Press releases

Avast Finds Flashlight Apps on Google Play Requesting Up to 77 Permissions

Avast researchers found flashlight apps request 25 permissions on average

Avast researchers found flashlight apps request 25 permissions on average


Prague, Czech Republic, September 10, 2019Avast [LSE: AVST], a global leader in digital security products, has found that Android flashlight applications request an average of 25 permissions. Using apklab.io, Avast’s mobile threat intelligence platform, Avast analyzed the permissions requested by 937 flashlight apps that either once made it onto the Google Play Store or are still available on the Store. Out of these, 408 request 10 permissions or less, 267 request between 11 and 49 permissions, and 262 apps request between 50 and 77 permissions. 

Apps taking their right to request permissions too far 

Applications can request permissions to access data or features on devices they need in order to function properly. For example, a flashlight application needs access to the phone’s flash in order to use it as a flashlight. However, many applications request access to more permissions than they actually need.

“Some of the permissions requested by the flashlight applications we looked into are really hard to explain, like the right to record audio, requested by 77 apps; read contact lists, requested by 180 apps, or even write contacts, which 21 flashlight apps request permission to do,” says Luis Corrons, Security Evangelist at Avast. “The flashlight apps we looked into are just an example of how even the simplest apps can access personal data, and it’s often not just the app developers that gain access to data when users download an app, but the ad partners they work with to monetize. Developer privacy policies are unfortunately not inclusive, as in many cases, further privacy policies from third-parties are linked within them.”

Top 10 of apps active on Google Play requesting most permissions

 

No.

App Name

Permissions count

Number of downloads

1

Ultra Color Flashlight

77

100,000

2

Super Bright Flashlight

77

100,000

3

Flashlight Plus

76

1,000,000

4

Brightest LED Flashlight -- Multi LED & SOS Mode

76

100,000

5

Fun Flashlight SOS mode & Multi LED

76

100,000

6

Super Flashlight LED & Morse code

74

1,000,000

7

FlashLight – Brightest Flash Light

71

1,000,000

8

Flashlight for Samsung

70

500,000

9

Flashlight - Brightest LED Light &Call Flash

68

1,000,000

10

Free Flashlight – Brightest LED, Call Screen

68

500,000

 

Permissions in a gray area

There is a gray area when it comes to flagging apps requesting too many permissions as malicious or potentially unwanted, as users themselves grant the permissions, which is why many security solutions do not mark them as malicious. Apps can request outlandish permissions, but that does not mean they carry out malicious activities, per se. When a user installs an app, they grant the app and any third-parties associated with it, the right to carry out actions the app lists in the permissions section. App developers often integrate ad software development kits (SDKs) into their code to earn money from advertisers. To allow these SDKs to target users with ads, the apps request countless amounts permissions.

It is therefore imperative that users carefully check the  permissions an app requests, before installing the app. Furthermore, users should carefully read the privacy policies and terms and conditions, as well as user reviews on the app’s download page. 

A full analysis of the flashlight apps can be found on the Avast Decoded blog.