12 Most Abused Android App Permissions

October 22, 2013

Android apps need permissions in order to work. However, cybercriminals can exploit them for their personal gain. Here are some of the most commonly requested permissions, and how they’re abused.

1. Network-based Location

What it’s for: It allows apps to retrieve an approximate location through network-based location sources like cell sites and Wi-Fi. App developers can use it to gain profit from location-based ads.

How it can be abused: Malicious apps use it to launch location-based attacks or malware. For example, cybercriminals can direct Russia-based mobile users to malicious Russian language sites.

Apps that need this permission: location apps, check-in apps

2. GPS Location

What it’s for: It grants apps access to your exact location through the Global Positioning System (GPS) and other location sources like cell sites and Wi-Fi. Like network-based location, GPS location can also be used by app developers to gain profit from location-based ads.

How it can be abused: Malicious apps use it to load location-based attacks or malware.

Apps that need this permission: location apps, check-in apps, social media apps

3. View Network State

What it’s for: It allows apps to check for cellular network connections, including Wi-Fi. Apps require network connectivity to download updates or connect to a server or site.

How it can be abused: Malicious apps use it to spot available network connections so they can perform other routines, like downloading other malware or sending text messages. Malicious apps can switch on these connections without your knowledge, draining your battery and adding to data charges.

Apps that need this permission: location apps, check-in apps, social media apps

4. View Wi-Fi State

What it’s for: It gives apps access to Wi-Fi network information, such as the list of configured networks and the current active Wi-Fi network.

How it can be abused: Cybercriminals take advantage of device bugs to steal Wi-Fi passwords and hack into the networks you use.

Apps that need this permission: browser apps, communication apps

5. Retrieve Running Apps

What it’s for: It lets apps identify currently or recently running tasks and the processes running for each one.

How it can be abused: Cybercriminals use this to steal information from other running apps. They can also check for and “kill” security apps.

Apps that need this permission: task killer apps, battery monitoring apps, security apps

6. Full Internet Access

What it’s for: This allows apps to connect to the Internet.

How it can be abused: Malicious apps use the Internet to communicate with their command centers or download updates and additional malware.

Apps that need this permission: browser apps, gaming apps, communication apps, productivity apps

7. Read Phone State and Identity

What it’s for: It lets apps know if you’re taking calls or are connected to a network. It also gives them access to information such as your phone number, International Mobile Equipment Identity (IMEI) number, and other identifying information. Apps often use this to identify users without requiring more sensitive information.

How it can be abused: Information-stealing malicious apps often target device and phone information.

Apps that need this permission: mobile payment apps, gaming apps, audio and video apps

8. Automatically Start at Boot

What it’s for: Apps use this to tell the OS to run the application every time you start your device.

How it can be abused: Malicious apps use this to automatically run at every boot.

Apps that need this permission: task killer apps, battery monitoring apps, security apps

9. Control Vibrator

What it’s for: This gives apps access to your device’s vibrator function.

How it can be abused: Malicious apps use it to stop vibrations that would otherwise alert you to premium service notifications or verification text messages before the malicious app can intercept them.

Apps that need this permission: communication apps, gaming apps

10. Prevent From Sleeping

What it’s for: It keeps the processor from sleeping or the screen from dimming.

How it can be abused: Malicious apps use this to prevent phones from going into sleep mode, so they can continuously run malicious routines in the background. This can also lead to battery drainage.

Apps that need this permission: audio and video apps, gaming apps, browser apps

11. Modify/Delete SD Card Contents

What it’s for: This lets apps write on external storage, like SD cards.

How it can be abused: Cybercriminals use this to store copies of stolen information or save files onto your SD card before sending them to a command center. Malicious apps can also delete photos and other personal files on your SD card.

Apps that need this permission: camera apps, audio and video apps, document apps

12. Send SMS Messages

What it’s for: This allows apps to send text messages.

How it can be abused: Premium service abusers use this to send messages to premium numbers. This leaves you with unexpected charges. Cybercriminals can also use it to communicate with command centers.

Apps that need this permission: communication apps, social media apps
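
To put the list above to work when reviewing an app, the following added example (not part of the original article) reads a manifest that has already been decoded to text XML and reports which of the 12 permissions it requests that the article does not associate with that kind of app. The mapping from the article's labels to `android.permission.*` constants, the function names, and the sample manifest are this example's assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission constant -> (article label, app categories the article lists for it).
# The label-to-constant mapping is an assumption of this example.
ABUSED = {
    "ACCESS_COARSE_LOCATION": ("Network-based Location", {"location", "check-in"}),
    "ACCESS_FINE_LOCATION": ("GPS Location", {"location", "check-in", "social media"}),
    "ACCESS_NETWORK_STATE": ("View Network State", {"location", "check-in", "social media"}),
    "ACCESS_WIFI_STATE": ("View Wi-Fi State", {"browser", "communication"}),
    "GET_TASKS": ("Retrieve Running Apps", {"task killer", "battery monitoring", "security"}),
    "INTERNET": ("Full Internet Access", {"browser", "gaming", "communication", "productivity"}),
    "READ_PHONE_STATE": ("Read Phone State and Identity", {"mobile payment", "gaming", "audio and video"}),
    "RECEIVE_BOOT_COMPLETED": ("Automatically Start at Boot", {"task killer", "battery monitoring", "security"}),
    "VIBRATE": ("Control Vibrator", {"communication", "gaming"}),
    "WAKE_LOCK": ("Prevent From Sleeping", {"audio and video", "gaming", "browser"}),
    "WRITE_EXTERNAL_STORAGE": ("Modify/Delete SD Card Contents", {"camera", "audio and video", "document"}),
    "SEND_SMS": ("Send SMS Messages", {"communication", "social media"}),
}

def audit_manifest(manifest_xml, app_category):
    """Return (label, constant, expected) for each listed permission requested."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter("uses-permission"):
        name = elem.get(ANDROID_NS + "name", "")
        const = name.rsplit(".", 1)[-1]
        if name.startswith("android.permission.") and const in ABUSED:
            label, categories = ABUSED[const]
            findings.append((label, const, app_category in categories))
    return findings

def unexpected(manifest_xml, app_category):
    """Labels of requested permissions the article does not list for this category."""
    return [label for label, _, ok in audit_manifest(manifest_xml, app_category) if not ok]

# Constructed sample: decoded manifest of a hypothetical gaming app.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.puzzlegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    for label in unexpected(SAMPLE, "gaming"):
        print("review:", label)
```

A flagged permission is a prompt for review, not proof of malice; the category lists come straight from the "Apps that need this permission" lines above.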