An Avast researcher shed some light on the number and invasiveness of the permissions requested by various publishers to download and install their flashlight app.
The security firm’s analyst Luis Corrons looked at 937 Android flashlight apps available and found on average each required 25 permissions ranging from the basic and obvious need to access the flash to those that were harder to understand, such as, the right to record au dio, read contact lists or to kill background processes. Corrons could point to three permissions that are truly required, flash access, Internet access and screen lock.
Almost half of the apps required 10 permissions or less, but 262 demanded 50 or more permissions with two topping out at 77.
“Taking a close look at some of these, permissions like KILL_BACKGROUND_PROCESSES, are very powerful and can be abused for malicious purposes, for example, it could be used to kill a security app. However, the use case of some flashlight apps is to reduce the battery consumption, so you can use the app longer,” Corrons wrote.
On top of requesting unneeded permissions Corrons found apps that flat out lied in their descriptions saying they required no unnecessary permissions, but in fact asked for dozens.
Corrons noted that just because the permissions are requested does not mean the apps are malicious.
“However, that doesn’t mean they are completely innocent or that third-parties aren’t harvesting data from users devices, but again, when a user installs an app, they grant the app and any third-parties associated with it, the right to carry out actions the app lists in the permissions section,” he said.