Startling investigation finds that simple flashlight apps on Android request up to 77 permissionsBGR — Andy Meek
Even though a flashlight capability is now native to the latest smartphones, if you search long enough you can still find hundreds of flashlight apps on the Google Play Store. Apps like Ultra Color Flashlight, Flashlight Plus, Brightest LED Flashlight — Multi LED & SOS Mode, and Fun Flashlight SOS mode & Multi LED — all of which have some interesting things in common.
As noted in a post this week on the Avast Decoded threat intelligence blog, those apps have all racked up at least 100,000 downloads. The exception is Flashlight Plus which, according to the blog’s data, has amassed 1 million. More worrisome, however, is this fact: They each request what seems to be way, way too many permissions. As many as 77, to be exact.
Sounds strange, right? After all, a flashlight app would seem to have a pretty limited purpose — to give the user the functionality of, er, a flashlight.
The Avast blog takes a deep dive into the sketchy nature of app permission requests from a total of 937 flashlight apps that certainly raise some eyebrows. One would think, the blog notes, that the permissions these apps need would be limited to things like accessing the phone’s flashlight; accessing the Internet, to show in-app advertisements; and accessing the lock screen, so the app can turn the flashlight on and off without needing the phone to be unlocked. “However,” the Avast team continues, “the alarming truth is that the average number of permissions requested by a flashlight app is 25(!).”
From the blog post: “Believe me when I say that some of the permissions requested by the flashlight apps are really hard to explain, like the right to record audio, requested by 77 apps; read contact lists, requested by 180 apps, or even write contacts, which 21 flashlight apps request permission to do.”
The whole post is worth a read and serves as a reminder to be wary about app downloads — specifically, about being too cavalier when it comes to apps you aren’t sure about.
To underscore that reminder, the Avast team takes just one app as an example, an app called Flashlight from July 15, 2019. The app helpfully offers up its features, like an “easy-to-use operation and beautiful design.” Per the blog post, on the app’s Play Store page, the app even adds: “This Flashlight is completely free and has no unnecessary permissions. Being the brightest LED flashlight in the world with only a very small package for you to install!”
Sigh. The Avast team actually found the app to be requesting a grand total of 61 permissions — including the ability to make a phone call and to change your network state.