We have already seen that Google Play is not a completely safe store, despite what Google has said. Several times the company has had to remove applications containing malware that hundreds of thousands of users had downloaded. Several of these supposedly free apps, in addition to displaying advertising, sold their users' data.
One of the most notorious cases was that of the application Bright Flashlight (GoldenShores Technologies LLC), which allegedly shared the location and ID of millions of devices, according to the Federal Trade Commission of the United States. At the time, the privacy firm Snoopwall also published a study stating that the majority of flashlight applications available on Google Play can be, and surely are, stealing data from every phone where they are installed, including photos and videos.
Permissions required by some Flashlight mobile apps, according to SnoopWall.com
To find out if a Google Play app is dangerous, one of the most important things to look at is the app's permissions. Before Android 6, this was very easy to see: before installing an application from the Play Store, you could see all the permissions that the app required. By accepting the installation, you were granting all those permissions.
Permissions for some flashlight apps that were popular on Google Play, with 5 and 10 million downloads each.
Note the difference between the permissions required by the Tiny Flashlight application (which is quite complete when it comes to flashlight functions) compared to other applications. These other applications can access various things on the phone, including multimedia content such as photos and videos of the user. For what reason should they access this data?
The most logical thing is that a flashlight application only requests access to the flash (in the worst case to the camera / microphone of the phone, as is the case with Tiny Flashlight). But as you can see, several of these applications invade other areas of the phone that have nothing to do with activating and deactivating the flash.
Certainly, many Android applications obtain, without the need for user consent, "abstract" data such as device ID or application history. However, they shouldn't have permission to read your device's storage if they don't need it. By obtaining it, you are giving them access to your photos or videos. That's exactly what such permission allows:
Photos / Media / Files
Use one or more of the following: the device's external storage or the device's files, such as images, videos, and audio files.
From Android 6 onwards
Fortunately, Android 6 forced apps to request permissions individually after being installed. In this case, once you install a flashlight application, if it asks for permission to access the storage, you can deny that permission and grant access to the camera only, to make use of the flash. Obviously, if an app that does not need to view your files asks for that access without a convincing explanation of the reason, it is not one that you should have installed.
Sure, this doesn't just happen with flashlight apps like the ones cited here. It also happens with many applications on Google Play that, in exchange for offering a free service, make money in other ways. For example, several weeks ago I came across a calculator application that required as many permissions as those requested by the applications listed here. To this day, I'm still waiting for an explanation from the developer about why that simple calculator required access to my photos and videos, as well as other information on my phone.
The best thing you can do when you come across such an app is to uninstall it. You will generally find alternatives. Fortunately, current Android systems already come with their own flashlight, calculator and many basic tools, so there is no need to install additional apps for them. However, you should always check the permissions requested by any application that you install from Google Play, and try to use applications from developers you know or trust. Even when an app requests only legitimate permissions, you cannot know what the code behind it is doing, and we already know that Google is not very good at detecting malicious apps.
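To apply this check to an app already on your phone, here is an added example (not part of the original article) that reads the permission sections of `adb shell dumpsys package` output and lists what a flashlight app requests beyond the flash, and which of those are currently granted. The package name, the sample dump and the `EXPECTED` allowlist are constructed assumptions.

```python
import re
# Assumption: a flashlight needs nothing beyond the camera flash.
EXPECTED = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}
# Constructed sample laid out like `adb shell dumpsys package <pkg>` output.
SAMPLE = """\
Package [com.example.flashlight] (1a2b3c):
  requested permissions:
    android.permission.CAMERA
    android.permission.READ_EXTERNAL_STORAGE
    android.permission.ACCESS_FINE_LOCATION
    android.permission.INTERNET
  install permissions:
    android.permission.INTERNET: granted=true
  User 0: ceDataInode=1234 installed=true hidden=false
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""
PERM_LINE = re.compile(r"([\w.]+)(?::\s*granted=(true|false)\b.*)?")

def parse_permissions(dump):
    """Return (requested, granted) permission sets from dumpsys text."""
    requested, granted, section = set(), set(), None
    for raw in dump.splitlines():
        line = raw.strip()
        if line.endswith("permissions:"):
            section = line.split()[0]  # requested / install / runtime
            continue
        m = PERM_LINE.fullmatch(line)
        if section is None or not m:
            section = None  # any other line ends the current section
            continue
        name, state = m.groups()
        if section == "requested":
            requested.add(name)
        elif state == "true":
            granted.add(name)
    return requested, granted

def audit(dump, expected=EXPECTED):
    """List permissions outside `expected`, and which of those are granted."""
    requested, granted = parse_permissions(dump)
    unexpected = requested - expected
    return {"unexpected": sorted(unexpected),
            "unexpected_granted": sorted(unexpected & granted)}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a real device, pass it the text printed by `adb shell dumpsys package <package-name>`; the section layout differs between Android versions, so treat the parser as a starting point.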