Fact Check

Flashlight Apps Harbor Data-Stealing Malware?

Flashlight apps could harbor furtive code to steal your personal data and send it to foreign cybercriminals, but so could any phone app.

Published Oct. 1, 2014

Claim:
Flashlight apps harbor furtive code to steal your personal data and send it to foreign cybercriminals.

On 1 October 2014, cybersecurity company SnoopWall released a "threat assessment report" discussing flashlight apps for Android devices and security threats they may pose. Although the report was released to the accompaniment of alarmist news stories about how some flashlight apps could potentially access banking information and cell phone video cameras and send users' personal information to cybercriminals abroad in India, China, and Russia, the SnoopWall report itself neither stated nor offered evidence that such activity was taking place. That report merely charted the permissions accessed by the top ten Android flashlight apps and offered some tips about "best practices for increasing privacy and security on your device without spending any money."

It is indeed the case that a number of flashlight apps can and do request access to permissions and data on users' cell phones that seemingly has nothing to do with the ordinary functioning of the app, and that such permissions could theoretically enable criminals to obtain sensitive personal information from cell phone users. However:


  • Having a flashlight app on your cell phone does not necessarily mean someone is stealing your personal data.
  • Most customers use the flashlight apps that are natively provided with the Android and iOS operating systems on their smartphones, and those apps pose no security threats.
  • Just because an app requests permissions it may not need does not mean the app is being used for nefarious purposes. (Many, many apps request more permissions than they seemingly need.)
  • Nothing about flashlight apps makes them inherently more susceptible to criminal exploitation. (Flashlight apps just happen to be one of the most common cell phone apps.)
  • Any type of cell phone app could potentially be exploited for stealing personal data (or other nefarious reasons).

As the Daily Dot observed of the hysteria generated by SnoopWall’s report, it all appeared to be part of a calculated fear-driven marketing ploy for SnoopWall's own products:

It all sounds pretty scary, but before you go culling your flashlight apps in one massive purge you should know that there’s very little to fear. While SnoopWall’s report makes things sound pretty dire, the company offers no actual proof that these apps are a threat to your personal security or — in the worst possible case — a danger to national security. Not one single shred of evidence is presented to support the company’s claims because none actually exists.

SnoopWall itself has been pushing its own flashlight app (as a replacement for all the ones that are trying to overthrow the U.S. government, naturally) and the oddly named Privacy App which is designed to highlight any other apps on your Android device that are a security risk and could do you harm.

The end goal here is to score licensing deals with app makers to include the company’s Privacy Shield software in their own apps. Just like the flashlight apps using you as ad fodder, SnoopWall wants your support which it can leverage in order to pay the bills. Companies need paychecks too, after all.

But that’s not the only thing that appears a bit hypocritical about SnoopWall’s agressive attack against “dishonest” app developers. In researching SnoopWall’s generically named Privacy App I found that users almost universally agree that the app simply doesn’t work.

While the app promises to “find all the apps that are spying on you,” the user reviews suggest it’s not doing much good. The entire front page of the app’s Google Play listing is filled with reviews saying that the app produces nothing but false positives

SnoopWall's "threat assessment report" suggested that flashlight apps are more prone to requesting access to unneeded permissions and data than any other category of app, but as Wired noted, many other types of apps "want access to information they probably shouldn't," and the fact that a given app has access to data doesn't necessarily mean the app is actually stealing that data and transmitting it to internatonal cybercriminals. It may be the case, though, that you're paying for your "free" app by unwittingly allowing your personal data to be shared with marketers:

The Flashlight app on my phone is built by a company called iHandy. [A] mobile phone security operation called Appthority did an analysis of the data that Flashlight can potentially request, and it's pretty scary.

According to Appthority's president, Domingo Guerra, Flashlight is designed to do location tracking, read my calendar, use my camera, gain access to unique numbers that identify my phone, and then share data with a number of ad networks, including Google’s AdMob, iAd, and JumpTap. It may not actually be doing all of these things — Appthority's analysis only shows what the software is capable of, not necessarily what it's actually up to — but the fact that there's such an arsenal of dubious uses should raise eyebrows.

On my phone, several apps want access to information they probably shouldn't, and odds are, that's the case with your phone, too. The lesson here is that when it comes to mobile software, there’s really no such thing as a free app.

All in all, as the Guardian noted, "developers are often asking for far greater power over a user's device, in order to collect data and sell it on to marketers and ad networks. It's the latest reminder that if you're not paying for an app, its business model may well involve selling your data." Or, as Jeff Werner of the Northwest Florida Daily News observed:

Personally, I'm inclined to believe that there are apps out there that are sending personal data to places where that data has no business going, [but] I would be surprised if it was limited to flashlight apps. At the end of the day, it's important for you to make your own decisions. Be informed, but don't believe every last thing you see or read on the Internet. When it comes to your smartphone, because of the unique nature of the data it contains, and the sites that many of us access with it, be very careful which apps you choose to install. The fewer apps you select, and the more mainstream they are, the less vulnerable you will be to theft of your data.

One flashlight app developer, Goldenshores Technologies (makers of the "Brightest Flashlight" app for Android), settled a complaint with the FTC in 2014 over their collecting location data and unique device IDs from users' devices and sharing that data with advertisers. So when it comes to apps — even "free ones" — caveat emptor.

Sources

Davis, Gary.   "Flashlight App Steals Data, Leaves Users in Dark."     McAfee Blog Central.   9 December 2013.

Fox-Brewster, Tom.   "Check the Permissions: Android Flashlight Apps Criticised Over Privacy."     The Guardian.   3 October 2014.

Hayes, Jessica.   "Smartphone Apps Could Spy on Users."     WISH-TV [Indianapolis].   23 October 2014.

McMillan, Robert.   "The Hidden Privacy Threat of ... Flashlight Apps?"     Wired.   21 October 2014.

Werner, Jeff.   "Flashlight App Malware Could Be More Prevalent Than Originally Thought."     Northwest Florida Daily News.   30 January 2015.

Wehner, Mike.   "A Closer Look at the Company Behind Flashlight App Fear-Mongering."     The Daily Dot.   31 October 2014.

Kim LaCapria is a former writer for Snopes.

David Mikkelson founded the site now known as snopes.com back in 1994.