What if the Light Switch Demanded All Your Personal Information?

You want the lights turned on? We’ll just need access to your credit card numbers, and your PINs and passwords, and all other personal and corporate data, and your current physical location, and …

That sounds crazy, right? If all the light switches in the building worked that way, we would see a big run on the candle supply.

But this is what’s going on.

The Brightest Flashlight Free Android app, available in the Google Play online app store, contains malware labeled by Sophos as Andr/NewyearL-B and by Symantec as Android.Counterclank.

When you go to the Permissions list on the app’s page, you see that it needs to have access to the camera. Sure, that’s how it turns on the LED used as the flash. But keep reading. If you install this app, you also give it:

  • Your location, approximate (network-based) and precise (GPS-based).
  • Full network access, allowing it to create network sockets and use custom network protocols.
  • Access to phone features, determining the phone number and device IDs, whether a call is active, and the remote number connected by a call.
  • Permission to modify or delete the contents of USB storage and your SD card.
  • Permission to disable or modify the status bar, and to add and remove system icons.

All of this for a flashlight function?
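One way a BYOD review can automate the comparison above, as an added example that is not part of the original post: it reads an app's decoded AndroidManifest.xml and lists every requested permission beyond what a flashlight needs. The baseline, the mapping from the permission descriptions above to Android manifest names, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: the camera permission drives the LED used as the flash.
FLASHLIGHT_BASELINE = {"android.permission.CAMERA", "android.permission.FLASHLIGHT"}

# Manifest names (assumed mapping) for the items in the permission list above.
CONCERNS = {
    "android.permission.ACCESS_COARSE_LOCATION": "approximate (network-based) location",
    "android.permission.ACCESS_FINE_LOCATION": "precise (GPS-based) location",
    "android.permission.INTERNET": "full network access",
    "android.permission.READ_PHONE_STATE": "phone number, device IDs, call state",
    "android.permission.WRITE_EXTERNAL_STORAGE": "modify or delete USB storage / SD card",
    "android.permission.STATUS_BAR": "disable or modify the status bar",
}

# Constructed sample manifest in decoded XML form; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.STATUS_BAR"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {name for name in names if name}  # skip elements lacking android:name

def excess_permissions(manifest_xml, baseline=FLASHLIGHT_BASELINE):
    """Map each permission outside the baseline to the concern it raises."""
    excess = requested_permissions(manifest_xml) - baseline
    return {p: CONCERNS.get(p, "not in review table; inspect manually") for p in sorted(excess)}

if __name__ == "__main__":
    for perm, why in excess_permissions(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```
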

And despite all this, they supposedly have somehow managed to get between 10 and 50 million people to download and install this?

I am very suspicious of the numbers. Look at the surprisingly numerous 5-star reviews and see the strange misspellings and broken English. “Ive been had this app since i own a start phone” and so on. In the overview, notice the unusually constant high rate of downloads. I suspect that something, perhaps the app itself, automates further downloads to inflate apparent trustworthiness. Just consider the name of the app: it seems to be designed purely to match common search strings. Auto manufacturers never name a design the “Best Mileage Cheap”.

As we discuss in Learning Tree’s Cloud Security Essentials course, BYOD or Bring Your Own Device is happening. Deal with it, don’t deny it. But be aware of what can ride in on those devices.

I think that some people in management see BYOD as a magical money pot. “This is great! We can spend less buying and maintaining workstations because we can obligate our employees to buy and pay the monthly contract for their mobile devices!” But unless you put some effort (and therefore money, oh no!) into helping them secure those devices, who knows what may happen to your corporate data.

There are some good mobile device software packages, including several free ones from vendors like AVG, McAfee, Sophos, Symantec, and many more. In order to protect your data, you will have to help your users to protect themselves.

Bob Cromwell
