It’s dark and you’ve dropped your keys someplace in the car. The overhead light doesn’t illuminate all the nooks and crannies, so you get out your cell phone and turn on the flashlight app. How convenient for you! And how convenient for the unseen recipients of your GPS coordinates, contacts, and other information the app sends from your cell phone.
You’re not alone in your exposure to this information theft. An estimated half a billion cell phone users have installed flashlight apps that do much more than shine a light.
If you paid attention to the size of the app you installed, you might have wondered why it was over 1 MB in size, when an app that merely turns the light on or off can be less than 1/10 that size. Perhaps the answer was buried in the permissions list you saw when you installed the app – the box that said that in order to work, the app needed to look at everything running on your phone, read and even delete things from your phone, contact people over the Internet, geolocate you, and lots more. However, you didn’t get suspicious enough to hit “Cancel” before installing the app.
If you’ve looked into the spy apps for “watching over your kids, preventing theft, and supervising your employees’ performance”, then you know that an app running on a cell phone can report text messages, calls, photos, browser history, locations, and just about anything else on the phone to a remote monitor. The only tricky part is that you need access to the monitored device for 10-15 minutes to install the app, which then hides itself and so can’t be seen by the phone’s user.
Now suppose you want to monitor someone through his or her cell phone, but you don’t have access to the phone, or they’ve locked it and haven’t told you the unlock code. How can you get the spyware installed? Hmmmm. Aha! How about embedding it in a free app that they just can’t resist – or to add some irony, how about charging them 99 cents for the privilege of installing a spyware-laden app? Then if you can get a few million people to install it, you don’t need a very high hit rate of messages with useful information like bank accounts and credit card numbers to turn a profit on your cybersnooping endeavor. Needless to say, you won’t need to pore through the data yourself; that’s what computers are for.
The Federal Trade Commission’s lawsuit against the developer of the app “Brightest Flashlight”, one of the most popular flashlight apps for Android phones, sheds some light on the tactics used by apps that collect data to be shared with third parties.
But “Brightest Flashlight” is not unique. SnoopWall tested the 10 most popular Android flashlight apps on various smartphones and tablets and found that all of them access data they don’t need for turning a light on and off. Their report, SnoopWall Flashlight Apps Threat Assessment Report, includes these chilling comments: “Some appear specifically designed to collect and expose your personal information to cybercriminals or other nation states. In addition, you are at significant risk if you are doing mobile banking on the same device as one of these free flashlight apps.”
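The gap between what a flashlight needs and what these apps request can be checked mechanically. The following Python sketch is an added example, not code from SnoopWall or the FTC case: it reads a decoded AndroidManifest.xml and lists every requested permission a torch has no use for. The sample manifest and its package name are constructed, and the torch-only baseline is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Assumption: a torch-only app needs nothing beyond the camera flash.
BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}
# Android permissions behind the capabilities the article lists.
RISK_NOTES = {
    "android.permission.GET_TASKS": "sees which apps are running",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modifies or deletes stored files",
    "android.permission.INTERNET": "can send data off the device",
    "android.permission.ACCESS_FINE_LOCATION": "precise GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_CONTACTS": "reads the address book",
}
# Personal-data permissions; combined with INTERNET the data can leave the phone.
SENSITIVE = {"android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION",
             "android.permission.READ_CONTACTS"}

# Constructed sample manifest (hypothetical package), not taken from a real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <uses-permission-sdk-23 android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {el.get(ANDROID_NS + "name") for t in tags for el in root.iter(t)} - {None}

def audit(manifest_xml, baseline=BASELINE):
    """Return (excess permissions with reasons, whether personal data can leave)."""
    excess = sorted(requested_permissions(manifest_xml) - baseline)
    findings = [(p, RISK_NOTES.get(p, "unexplained for a torch; review")) for p in excess]
    can_exfiltrate = "android.permission.INTERNET" in excess and bool(SENSITIVE & set(excess))
    return findings, can_exfiltrate

if __name__ == "__main__":
    findings, can_exfiltrate = audit(SAMPLE_MANIFEST)
    for perm, why in findings:
        print(f"EXCESS  {perm}: {why}")
    print("personal data + network access:", can_exfiltrate)
```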
With over 80% of the cell phone market using some version of the Android operating system, Android phones are particularly fertile ground for cyber-criminals. Yet even cell phone OSes that have earned a reputation for being more resistant to malware are vulnerable.
Here are some suggestions for protecting yourself from cellphone malware:
What about that flashlight app on your cell phone? If you installed it from an Internet download and aren’t 100% sure of its integrity and limited functionality, remove it. Even that might not clear up malware that got onto your phone when you installed the flashlight, and the safest course of action is to save your essential data – the contacts and files you’re sure aren’t infected – then reset the phone to its factory state before restoring the data.
And the next time you visit Hardware Hank, check out their real flashlights.