Hundreds Of Android Flashlight Apps Demand Unnecessary Permissions

Google has been tightening up its security checks for applications on the Play Store for quite a while. Yet, these efforts do not really seem fruitful with regardk to permissions that applications request. Recently, researchers have spotted numerous Android flashlight apps seeking weird device permissions.

Android Flashlight Apps Requiring Needless Permissions

Researcher from Avast, Luis Corrons, has pointed out hundreds of Android Flashlight apps seeking unnecessary permissions. Elaborating the details in a blog post, the researcher stated that he found these flashlight applications requesting permissions which seem unrelated to the apps’ functionality. As stated in his blog post,

One would think the permissions needed by these apps would be limited just to accessing the phone’s flashlight, the Internet, for the app can show in-app advertisements, and access to the lock screen, so the app can turn the flashlight on and off without having to unlock the phone. However, the alarming truth is that the average number of permissions requested by a flashlight app is 25(!).

He tested 937 flashlight apps that once existed or still exist on the Play Store. While he noticed 7 of such apps having unwanted behavior, the rest 930 were seemingly ‘clean’. Yet, most of them required needless access to device functionalities. Specifically 408  tested apps requested 10 or fewer permissions. Whereas, around 262 of these apps requested as many as 50 permissions, of which 77 are still active on the Play Store.

What’s more alarming is that there are some apps that request as many as 77 permissions.

Apps Requesting Most Permissions
No. App Name Permissions Count Number of Downloads
1 Ultra Color Flashlight 77 100,000
2 Super Bright Flashlight 77 100,000
3 Flashlight Plus 76 1,000,000
4 Brightest LED Flashlight — Multi LED & SOS Mode 76 100,000
5 Fun Flashlight SOS mode & Multi LED 76 100,000
6 Super Flashlight LED & Morse code 74 1,000,000
7 FlashLight – Brightest Flash Light 71 1,000,000
8 Flashlight for Samsung 70 500,000
9 Flashlight – Brightest LED Light & Call Flash 68 1,000,000
10 Free Flashlight – Brightest LED, Call Screen 68 500,000

According to Corrons, the purpose of such permissions for a flashlight app are ‘hard to explain’. These include,

Source: Avast

Upon further investigation of the apps, the researcher believes that most of these apps link back to only a few developers. Moreover, some of these merely had different Developer IDs.

This appears to be a developer or group of developers with a monetization system, harvesting users’ data and sharing the data with partners.

Make Sure To Check App Permissions

While most of the apps analyzed by the researcher did not seem malicious. The extent of permissions these apps require is certainly alarming. A user may never figure out when a once legit application turns malicious and starts abusing user’s data. Recently, Google has removed one such app, CamScanner, that started delivering adware after existing on the Play Store for 8 years.

Before installing any application one must review the permissions an app asks. It is better to stay cautious rather than becoming a victim of a malware attack later.

This isn’t the first time that Android apps seek explicit device access. A few months ago, researchers highlighted numerous Android VPN apps requesting dangerous permissions.

Let us know your thoughts in the comments.

Related posts

GoPlus’s Latest Report Highlights How Blockchain Communities Are Leveraging Critical API Security Data To Mitigate Web3 Threats

C2A Security’s EVSec Risk Management and Automation Platform Gains Traction in Automotive Industry as Companies Seek to Efficiently Meet Regulatory Requirements

ZenHammer Memory Attack Exploits Rowhammer Against AMD CPUs