Hundreds of Android flashlight apps are requesting a large number of permissions on every install, and in the vast majority of cases, without providing the needed functionality in return.
Avast Security Evangelist Luis Corrons said he tested all the Android flashlight apps that were ever uploaded on the Play Store. In total, he found 937 apps, seven of which were downright malicious.
Of the rest, Corrons said, the vast majority requested a large number of permissions, averaging 25 permissions per app.
Twenty-five may sound small, but for a flashlight app it is a lot. A flashlight has no business asking for more than a couple of permissions, and on modern devices most users don't need a flashlight app at all.
Flashlight apps were all the rage in Android's early days, when developers figured out they could keep a phone's camera flash LED switched on as a torch. However, since 2014, Android 5 (Lollipop) has shipped with a built-in flashlight toggle.
Users with modern smartphones don't need flashlight apps, but users with older devices still rely on them. However, the number of permissions some of these flashlight apps request is bordering on the absurd.
"There might be variables average users are not aware of and that are needed for these apps to work, but if 408 of the apps need just 10 permissions or less, which seems fairly reasonable, how come there are 262 apps that require 50 permissions or more," Corrons said in a report published this week.
The Avast researcher said he found 77 flashlight apps that requested more than 50 permissions, which is about a third of the total number of permissions the Android OS supports.
The champions were two apps that requested 77 permissions, followed by another three, which requested 76.
| No. | App Name | Permissions Count | Number of Downloads |
| --- | --- | --- | --- |
| 1 | Ultra Color Flashlight | 77 | 100,000 |
| 2 | Super Bright Flashlight | 77 | 100,000 |
| 4 | Brightest LED Flashlight — Multi LED & SOS Mode | 76 | 100,000 |
| 5 | Fun Flashlight SOS mode & Multi LED | 76 | 100,000 |
| 6 | Super Flashlight LED & Morse code | 74 | 1,000,000 |
| 7 | FlashLight – Brightest Flash Light | 71 | 1,000,000 |
| 8 | Flashlight for Samsung | 70 | 500,000 |
| 9 | Flashlight – Brightest LED Light & Call Flash | 68 | 1,000,000 |
| 10 | Free Flashlight – Brightest LED, Call Screen | 68 | 500,000 |
But while Corrons said that some apps appeared to justify some of the permissions they asked for, these were the exception rather than the rule.
"Believe me when I say that some of the permissions requested by the flashlight apps are really hard to explain, like the right to record audio, requested by 77 apps; read contact lists, requested by 180 apps, or even write contacts, which 21 flashlight apps request permission to do," Corrons said.
Further, the Avast researcher also found tens or even hundreds of other flashlight apps requesting other, equally dangerous permissions, such as the ability to kill background processes, place phone calls, send and read SMS messages, access geolocation data, or trigger downloads without notifying the user.
Many of these permissions are routinely used by malware, and an app that already holds them can be turned against its users with little effort.
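The permissions listed above are all declared statically in an app's manifest, so the check Corrons and Opdenakker recommend later in the article (look at what an app asks for before installing it) can be automated. The script below is an added example, not Avast's tooling or anything from the apps named here. It reads the plain-text AndroidManifest.xml that `apktool d app.apk` produces (the binary manifest inside an APK must be decoded first), counts the declared permissions, and flags the ones the article singles out. The sample manifest and the `TORCH_BASELINE` set (what a torch app might plausibly need) are constructed assumptions for the example.

```python
"""Audit the permissions declared in a decoded AndroidManifest.xml.

Added example: expects the plain-text manifest written by `apktool d app.apk`
(app/AndroidManifest.xml), not the binary AXML inside the APK itself.
"""
import sys
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumption: what a torch app could plausibly justify. Pre-Lollipop torch mode
# went through the Camera API and needed CAMERA (and some apps declared the old
# FLASHLIGHT permission); Android 5's CameraManager.setTorchMode() needs neither.
TORCH_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Permissions the article calls out as hard to explain for a flashlight app.
RED_FLAGS = {
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.WRITE_CONTACTS": "write contacts",
    "android.permission.KILL_BACKGROUND_PROCESSES": "kill background processes",
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.DOWNLOAD_WITHOUT_NOTIFICATION": "silent downloads",
}

PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}


def declared_permissions(manifest_xml: str) -> list:
    """Return the android:name of every <uses-permission*> element, in
    manifest order, with duplicates removed."""
    root = ET.fromstring(manifest_xml)
    names = []
    for el in root.iter():
        if el.tag in PERMISSION_TAGS:
            name = el.get(f"{{{ANDROID_NS}}}name")
            if name and name not in names:
                names.append(name)
    return names


def audit(manifest_xml: str) -> dict:
    """Count permissions, flag the red-flag ones, and list anything beyond the
    torch baseline so a reviewer can ask the developer to justify it."""
    perms = declared_permissions(manifest_xml)
    flagged = {p: RED_FLAGS[p] for p in perms if p in RED_FLAGS}
    beyond_baseline = [p for p in perms if p not in TORCH_BASELINE]
    if flagged:
        verdict = "reject"
    elif beyond_baseline:
        verdict = "review"
    else:
        verdict = "ok"
    return {
        "count": len(perms),
        "flagged": flagged,
        "beyond_torch_baseline": beyond_baseline,
        "verdict": verdict,
    }


def audit_file(path: str) -> dict:
    with open(path, encoding="utf-8") as fh:
        return audit(fh.read())


# Constructed sample manifests for the example; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Torch"/>
</manifest>
"""

CLEAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plaintorch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application android:label="Plain Torch"/>
</manifest>
"""

if __name__ == "__main__":
    # Usage: python audit_manifest.py [path/to/AndroidManifest.xml]
    report = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit(SAMPLE_MANIFEST)
    print(f"{report['count']} permissions, verdict: {report['verdict']}")
    for perm, why in report["flagged"].items():
        print(f"  RED FLAG {perm} ({why})")
    for perm in report["beyond_torch_baseline"]:
        if perm not in report["flagged"]:
            print(f"  justify  {perm}")
```

The "review" verdict is deliberate: a permission such as INTERNET is not on the article's list of abuses, but a torch has no obvious reason for it either, and Corrons's point is that the developer, not the user, should have to explain each one. Run against the decoded manifests of a batch of APKs, the `count` field alone reproduces the distribution he reports (10 or fewer versus 50 or more).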
This has, in fact, been the modus operandi of many malware gangs operating on the Play Store for years. Their tactic is to gain users' trust with a simple, innocent-looking app, then turn it into malware at a later date through an update.
An incident like this happened just last month, when security researchers from Kaspersky discovered that a popular app with over 100 million users had suddenly turned into adware after an update.
Something like this can happen at any time with any of these flashlight apps, which can all turn malicious after an update, security researcher John Opdenakker told ZDNet in an interview.
"Even if the intent might not be malicious at the moment of installation, this could change over time and all kinds of harm can be done," Opdenakker said. "For instance your phone might get infected with malware or data can be stolen."
Opdenakker, like countless security researchers before him, recommends that users pay attention to the permissions apps request or list on their Play Store pages.
"Google doesn't have a good reputation when it comes to keeping malware out of its Play Store," he said. "Be wary of apps that ask for excessive permissions. It could be a sign that they are malicious."
"Checking the permissions apps request before we install them is a must, and if we do not understand or do not feel comfortable with them, they should not be installed," Corrons, the Avast researcher who looked into the Play Store flashlight apps, also added.
The researcher also gave another sound piece of advice: users should not trust what they read in an app's Play Store description.
Corrons said he found an app that claimed on its Play Store description that it "has no unnecessary permissions," yet it proceeded to request 61 permissions when Corrons tested it.