Not Malware: Some Apps are Just…Well…Apps

When you work in the cybersecurity industry, friends and family often share with you spam emails that come through their inboxes, examples of potential malware and phishing links, and news articles about the latest cybercrime headline. I always welcome these emails as it gives those of us at CYREN a chance to analyze these threats and make sure the CYREN system is catching and blocking them. (We always are!)

A few weeks back a friend forwarded a link to a YouTube video from a major US network news studio featuring a “cybersecurity specialist” discussing malware that lurks in those free flashlight apps that you find in the various app stores. The email subject header read: “This is Scary: The top 10 mobile phone flashlight apps are actually malware/Trojans…”

My first reaction when I watched the video was “hmm, this seems like someone who is seeking a bit of publicity based on questionable data, mixed with some mistruths, and combined with fear, uncertainty, and doubt (FUD).” Being somewhat skeptical, I decided to do a little research on these so-called malware-ridden flashlight apps. (This “cybersecurity specialist” was also advocating the purchase their own flashlight app.)

First, the news video shows footage of iPhones and not Android devices. While iPhones are not exempt from malware attacks or fake apps, it is still somewhat unusual. However, Android is another story. There are plenty of fake apps out there that embed malware and ransomware on Android smart phones (although most of these come from outside Google’s Play Store). 

This “cybersecurity specialist” goes on to suggest that this situation is bigger than Ebola, since over 500 million phones are affected. Considering that there is yet to be a death from an Android malware app, I find this particular analogy a little offensive, but I digress.

Another overstatement from this “cybersecurity expert” was that the top ten flashlight apps that you can download from the Google Play store contain malware. Ok. Let’s stop the madness and look at the facts. In 2013, the U.S. Federal Trade Commission (FTC) settled a complaint with the creator of one flashlight app over its data collection policies. (The flashlight app itself was not malware, although there were concerns about how the application collected usage data.)

If you read the “threat report” issued by this “cybersecurity specialist” you’ll note that the report simply states that some flashlight apps “appear specifically designed to collect and expose your personal information to cybercriminals or other nation states…,”this statement being based solely on the fact that some of the apps were created by Chinese and Russian developers. This “threat report” did not, however, provide any evidence that the Chinese and Russians were, in fact, collecting all that information about you using your flashlight every time you’re walking your dog. (Did I mention that this “cybersecurity specialist” was promoting the purchase of their own flashlight app?)

What the original news network video failed to emphasize is that there are any number of apps out there that collect user data to sell to marketers and advertising companies; not just flashlight apps. Quite a few “free” apps, including games, productivity, and health apps use this technique. It seems “free” apps aren’t really free. And, while your usage data may be collected and sold by the app’s developer, that doesn’t make the app malware and it doesn’t mean that any harm is going to come to you or your family. If the amount of data collected by free apps bother you, then look for paid alternatives or apps that require fewer permissions. (Although there is no guarantee with paid apps that your data won’t still be collected for marketing purposes). Sometimes the apps made by large Internet companies are the best option (e.g. the stock Android flashlight widget or the Yahoo weather app).

It is worth noting that CYREN’s Android AntiVirus regularly detects adware, as well as Trojans and SMS-stealing malware. This (real) adware is quite aggressive though, popping up unwanted ads even when the original host app has been removed or is not running and making its own removal very difficult.

Ultimately, though, it pays to remember that sometimes an app is just an app.