
Our smartphones have become a tool that most of us admit we could not live without. After only a few taps on our screen, we can monitor our inbox, our bank account, our social media networks and now, even our homes.

What we often don’t realize, however, is the amount of personal information our phones actually store and how easily accessible we make this data, not only for ourselves, but for others, too. A recent Android study proves many of us are likely not careful enough.

A group of researchers at Snoopwall—a technology solution that detects and blocks spyware and malware on a variety of platforms—found that the most widely used flashlight apps are furtively stealing personal information stored on users’ mobile devices.

According to the company’s Threat Assessment Report, the top 10 searched flashlight apps in the Google Play Store all perform functions that surpass the basic needs of what flashlight apps should be executing.

Screenshot of “flashlight app” keyword search in Google Play, displaying all malicious flashlight apps detected thus far.

These seemingly harmless apps, which have accumulated half a billion downloads, have put the privacy and security of users at risk simply by requesting excessive permissions that users unknowingly grant, including permission to:

  • Modify or delete the contents of your USB storage
  • Change system display settings
  • Precise location (GPS and network-based)
  • Write Home settings and shortcuts
  • View all network connections

For Ken Westin, a security researcher at Tripwire, this is all too familiar: “There is little vetting of applications before they are deployed. When you install an Android app, it shows you what it has permissions to access, but most people ignore it and just click next to get the app installed. There are a lot of free apps that have permissions on devices they shouldn’t, even ‘security’ applications.”

Some users might have felt safe downloading the apps because they installed them from Google Play and not a third-party site, but as Tripwire CTO Dwayne Melancon explains, that doesn’t make an app any more secure.

“Android is pretty ‘Wild Wild West’ because the apps are not well curated,” said Melancon. “People often misunderstand the warning not to download apps from unknown or trusted sources. They’ll say, ‘I got it off the Play store—I trust that source’ without realizing the unknown and untrusted author of the app is the actual source.”

For the short term, users are encouraged to uninstall any of the malicious flashlight apps listed here. If your app is able to modify your phone’s storage and/or write settings, it is recommended that you reset your phone. A factory reset and/or complete wipe might be necessary.

Going forward, users are advised to follow a number of best practices that improve both privacy and security on their mobile devices, such as:

  1. Disabling GPS, except when traveling or in the event of an emergency
  2. Disabling Near Field Communications (or iBeacon for Apple devices) permanently
  3. Disabling Bluetooth, except when making a hands-free call while driving
  4. Covering the microphone and/or webcam with tape when neither is in use

Most importantly, however, users need to begin looking at the permissions their apps request of them more closely. We should all be using common sense to ask whether a particular app needs access to the information it wants. If it doesn’t, we’re better off doing some research online and looking for safer alternatives, like this privacy flashlight developed by Snoopwall.
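The permission review described above can also be scripted for an APK you are vetting. The following is an added example, not code from the article or from Snoopwall's report: it parses output in the style of `aapt dump permissions` and reports everything requested beyond what a flashlight needs. The baseline set, the mapping from the article's permission labels to manifest names, and the sample package `com.example.torch` are assumptions of this example.

```python
import re

# Assumption: a torch app only needs access to the camera LED.
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# The article's permission labels mapped to manifest names (mapping assumed here).
ARTICLE_FLAGGED = {
    "android.permission.WRITE_EXTERNAL_STORAGE": "Modify or delete the contents of your USB storage",
    "android.permission.CHANGE_CONFIGURATION": "Change system display settings",
    "android.permission.ACCESS_FINE_LOCATION": "Precise location (GPS and network-based)",
    "com.android.launcher.permission.WRITE_SETTINGS": "Write Home settings and shortcuts",
    "android.permission.ACCESS_NETWORK_STATE": "View all network connections",
}

# Constructed sample in the style of `aapt dump permissions app.apk`;
# the last line uses the older output form without name='...'.
SAMPLE_DUMP = """\
package: com.example.torch
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.FLASHLIGHT'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
uses-permission: name='android.permission.ACCESS_NETWORK_STATE'
uses-permission: name='android.permission.INTERNET'
uses-permission: android.permission.READ_PHONE_STATE
"""

_PERM_RE = re.compile(r"^\s*uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")

def parse_permissions(dump):
    """Return the set of permission names declared in the dump text."""
    found = (_PERM_RE.match(line) for line in dump.splitlines())
    return {m.group(1) for m in found if m}

def audit(dump, baseline=FLASHLIGHT_BASELINE):
    """Split requested permissions into baseline, article-flagged and other excess."""
    excess = parse_permissions(dump) - set(baseline)
    return {
        "excess": sorted(excess),
        "article_flagged": {p: ARTICLE_FLAGGED[p] for p in sorted(excess) if p in ARTICLE_FLAGGED},
        "other_excess": sorted(excess - set(ARTICLE_FLAGGED)),
    }

if __name__ == "__main__":
    report = audit(SAMPLE_DUMP)
    for perm in report["excess"]:
        label = report["article_flagged"].get(perm, "not in the article's list; review manually")
        print(f"{perm}: {label}")
```

Permissions in `other_excess` are not automatically harmful; they are the ones to question before installing.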

Common sense goes a long way in protecting ourselves online and on our phones, and it’s up to us to accept that responsibility.

 

  • Rini

    Every time I install a free app and it requests seemingly unnecessary permissions, I hesitate. But since there is no way in the Play Store to selectively block/allow permissions, and since everyone I know has used the app, I finally install them. I am glad some research has been done on this and probably future apps will have more fine-grained permissions that can be changed after installation also.

  • Really

    Just about every app on my phone has the ability to read and write to the usb storage. If that is the criteria for a malicious app then they all are.

  • YouAreAtTool

    Gee, thanks for the unrealistic recommendations…

  • DVAPPS

    This has given rise to the need for mobile security tools that can lock applications from unauthorized use. The unauthorized access can not only be a result of theft but can also be due to prying friends and snoopy co-workers. With mobile security tools installed, you can hand over the phone to anyone, even a stranger for example to make a phone call, without worrying that they will snoop around the minute you turn your back.

  • Thank you, David, for this awesome info and tips to protect mobiles from not certified apps. I'll think twice next time I download an app.