Let’s Shed Some Light on this Malware

ClearPath Forward | 5 minutes read | Nov 20th, 2014

It’s dark and you’ve dropped your keys someplace in the car. The overhead light doesn’t illuminate all the nooks and crannies, so you get out your cell phone and turn on the flashlight app. How convenient for you! And how convenient for the unseen recipients of your GPS coordinates, contacts, and other information the app sends from your cell phone.

You’re not alone in your exposure to this information theft. An estimated half a billion cell phone users have installed flashlight apps that do much more than shine a light.

If you paid attention to the size of the app you installed, you might have wondered why it was over 1 MB in size, when an app that merely turns the light on or off can be less than 1/10 that size. Perhaps the answer was buried in the permissions list you saw when you installed the app – the box that said that in order to work, the app needed to look at everything running on your phone, read and even delete things from your phone, contact people over the Internet, geolocate you, and lots more. However, you didn’t get suspicious enough to hit “Cancel” before installing the app.

If you’ve looked into the spy apps for “watching over your kids, preventing theft, and supervising your employees’ performance”, then you know that an app running on a cell phone can report text messages, calls, photos, browser history, locations, and just about anything else on the phone to a remote monitor. The only tricky part is that you need access to the monitored device for 10-15 minutes to install the app, which then hides itself and so can’t be seen by the phone’s user.

Now suppose you want to monitor someone through his or her cell phone, but you don’t have access to the phone, or they’ve locked it and haven’t told you the unlock code. How can you get the spyware installed? Hmmmm. Aha! How about embedding it in a free app that they just can’t resist – or to add some irony, how about charging them 99 cents for the privilege of installing a spyware-laden app? Then if you can get a few million people to install it, you don’t need a very high hit rate of messages with useful information like bank accounts and credit card numbers to turn a profit on your cybersnooping endeavor. Needless to say, you won’t need to pore through the data yourself; that’s what computers are for.

The Federal Trade Commission’s lawsuit against the developer of the app “Brightest Flashlight”, one of the most popular flashlight apps for Android phones, sheds some light on the tactics used by apps that collect data to be shared with third parties.

But “Brightest Flashlight” is not unique. SnoopWall tested the 10 most popular Android flashlight apps on various smartphones and tablets and found that all of them access data they don’t need for turning a light on and off. Their report, SnoopWall Flashlight Apps Threat Assessment Report, includes these chilling comments: “Some appear specifically designed to collect and expose your personal information to cybercriminals or other nation states. In addition, you are at significant risk if you are doing mobile banking on the same device as one of these free flashlight apps.”

With over 80% of the cell phone market running some version of the Android operating system, Android phones are particularly fertile ground for cyber-criminals. Yet even cell phone OSes that have earned a reputation for being more resistant to malware are vulnerable.

Here are some suggestions for protecting yourself from cellphone malware:

  1. Buy from legitimate app stores. The major vendors try – but unfortunately with only modest success – to keep malware off their sites.
  2. Pay attention to the list of permissions an app claims it needs, and don’t install it if the list is too intrusive. Most apps shouldn’t need access to the microphone, location information, camera, etc.
  3. Read the reviews from previous users, especially the one star reviews; a developer whose app gets poor reviews might have concentrated more on harvesting your information than implementing the purported intent of the app.
  4. Install virus protection and other anti-malware software on your cell phone, but choose apps that don’t present any of the red flags mentioned above.
  5. Turn off automatic updates. This gives you full control of installing updates that might include additional permissions that weren’t in the original product delivery.
  6. Check the permissions of apps you already have installed on your phone. From the Settings menu, select Apps or Application manager, select each app, and scroll down to the Permissions section. If you find the app has permissions it shouldn’t need, remove it.
  7. Then for defense in depth, on the chance that somehow intrusive malware might make its way to your cell phone, turn off features until you need them – GPS, Near Field Communications, S Beam, screen mirroring, Bluetooth, etc.
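
The permission review in suggestions 2 and 6 can also be done mechanically. The following is an added example, not part of the original article: it reads the `uses-permission` entries from a decoded `AndroidManifest.xml` and reports everything beyond what a light-only app needs. The baseline set, the category labels and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: what a torch-only app plausibly needs (camera LED, keeping the screen on).
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT",
                       "android.permission.WAKE_LOCK"}

# Permissions covering the kinds of data the article names; the labels are illustrative.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.GET_TASKS": "running apps",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify/delete storage",
    "android.permission.INTERNET": "network",
}

def declared_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")} - {None}

def audit(manifest_xml, baseline=FLASHLIGHT_BASELINE):
    """Compare declared permissions with the baseline and classify the excess."""
    extra = declared_permissions(manifest_xml) - baseline
    flagged = sorted((SENSITIVE[p], p) for p in extra if p in SENSITIVE)
    unreviewed = sorted(p for p in extra if p not in SENSITIVE)
    # Network access combined with any personal-data permission lets data leave the phone.
    has_data = any(category != "network" for category, _ in flagged)
    can_send = "android.permission.INTERNET" in extra and has_data
    return {"flagged": flagged, "unreviewed": unreviewed, "can_send_data": can_send}

# Constructed sample manifest for a hypothetical flashlight app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>"""

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    for category, name in report["flagged"]:
        print(f"not needed for a flashlight: {name} ({category})")
    print("unreviewed:", report["unreviewed"], "| can send data:", report["can_send_data"])
```
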

What about that flashlight app on your cell phone? If you installed it from an Internet download and aren’t 100% sure of its integrity and limited functionality, remove it. Even that might not clear up malware that might have gotten onto your phone when you installed the flashlight, and the safest course of action is to save your essential data – the contacts and files you’re sure aren’t infected – then return the phone to a factory reset state before restoring the data.

And the next time you visit Hardware Hank, check out their real flashlights.
