Recently, FaceApp was widely discussed on the Internet, because the company behind it is Russian and the app requests permission to access, among other things, photos. It is clear that FaceApp is not malicious, although it raises valid privacy concerns. However, is this just a special case, or should we be concerned about all the apps we use? I am not talking about stalkerware apps, such as the ones we unveiled in recent weeks, but about the millions of seemingly harmless apps that can be found on the Google Play Store.
To answer this question I used our mobile threat intelligence platform apklab.io to research a category of app that hundreds of millions of users use every now and then: flashlight apps. A few years ago, users had to download such an app to turn the phone into a flashlight, as the function was not native to devices, but since Android Lollipop users can turn the flashlight on and off without needing a specific app. However, there are still hundreds of flashlight apps out there.
apklab.io includes thousands of flashlight apps; however, we focused on the ones that have at some point made it to the Google Play Store. In total I found 937 flashlight Android applications that either were once on the store or are still available there, seven of which are considered malicious or at least potentially unwanted, which means that most of these apps are “clean”.
Now, one would think the permissions needed by these apps would be limited to accessing the phone’s flashlight, the Internet (so the app can show in-app advertisements), and the lock screen (so the app can turn the flashlight on and off without the user having to unlock the phone). However, the alarming truth is that the average number of permissions requested by a flashlight app is 25(!).
There might be features average users are not aware of that require extra permissions for these apps to work, but if 408 of the apps need just 10 permissions or less, which seems fairly reasonable, how come 262 apps require 50 permissions or more (up to 77 of those still active today)? Maybe these apps provide more functionality and thus require more permissions. But the concern should not just be about the number of permissions; it should be about what we give apps access to.
Top 10 of apps active on Google Play requesting most permissions

| No. | App Name | Permissions Count | Number of Downloads |
|---|---|---|---|
| 1 | Ultra Color Flashlight | 77 | 100,000 |
| 2 | Super Bright Flashlight | 77 | 100,000 |
| 4 | Brightest LED Flashlight — Multi LED & SOS Mode | 76 | 100,000 |
| 5 | Fun Flashlight SOS mode & Multi LED | 76 | 100,000 |
| 6 | Super Flashlight LED & Morse code | 74 | 1,000,000 |
| 7 | FlashLight – Brightest Flash Light | 71 | 1,000,000 |
| 8 | Flashlight for Samsung | 70 | 500,000 |
| 9 | Flashlight – Brightest LED Light & Call Flash | 68 | 1,000,000 |
| 10 | Free Flashlight – Brightest LED, Call Screen | 68 | 500,000 |
Believe me when I say that some of the permissions requested by the flashlight apps are really hard to explain: the right to record audio, requested by 77 apps; reading the contact list, requested by 180 apps; or even writing contacts, which 21 flashlight apps request permission to do. Even more outrageous permissions are requested, as can be seen in the list below:
Taking a close look at some of these, permissions like KILL_BACKGROUND_PROCESSES are very powerful and can be abused for malicious purposes; for example, it could be used to kill a security app. However, some flashlight apps use it for a legitimate purpose: killing other processes to reduce battery consumption, so you can use the flashlight longer.
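As an added example, not code from this post or from apklab.io, the Python script below shows how the permission triage discussed above can be scripted against a decoded AndroidManifest.xml (the text form that apktool produces): it lists every uses-permission, counts them, and flags the ones a flashlight cannot justify. The four permissions named above are annotated with the capability they grant; the "expected" baseline for a flashlight app, the package name and the manifest itself are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

# Android's XML namespace; attributes such as android:name are stored under it.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Constructed sample: a decoded AndroidManifest.xml for a hypothetical
# flashlight app. It is not any real app's manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.WRITE_CONTACTS"/>
    <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Permissions a flashlight app can plausibly justify (this baseline is an
# assumption of the example): torch/camera access, network for ads, keeping
# the screen awake, and operating from the lock screen.
EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.WAKE_LOCK",
    "android.permission.DISABLE_KEYGUARD",
}

# The permissions singled out in the post, mapped to what granting them allows.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "record audio with the microphone",
    "android.permission.READ_CONTACTS": "read the contact list",
    "android.permission.WRITE_CONTACTS": "modify or add contacts",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill other apps' background processes",
}


def parse_permissions(manifest_xml):
    """Return the android:name of every <uses-permission>, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def triage(manifest_xml):
    """Summarise what a manifest requests relative to the flashlight baseline."""
    root = ET.fromstring(manifest_xml)
    perms = parse_permissions(manifest_xml)
    return {
        "package": root.get("package"),
        "count": len(perms),
        # Anything outside the baseline deserves a second look...
        "unexpected": sorted(p for p in perms if p not in EXPECTED),
        # ...and these are the ones with a concrete privacy or control impact.
        "sensitive": {p: SENSITIVE[p] for p in perms if p in SENSITIVE},
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"{report['package']}: {report['count']} permissions requested")
    for perm in report["unexpected"]:
        note = report["sensitive"].get(perm, "no flashlight use case")
        print(f"  {perm.split('.')[-1]:<28} {note}")
```

Run on a real APK, the manifest would first be decoded (for example with apktool) because the manifest inside an APK is stored in a binary XML format that ElementTree cannot read directly. The baseline set is deliberately small: anything a reviewer cannot explain from the app's stated functionality should end up in the "unexpected" list.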
To see an example of what these apps are doing, I selected one of them, called “Flashlight”, from July 15th 2019. The app is a typical flashlight app, with expected functionalities:
Nothing special, so one would assume that it will request a limited number of permissions. In fact, the app developer explicitly points this out on the app’s Google Play page:
You can’t always trust what you read. The app actually requests 61 permissions. In apklab.io I processed and grouped them to see if there are any security risks. It’s important to keep in mind that just because an app requests these permissions does not make it malicious, but it does mean that if users grant these permissions, the app is capable of doing the following:
Here you can see all the information provided by apklab.io. App developers often opt to work with partners, to show ads or monetize otherwise, in order to offer their apps for free. In addition to displaying ads, there are other, less visible ways that allow partners to make money: gathering data.
I cross-referenced the information in apklab.io to find apps that request the exact same set of permissions as the one shown in the previous screenshot, and I found 208 APKs that request these permissions. Most of the APKs are different versions of the same app, and right now there are ten such apps on the Google Play Store with more than two million downloads.
There are five different developer groups behind these apps, according to the Developer ID shown on the Google Play Store; however, according to my research I can confirm that at least some of them are the same, just using a different Developer ID. This appears to be a developer, or group of developers, with a monetization system that harvests users’ data and shares it with partners.
There is a big gray area when it comes to apps like these, which is why we do not mark them all as malicious. While they do request outlandish permissions, they do not carry out any malicious actions, and they are asking users for these permissions. However, that doesn’t mean they are completely innocent or that third parties aren’t harvesting data from users’ devices. But again, when a user installs an app, they grant the app and any third parties associated with it the right to carry out the actions the app lists in the permissions section.
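The cross-referencing described in the last two paragraphs, finding APKs with an identical permission set and then checking which Developer IDs they are published under, can be reproduced with a few lines of Python. This is an added example and not apklab.io's code: the APK inventory, package names, developer IDs and permission sets are constructed for illustration, and in practice they would come from a manifest-extraction step over each APK plus the store listing.

```python
import hashlib
from collections import defaultdict

# Constructed sample permission sets (not taken from any real app).
BASE = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
    "android.permission.INTERNET",
}
HARVEST = BASE | {
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
}

# Constructed APK inventory: several versions and packages, published under
# hypothetical developer IDs. Two developer IDs ship byte-for-byte the same
# permission set; a third differs by a single permission.
APKS = [
    {"package": "com.example.torch", "version": "1.0", "developer_id": "dev-A", "permissions": HARVEST},
    {"package": "com.example.torch", "version": "1.1", "developer_id": "dev-A", "permissions": HARVEST},
    {"package": "com.example.brightlamp", "version": "2.3", "developer_id": "dev-B", "permissions": HARVEST},
    {"package": "com.example.ledlight", "version": "0.9", "developer_id": "dev-C",
     "permissions": HARVEST | {"android.permission.VIBRATE"}},
    {"package": "com.example.simplelight", "version": "3.0", "developer_id": "dev-D", "permissions": BASE},
]


def fingerprint(perms):
    """Stable identifier for a permission set: hash of the sorted, newline-joined names."""
    canon = "\n".join(sorted(perms))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


def cluster_by_permissions(apks):
    """Group APKs whose permission sets are identical, collapsing versions of one package."""
    clusters = defaultdict(lambda: {"apks": 0, "packages": set(), "developer_ids": set(), "permission_count": 0})
    for apk in apks:
        cluster = clusters[fingerprint(apk["permissions"])]
        cluster["apks"] += 1
        cluster["packages"].add(apk["package"])
        cluster["developer_ids"].add(apk["developer_id"])
        cluster["permission_count"] = len(apk["permissions"])
    return dict(clusters)


def shared_fingerprints(apks, min_developers=2):
    """Clusters whose identical permission set is published under several developer IDs."""
    return {
        fp: cluster
        for fp, cluster in cluster_by_permissions(apks).items()
        if len(cluster["developer_ids"]) >= min_developers
    }


if __name__ == "__main__":
    for fp, cluster in shared_fingerprints(APKS).items():
        print(f"permission set {fp} ({cluster['permission_count']} permissions): "
              f"{cluster['apks']} APKs, {len(cluster['packages'])} packages, "
              f"developer IDs {sorted(cluster['developer_ids'])}")
```

An identical permission set across developer IDs is a lead, not proof that the publishers are the same; in a real investigation it would be combined with other signals (shared code, shared ad or analytics partners, signing certificates) before drawing the conclusion the post draws.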
It is therefore imperative that users carefully check the permissions an app requests, before installing the app.