David Papp Blog

Security expert says 500 million android phones are infected due to flashlight apps

Alarming information has been brought forward this month that the top 10 flashlight apps on Google Play store are malware. Gary Miliefsky, CEO of Snoopwall, estimates over half a billion Android devices globally are unknowingly infected and sending personal information to China, India, and Russia.

Gary goes on further to say the only way you can be sure to uninfect your Android device is with a full factory reset. Apple iOS users are safe from this issue. Here is a link to the Snoopwall Flashlight Apps Threat Assessment Report. The report goes on to list these flashlight apps:

  • Super-Bright LED Flashlight
  • Brightest Flashlight Free
  • Tiny Flashlight + LED
  • Flashlight (x2)
  • Brightest LED Flashlight
  • Color Flashlight
  • High-Powered Flashlight
  • Flashlight HD LED
  • Flashlight: LED Torch Light

Even though they are the top downloads, they are all acting in a malicious way. He was tipped off when he kept wondering why a flashlight app would activate his GPS and access his contact list.

This has been reported by people to the FTC. The number 2 flashlight app (Brightest Flashlight by GoldenShores Technologies) was recently sued by the FTC and they settled. They had over 50 million downloads at the time. The problem is people are blindly accepting anything the apps ask for access to your phone and they were too trusting because it was one of the top apps with so many downloads.

Their recommendations are to:

  • Disable GPS except when needed
  • Disable NFC
  • Disable Bluetooth
  • Verify app permissions before installing
  • Put tape over your camera & microphone


45 thoughts on “Security expert says 500 million android phones are infected due to flashlight apps”

  1. I am glad I never downloaded this app but it does make me worry what other apps I have that might be doing the same type of sneaky behavior. I wish there was some sort of test process the apps had to clear before going into the store.

    • I’m thinking the same thing right now. I’m especially concerned since I downloaded the app from the Google Play store, and by my understanding, I believe I heard that all the apps in the store are checked thoroughly by Google. So I don’t understand how this massive threat occurred on their watch.

    • Same here… do not have any of those flash light apps, but I don’t really notice the permissions that often or pay attention to whatever permissions they request… and now I don’t know.

      I agree with you in terms of Google making a test for the Play Store, as, in my opinion, they should have done already. For what we know, maybe even up to a 1/3 of the apps have the ability to be malicious.

      • There is an option to allow the installation of non-Market applications. If you check this box there is no telling what you will get when you download an app. Perhaps this is how the flashlight app and others like it are affecting so many phones.

  2. Good to know. I think we have to be increasingly careful with sending personal information via our cell phones. I have a friend who had some information stolen this way. Like many of us, she had installed more protective ware on her computer than on her cell phone. Because of habit, it was natural for her to be more cautious on her computer than on her cell.

  3. Oh wow, I am elated to find out that the flashlight app I use is not listed! Although, this shouldn’t be a problem at all. Why hasn’t Google went through the source code of these apps looking for malicious code, and then removing them whenever they find it?

    The average user won’t know how to tell the difference between a flashlight app with viruses, and one without, so it is Google’s job to make sure that all apps on the Play store are safe for use.

    • My same thought. I can’t believe they don’t seem to bother to do that, after all it’s their darn job! A lot people are surely infected by now and will have no choice that doing a full factory reset. Now I’ll double think before downloading anything, since now I’m fully aware you can find malware even at the play store! Not cool at all!

      • Seriously, it is their job to do this. By not making sure that the most popular apps on their market are safe, they are endangering the consumers. This has actually made me contemplate moving to iOS, because of how much better (although still not perfect) their security system it.

  4. This is alarming news! I am a victim of silent malicious activity on my phone, seeing that I have downloaded one of the flashlight apps that I resort to when I need to shine a light in the darkness. How could they be so sneaky and sniveling like that to take advantage of the trust of users? I don’t know what I’m going to do. I just got my computer fixed today and then this bad news is what I hear about my phone. Funny thing is, my step dad and I experienced a glitch in our contacts, where some contacts would just disappear out out of the blue. I think I finally have the answer for that. Wow.

  5. I’m actually kinda worried after reading this! I might ask my SO to perform a factory rest on my Android, because just a few days after I got this phone (as a gift from him), I downloaded one of those apps. I can’t believe the idiots from the play store can’t make sure the apps they offer aren’t malware. A lot clueless users like myself download them thinking the play store would never put them at risk.

  6. Seriously?! That’s really quite scary. Something as innocuous as a flashlight is just another malware angle.

    One of my criteria for choosing apps was to go down a ‘best of breed’ route – i.e. go for the most popular apps in its class. It’s not scientific but I figured that if it was good enough for the masses, it’s good enough for me as others would have filtered out the rogues. Clearly I need to revise my approach.

  7. In virtually every piece of decision regarding apps and software download we encounter the problem of making decisions that might affect our mood for the day. These moves, transitions some call them, toward newer ways of doing things were a bit counter productive. Not because they were directly hindering productivity, but because their future implications might require changing our speed.

  8. A flashlight app is so practical, who’d expect to be in any harm by downloading so simple. I used to use brightest flashlight and I loved the app, but just like so many others I didn’t read the permissions. That’s just nuts, of all things a flashlight app. So when I’m using my flashlight on my phone, something is snooping around. I’m gonna be very skeptical of new companies and free apps now.

  9. This is pretty nefarious, but I honestly wish that Android permissions would work like iOS permissions, where when something new is requested, instead of having it all waived at the install screen, it inquires the user first. So if an app wants to use the camera, ask the user first. If an app wants access to the gallery, ask the user. The only problem with managing these permissions is because Android is basically Linux, and Linux doesn’t handle permissions on a per-case basis. You either give an application all permissions or no permissions.

  10. Wow, this is pretty disturbing. I did not download this app on my phone, but I know of countless other people who did. Generally I think that it is very important that you look at what permissions the app requires when you download it. It is best if the app requires no special permissions at all. It is for the same reason that I stay away from most phone games, which require plenty of permissions – you never know what the app might want with them.

  11. My heart skipped a beat when I read this. I have the Brightest Flashlight Free app. I have also always wondered why whenever I go to ‘Manage Apps’ it has taken up a lot of space on the phone due to collecting unnecessary information. I always clear everything including cache such that when I click on it again I have to ‘Accept Terms’ afresh.

  12. I read the report – there doesn’t seem to be any mention of sending info to China, Russia or India in it.
    Additionally, I gotta wonder – the report lists the permissions that the app requires, not what it actually does do. While it is certainly suspect to see a flashlight app require access to, say, the webcam, that doesn’t necessarily indicate that it is using it for spying purposes.

    I’m sure there’s something fishy going on, but let’s not jump to conclusions, especially about “cybercrime” and spying by state entities. Realistically, they’re probably selling this stuff to advertisers and spammers.

    The report talks about predators using the GPS on a phone to track children – seems like a stretch. It’s certainly possible, but it kind of smells like a scare tactic.

    I’m all for security, and I certainly don’t think we ought to be installing flashlight apps with ridiculous permissions, but let’s try not to spread the FUD here.

    • The thing I find more surprising is that snoopwall, the publisher of the report, sells a competing flashlight app that is supposedly focused on privacy. It seems to be that this is a classical attempt of smearing the competition in order to drive more traffic to their own products.

      We saw (and continue to see) it in the malware removal space with stellar products like “PC Cleaner 2014”, we saw it happen to browser extensions, and we’ll continue seeing it develop in the app world.

  13. Imagine that. I’m sure that’s not the only app that is actually malware or spyware. You really have to be vigilant now a days, information is the hundreds of millions are constantly at risk. Most phones have settings for apps that allow you to manage permissions for your apps (which I’m gonna look at my self after this comment post). If you wanna look further, you can always do a quick Google search on the app developer and you might uncover some good to know information.

  14. This is indeed alarming. To think that an innocent looking app can hide something sinister. Should there me additional security before the apps can be put on sale at the play store? I guess if the flashlight app asks access to your phone, then it should signal alarms.

  15. It sounds like the app was pirated, and their tags or labels do not correspond to the right word. The exact, precise function of the app is working, but it is doubling as a malware. It’s a wonder that the app was most downloaded.

  16. Wow, I never knew. Thank God I switched to iPhone 6 recently, no wonder I always felt something was wrong with my android! Too bad I dispoed it off though, I could’ve kept it and optimized it’s functioning instead of being pissed off.

  17. It’s true, I had downloaded the Brightest LED Flashlight quite a long time ago when I was out walking a trail in the woods at night and I swear that my phone has been acting up ever since then. Also, thanks for the suggestions on how to handle the problem because I won’t be able to buy a new phone for a while and my current phone is acting wonky. I’ll try out the solutions and hopefully my phone will stop malfunctioning and popping up random adds.

  18. I am so glad that I am an iPhone user. I do not have to worry about downloading any flashlight app thankfully. There are lists of apps that we may not know about that has some sneaky business going in with them.

  19. Wow, who would’ve thought. I don’t really use flashlight apps because I think they’re really stupid but I know a lot of people who download these kinds of apps just for the giggles and the notion that “it might come in handy someday”. It’s nice to know that these attacks take on these forms.

  20. That is downright scary. I am so grateful I do not have an android device at this time. It seems like hackers are getting more and more creative in finding ways to access personal information and steal identity. I will really think twice before I download another app and definitely pay attention to what it wants access too. You can’t be too careful.

  21. That’s interesting, and I commend you for taking the time to announce this. I am safe because I have an iPhone, however I use the torch app built into iOS daily. I cannot live without a torch now, so I can understand so many people have these apps.
    Is there no free torch app built into driod?

  22. I’m not a fan of these kinds of apps and I’m glad I’m not. And to be honest, they’re pretty much useless in a way, I mean you can just crack up your phones brightness, set it up a few seconds before the screen goes off and that’s it. It’s not like you’re going to use it every time.

    • Some people really like those apps. Maybe their just too lazy to do that and besides, it’s much more convenient in a way, but I agree with you they’re pretty much a waste. I don’t know why someone would be willing to pay a dime for those apps.

  23. This is really scary and really clever in a way. I mean, this kind of flashlight app is as innocent as it can get and many people might not even think about security when installing these apps. That’s one problem with people these days, they’re very impatient and they just tap ‘Agree’ blindly without even bothering to just skim through to what they’re agreeing to.

  24. Oh my goodness!!! This is terrifying news. I had a high level of trust in the flashlight app I downloaded because it was so highly recommended and had so many happy users…but the one I use is in this list. Luckily I always keep my gps and bluetooth off, but I use my camera and mic daily! I’m performing a factory reset on my phone as we speak, I don’t want to risk any more of my information being leaked.

  25. This doesn’t surprise me much at all. You have to wonder why an app that turns your mobile into a flashlight needs all those permissions and why. If there is ever a list of ‘safe’ alternative apps somewhere on the net, then I will gladly delete most of the malware apps off my mobile and install those.

  26. It must really suck to get your entire phone infected through such a simple app. I know Linux systems don’t have as many vulnerabilities (that we know of) compared to Windows, but with Android being the super popular OS it is, we should expect to see more problems coming along with it. Hope I don’t get this problem on my phone…

  27. An app so innocent can contain malware. I’m surprised it even got on the play store because they scan it twice before they let it into the public. The app was so useful but I reluctantly uninstalled it. I wonder what other apps could be infected on my phone because my antivirus didn’t catch this one, and I paid for the premium security.

  28. I’m worried about this now. I have the first app on the list for like 6 months now, I haven’t noticed any suspicious activity, but now that I check what the app needs access to, it shows Camera/Microphone, should I be worried? What I don’t understand is how come these apps are still available in the app store? Is there not enough prove to remove them?

  29. Although I rarely check permissions, thinking about it now, I probably should. In fact, one of my other apps could be malicious, and I don’t even know it.
    Sadly, I’m probably going to have to do a factory reset soon. But I really appreciate this post, David. I’m also really glad I found this blog so that I would be informed of this, but I still can’t believe Google allowed this to happen while the iTunes store is still fine.

  30. That is some alarming news here!

    I am not really fond of the other apps, but I do download from the legitimate vendors. I was fortunate enough to get one of the apps which was ad-free in past, but I should reconsider keeping it with me it seems! 🙁

  31. Terrifying in the fact that you would have countless people downloading these apps on a daily basis, and not suspecting in the least that a flashlight app would be the culprit. People should be more cautious to download the more well known apps however.

  32. I had to go check my phone to find the exact name of the flashlight app I have. Fortunately, I do not have any of the ones on that list. I did notice that the one I have has permission to take pictures and videos. I didn’t even realize I gave this app permission to take pictures and video. I have deleted the app and will most likely stay away from any of the flashlight apps from now on. I have been extra careful recently about the permission I give apps when installing them on my phone. I’ve had this flashlight app for years! This is information I have to share with my friends and family! Thanks.

  33. This is frightening, to say the least. A phone a just bought a couple months ago, came with a flashlight widget. The “Super-Bright LED Flashlight”. When I learned of this whole scandal, I deleted it right away.. But it still scares me that I could have something in my phone, lurking around and stealing information. I really don’t want to do a complete factory reset–just keeping my fingers crossed that I’m safe, I guess!

  34. I KNEW IT. I knew these flashlight apps were scams.

    I mean in all reality, how would the flashlight app help affect the phone’s factory setting for brightness, to do that, you probably need access to the entire phone’s main roots. It never made sense to me why people downloaded them, I felt as the flashlights on our phone’s were perfectly fine, but it just goes to show how a simple decoy can be so malicious.

    I am still boggled on how android doesn’t approve their apps, or verify them. I don’t care if it takes an extra 7 days for apple to approve the app, as long as my phone is safe. I cannot imagine the information leaked too, if they did require access to the mainframe roots of the phone that could hack into apps like PayPal or Bank apps themselves and just input information to give themselves money!

    An entire factory reset is required too, that is scary.

  35. Thankfully this problem is easy to be solved now with Lollipop including a Flashlight in the default operating system. No more need for a third party application. I never use the feature though, I am afraid that it will wear out my flash.

  36. Well I’m glad I never downloaded a standalone flashlight app, I can just use the one my launcher provides. That being said, I disable those wireless features which I don’t use anyways. However, the report would be more trustworthy if it were written by independent reviewers…as Snoopwall also have their own flashlight app product…

  37. This is indeed a very plausible scenario. I remember when I first got the first ever samsung galaxy flagship, flashlight apps were among the first apps on the app store. They were very popular because phone developer didn’t even think of putting a stock app to control the built-in LED in the phones. It was a great oversight if you ask me.

  38. This is some shady behaviour from these top apps. I’m glad I didn’t install them. I’m also on iOS so it wouldn’t have affected me, even if I did install those apps. I do think my Mom’s cell phone has one of those apps though. If you installed those apps in 2015, will there be malware?

Comments are closed.