Decoded blog