An analysis of Android flashlight applications available in Google Play has revealed that they request an average of 25 permissions, with some requesting up to 77 permissions when installed.
Several years ago, users had to download and install flashlight applications on their devices, but Android now includes the functionality natively. However, flashlight applications continue to exist, and there are hundreds of them.
An investigation performed by Avast’s security researchers has revealed a total of 937 flashlight Android applications that either were once available in the official app store, or continue to be so. Of these, only 7 are considered malicious or potentially unwanted.
While the remaining hundreds of apps should be considered clean and safe, the large number of permissions they request at installation is staggering.
Of the analyzed apps, 408 request just 10 permissions or fewer, which seems fairly reasonable. However, there are 262 apps that ask for 50 permissions or more (up to 77). Thus, the average number of permissions requested by a flashlight app is 25.
“The concern should not just be around the amount of permissions, but around what we give apps access to,” Avast researcher Luis Corrons notes.
Some of the requested permissions, however, are difficult to explain for flashlight applications, the security researcher says.
For example, 77 of the applications request permission to record audio, 180 request permission to read contact lists, and 21 of them want to be able to write contacts.
Other applications also want to be able to get tasks, kill background processes, make phone calls, access location, access Bluetooth, process outgoing or incoming calls, answer calls, receive SMS, get accounts, authenticate accounts, or download content without notifying the user.
“Taking a close look at some of these, permissions like KILL_BACKGROUND_PROCESSES are very powerful and can be abused for malicious purposes; for example, it could be used to kill a security app,” Corrons points out.
One of the analyzed apps, the researcher discovered, had the aforementioned permissions and could also check if the phone is rooted, execute external code, get operator information, change network state, check the installed apps, gain persistence, check for emulators, draw on top of other apps, read and write to external storage, and hide the app icon.
Called “Flashlight”, the app is from July 15, 2019, and requests a total of 61 permissions, but is not the only one to do so. The expert discovered a total of 208 APKs that request the same permissions, most being different versions of the same app.
“Right now there are ten apps on the Google Play Store with more than two million downloads,” the researcher notes.
While the Developer IDs in Google Play suggest there are five different developer groups behind these apps, Corrons discovered that at least some of them are the same, just using a different Developer ID.
“This appears to be a developer or group of developers with a monetization system, harvesting users’ data and sharing the data with partners,” the researcher warns.
While these apps can’t be considered outright malicious, the outlandish permissions they request suggest that they are not innocent either. In fact, they might be used for harvesting data from users’ devices and delivering it to third parties, which makes it imperative for users to carefully check the permissions an app requests before installing the app.
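The permission check described above can be automated against a decoded manifest. The following is an added example, not Avast's tooling or code from the article: it reads the `<uses-permission>` entries from an AndroidManifest.xml (as produced by apktool or similar), lists everything beyond a minimal flashlight baseline, and flags the permissions the article singles out. The manifest, package name and baseline are constructed assumptions.

```python
"""Flag Android permissions a flashlight app has no business requesting.

Added example (not Avast's or the article's code). Audits a decoded
AndroidManifest.xml against a small flashlight baseline.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # android:name, namespaced as ElementTree sees it

# Assumed baseline: the torch is the camera flash, so CAMERA is all a flashlight
# needs (plus the deprecated FLASHLIGHT permission on old releases).
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Permissions the article calls out as hard to justify for a flashlight.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.WRITE_CONTACTS": "modifies contacts",
    "android.permission.KILL_BACKGROUND_PROCESSES": "can kill other apps, e.g. a security app",
    "android.permission.RECEIVE_SMS": "reads incoming SMS",
    "android.permission.ACCESS_FINE_LOCATION": "tracks precise location",
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps",
}


def requested_permissions(manifest_xml: str) -> list:
    """Return every <uses-permission android:name=...> value, in manifest order."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("uses-permission") if el.get(NAME_ATTR)]


def audit(manifest_xml: str) -> dict:
    """Count permissions, list those beyond the baseline, and flag the high-risk ones."""
    perms = requested_permissions(manifest_xml)
    excess = [p for p in perms if p not in FLASHLIGHT_BASELINE]
    return {"total": len(perms), "excess": excess,
            "high_risk": {p: HIGH_RISK[p] for p in excess if p in HIGH_RISK}}


# Constructed manifest for a hypothetical over-permissioned torch app (not a real APK).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.KILL_BACKGROUND_PROCESSES"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['total']} permissions requested, {len(report['excess'])} beyond baseline")
    for perm, why in report["high_risk"].items():
        print(f"  HIGH RISK {perm}: {why}")
```

Permissions not in the baseline but also not in HIGH_RISK (INTERNET in the sample) still appear in `excess`, so a reviewer sees the full surplus rather than only the flagged subset.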