Checking permissions is not a foolproof way of avoiding malware on Android
An article over at ZDNet practically makes fun of Android users for being stupid enough to install a wallpaper app whose permission list warns you that you are giving the app permission to use services that cost you money. While it's true that a wallpaper app shouldn't normally need that permission, the general idea that reading permissions alone will keep you safe is both wrong and potentially harmful in several ways.
Permissions on Android are a system that splits device features into categories so that apps have to ask for permission before using certain features. It's a necessity on an OS like Android, where an app can do far more than an iOS app can; an app can potentially sit in the background and send SMS messages all over the place. When installing an Android app, you are therefore asked whether you're OK with granting it certain permissions. In theory, you can judge whether an app has good intentions by checking for weird permissions, like a wallpaper app somehow needing permission to send SMS messages.
However, that is far from the whole truth. In reality, an unusual permission may have a perfectly valid explanation, even if it isn't obvious to the average user. For instance, many apps require internet access for license checks and/or ads. If you download an ad-supported app, that is your choice, rather than paying for an ad-free one. Those ads have to come from somewhere: the internet. Yet if a wallpaper app asks for internet access, the same logic used to reject an app that asks for SMS access could easily be wrongly applied to an app that simply needs to fetch the ads that pay for its existence. Likewise, a paid wallpaper app with a license check might be mistaken for malware simply because it needs to verify that you paid for it.
Another example is launchers. These very often require permission to make phone calls, which would make a lot of people jump two meters in the air thinking it's malware. Why on Earth would a launcher (home screen replacement) need to make phone calls? The answer is simple: many launchers let you add contacts to your home screen and call them by tapping the shortcut. To do that, the launcher needs permission to place calls, or those shortcuts wouldn't work. A simple, perfectly legitimate explanation, yet it has the potential to scare people for no reason if they are taught to always assume the worst when they see a peculiar permission.
Then there is the further complication of apps that have good reasons for asking for a permission but end up using it for something else. A permission is granted to the app as a whole, not for the purpose the app claims. If an app says it needs internet access for ads, it has internet access for everything else as well, like sitting in the background and eating up your data plan for the fun of it. A launcher that has the phone call permission so that contact shortcuts work could just as well start calling sex lines at times of day when you're likely asleep and not paying attention.
Keyboards are perhaps the scariest apps of all. When activating a third party keyboard, Android gives you a fairly scary warning that keyboards can record everything you type and rob you blind with that information. Well, duh, of course they can: they're apps that turn touch input into letters on the screen. Saving those letters and sending them off using the internet access you gave them for the license check is trivial. If the log shows you typed gmail.com, then your e-mail address, then mysecretpasswordispopcorn, it doesn't take a rocket scientist to end up in your Gmail account. The big keyboard apps out there won't do that, of course, but the warning is the same no matter what.
And what about flashlight apps? Flashlight apps need the camera permission, because the LED is "brilliantly" tied to camera operations. The permission list for a flashlight app that requires camera and internet access for LED control and ads respectively is identical to that of an app which pretends to be a flashlight app but is really taking pictures of you and uploading them to a pervert's personal stash.
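To make the launcher, keyboard and flashlight cases concrete, here is an added example (my own code, not from the original post or from any app mentioned in it) that reads the permissions declared in an Android manifest and compares them with what a given kind of app plausibly needs. The manifests, the package names and the per-category baseline are constructed for illustration; only the permission strings are real Android permission names. The point it demonstrates is the post's: a benign flashlight app and a spyware "flashlight" declare exactly the same permissions, so a permission check can flag the wallpaper app that asks for SEND_SMS but cannot tell the two flashlights apart.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed baseline (not an Android or Play Store list): permissions a benign
# app of each kind plausibly needs, following the reasoning in the post.
EXPECTED = {
    "wallpaper": {"android.permission.SET_WALLPAPER", "android.permission.INTERNET"},
    "launcher": {"android.permission.READ_CONTACTS", "android.permission.CALL_PHONE"},
    "flashlight": {"android.permission.CAMERA", "android.permission.INTERNET"},
}


def declared_permissions(manifest_xml):
    """Return the set of <uses-permission android:name="..."/> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get("{%s}name" % ANDROID_NS) for el in root.iter("uses-permission")}


def unexpected_permissions(manifest_xml, category):
    """Permissions declared beyond the assumed baseline for this app category."""
    return declared_permissions(manifest_xml) - EXPECTED[category]


def same_permission_set(manifest_a, manifest_b):
    """True when two manifests are indistinguishable by permissions alone."""
    return declared_permissions(manifest_a) == declared_permissions(manifest_b)


def manifest(package, *permissions):
    """Build a minimal constructed manifest for the examples below."""
    body = "".join(
        '  <uses-permission android:name="%s"/>\n' % p for p in permissions
    )
    return '<manifest xmlns:android="%s" package="%s">\n%s</manifest>' % (
        ANDROID_NS, package, body,
    )


# Constructed manifests; the package names are hypothetical.
BENIGN_FLASHLIGHT = manifest(
    "com.example.flashlight",
    "android.permission.CAMERA",    # needed to drive the LED
    "android.permission.INTERNET",  # needed to fetch ads
)
SPY_FLASHLIGHT = manifest(
    "com.example.notaflashlight",
    "android.permission.CAMERA",    # takes pictures of you
    "android.permission.INTERNET",  # uploads them
)
WALLPAPER_SMS = manifest(
    "com.example.wallpaper",
    "android.permission.SET_WALLPAPER",
    "android.permission.INTERNET",
    "android.permission.SEND_SMS",  # no plausible reason for a wallpaper app
)

if __name__ == "__main__":
    # The SMS-sending wallpaper is caught by a simple baseline comparison...
    print(unexpected_permissions(WALLPAPER_SMS, "wallpaper"))
    # ...but the benign and spying flashlights look identical.
    print(unexpected_permissions(BENIGN_FLASHLIGHT, "flashlight"))
    print(same_permission_set(BENIGN_FLASHLIGHT, SPY_FLASHLIGHT))
```

On a real APK the same permission list can be pulled with `aapt dump permissions app.apk` from the Android SDK build tools. Note what the check cannot do: it sees only what is declared, never how the permission is used at runtime, which is exactly the gap the paragraphs above describe.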
My point is that while the permission request shown when installing an app is invaluable in many cases, it's far from the obvious way of avoiding malware that some people would have you think it is. A wallpaper app shouldn't normally have SMS access, that's true, but not all cases are that black and white.
My advice is to use a broader set of indicators instead. An app with 10 million downloads and an average 4.5 star rating over the last two years is unlikely to be a scam. The same goes for an app that does something so ridiculously niche that it would be the world's least effective malware, because only about 50 people would ever need it. Free apps are also downloaded more than paid ones, which means malware is more likely to be free. Apps that slap an ugly UI on top of something tied to a popular theme, like a Justin Bieber wallpaper app, fit the profile of potential malware far better than most. Also remember that an app doesn't have to contain malware to be worth avoiding: pushing ads into the notification bar is more than annoying enough to justify avoiding an app, even if it isn't costing you money.