PorkChopSandwiches
10-01-2014, 05:09 PM
SNOOPWALL FLASHLIGHT APPS
THREAT ASSESSMENT REPORT
Summarized Privacy and Risk Analysis of Top 10 Android Flashlight Apps
by SnoopWall mobile security experts and the Privacy App scanner
October 1, 2014
Summary: We tested and installed the Top 10 Android Flashlight Apps on various smartphones and tablets. Windows and Apple iOS flashlights behave in a similar fashion, however, more restricted in their spying capabilities due to the hardened OS features of Windows 8.1RT and Apple iOS 7 & 8.
All of the applications below appear to obtain access and information way beyond the needs of a Flashlight. Some appear specifically designed to collect and expose your personal information to cybercriminals or other nation states. In addition, you are at significant risk if you are doing Mobile Banking on the same device as one of these free Flashlight Apps.
Our strong recommendation is to uninstall your flashlight app immediately.download-pdf-button
#1 https://lh6.ggpht.com/POKqqdaXjDqk-84U-3PjIRip78I_As54FGYMFKVu-T3t0OxuXdV7oslBIJjpXCEkQA8n=w300
Super-Bright LED Flashlight
Surpax Technology Inc.
Developer website link on
google play store leads to
driveby malware
4.9Mb install size
between 100m – 500m installs
Privacy risks:
retrieve running apps
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
receive data from Internet
control flashlight
change system display settings
modify system settings
prevent device from sleeping
view network connections
full network access
Developer Email: contact.android.surpax@gmail.com
Developer Website: MALWARE – DO NOT VISIT GOOGLE PLAY LINK
Developer Location: Unknown
#2 https://lh6.ggpht.com/oxdTH6PDCgkz-6TkodfJc6fK3-xFsz_voyqslO2blEbAP0pow8R32KlS4sTPWS4j3A=w300
Brightest Flashlight Free
GoldenShores Technologies, LLC
between100m – 500m installs
settled with FTC for privacy breaches
1.2Mb install size
Privacy risks:
approximate location (network-based)
precise location (GPS and network-based)
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
disable or modify status bar
read Home settings and shortcuts
control flashlight
prevent device from sleeping
view network connections
full network access
install shortcuts
uninstall shortcuts
Developer Email: BrightestFlashlightFree@gmail.com
Developer Website: http://www.goldenshorestechnologies.com/
Developer Location: Unknown
Lawsuit by FTC.gov: http://www.ftc.gov/news-events/press-releases/2014/04/ftc-approves-final-order-settling-charges-against-flashlight-app
#3 https://lh5.ggpht.com/4_-A8zC_-lzo1USVbGgq1lVMlS0jNUPFOR-n5dj1QsRS-O2vZOLEjRLy8c_0zdU3ELQD=w300
Tiny Flashlight + LED
Nikolay Ananie
1Mb install size
between 100m – 500m installs
Privacy risks:
take pictures and videos
control flashlight
prevent device from sleeping
control vibration
full network access
view network connections
Developer Email: support@tinyflashlight.com
Developer Website: http://tinyflashlight.com/
Developer Location: Unknown
#4 https://lh3.ggpht.com/55rHV8Yd3IExlM-jWf0ToFvsdiD-Ej2s52GXVKPaBMP-LjbAXl_07sqtzzScWxL2Vg=w300
Flashlight
Mobile Apps Inc
4.6Mb install size
between 1-5m installs
Privacy risks:
take pictures and videos
read Home settings and shortcuts
write Home settings and shortcuts
view network connections
full network access
disable your screen lock
prevent device from sleeping
install shortcuts
uninstall shortcuts
Developer Email: ay678890@gmail.com
Developer Website: Unknown
Developer Location: Unknown
#5 https://lh4.ggpht.com/jvPHDAvuFi4Z1am2d8I4SC4aMtpzisgrwAgtuzmumTPJD-WToSMSITbr41KDm5Gzd3Kv=w300
Flashlight
Crazy Softech
2.3Mb install size
between 100k – 500k installs
Privacy risks:
take pictures and videos
read phone status and identity
view network connections
full network access
read Google service configuration
Developer Email: sureshkumar996633@gmail.com
Developer Website: http://www.crazysoftech.com/
Developer Location: India
Located in Begumpet, Hyderabad
Andhrapradesh, India 500016
#6 https://lh5.ggpht.com/uP5COFQZiy6XTrMZbF_WwvDEUM4uAtTOorMW7WOoEVN15SY-r0sVc6FLdLHXyq5Ren0=w300
Brightest LED Flashlight
Intellectual Flame Co., Ltd.
6.0Mb install size
between 10-50m installs
Privacy risks:
retrieve running apps
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
receive data from Internet
control flashlight
change system display settings
modify system settings
prevent device from sleeping
view network connections
full network access
Developer Email: contact.android.if@gmail.com
Developer Website: http://d31e8vei1l16lv.cloudfront.net/websupport/index.htm
Developer Location: Unknown
#7 https://lh3.ggpht.com/65TascoxYOOHS2Wg4r__VcF1h2fS2dFEm8IcIebQlUZZ5XCxm3 F6pk4OXDoKe0h1-X8=w300
Color Flashlight
Notes
1.4Mb install size
between 10-50m installs
Privacy risks:
take pictures and videos
full network access
view network connections
control flashlight
Developer Email: flashlightsupport@socialnmobile.com
Developer Website: http://blog.socialnmobile.com/
Developer Location: Unknown
#8 https://lh5.ggpht.com/2zgUxyePBUvTo_Znbos5r8n1C5Qb3n8INQ-IIuVSbL5UEdIE4-7iZrtPyipAE-MHdgIR=w300
High-Powered Flashlight
iHandy Inc.
4.7M install size
between 5-10m installs
Privacy risks:
retrieve running apps
approximate location (network-based)
precise location (GPS and network-based)
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
receive data from Internet
control flashlight
change system display settings
modify system settings
view network connections
full network access
prevent device from sleeping
Developer Email: android@ihandysoft.com
Developer Website: http://www.ihandysoft.com/
Developer Location: Unknown
#9 https://lh5.ggpht.com/X-5qNJ5l2g_urCNFiBNMLt7PD7xnqrY4zY8UoD0ey4VGpK5DcnFs wYYZVQKI9MOh7XY=w300
Flashlight HD LED
smallte.ch
5.4Mb install size
between 50-100m installs
Privacy risks:
take pictures and videos
view Wi-Fi connections
full network access
view network connections
read Google service configuration
control flashlight
prevent device from sleeping
Developer Email: Unknown
Developer Website: http://www.smallte.ch/
Developer Location: support@smallte.ch
#10 https://lh6.ggpht.com/ZezDP_hMm8m2s6pTv5D0ugGAkNFcs7B3BK3qfxlD4iYbcO8_wy iplNIioJ4O6alLAco=w300
Flashlight: LED Torch Light
Mobile Apps Inc
Privacy risks:
take pictures and videos
read Home settings and shortcuts
write Home settings and shortcuts
view network connections
full network access
disable your screen lock
prevent device from sleeping
install shortcuts
uninstall shortcuts
Developer Email: ay678890@gmail.com
Developer Website: Unknown
Developer Location: Unknown
THREAT REPORT RECOMMENDATIONS
We’ve come up with a list of what we think are best practices for increasing privacy and security on your device without spending any money. This is based on SnoopWall’s counterveillance research for improving your privacy from eavesdroppers and helping you from getting infected with spyware that could cost you your identity. They are:
Disable your GPS at all time except in an emergency or when you need to use your smartphone for navigation purposes;
Disable your NFC (Near Field Communications) or on Apple devices, iBeacon, permanently (http://support.apple.com/kb/HT6048);
Disable Bluetooth at all times except when you are in your car, driving, if you want to have hands-free calls, if supported by your car;
Verify Apps behavior and privacy risk BEFORE installing – do some research and ask the questions “why does this app need GPS, MICROPHONE, WEBCAM, CONTACTS, etc.?” – most apps don’t need these ports unless they want to invade your privacy. Find an alternative before installing risky Apps;
Either put masking tape over your webcam and microphone when not in use or pull the battery out of your smartphone when you are not using it.
Obviously for #1, there’s no need for geolocating you, unless you don’t mind being spied upon by these malicious flashlight apps – or worse – your children’s location being monitored by online predators. Best to keep this hardware port disabled until you really need it.
For #2, you’re probably wondering “what the heck is NFC and why should I care?”. We’ll it’s a new protocol for ‘bumping’ or getting close to other devices, within 3 meters or so, to exchange information such as photos and contacts. Is it secure? No. Can it be hacked just like Bluetooth? Yes. Go into your device settings, find NFC, if you see it, disable it.
Ok, for #3, you’re thinking ‘that makes sense’ – Bluetooth is an easily hacked protocol and folks can eavesdrop on communications over Bluetooth; broadcast into your earpiece (yes, it’s been done); access your contacts list and hack your smartphone device over Bluetooth. So, if you disable this protocol everywhere except when you are in the car, wanting a hands free experience for making and receiving calls, you should be much more secure.
For #4, how many times do you install an app with excitement about promised features and functions, only to find that it requires incredible privacy risk? If it’s too good to be true it probably is and nothing in this world is free. There are 9 major advertisement networks and some deploy spyware. Free apps use these networks to monetize their businesses and some are developed by professional cyber criminals, enemy nation states for spying or by hackers for malicious reasons.
We really don’t like making recommendation #5 but until you try out our SnoopWall product, there’s really nothing you can do to block webcam and microphone eavesdropping, so why not make it hard for the bad guys to see or hear anything useful?
SOLUTION
Because some of the Flashlight Apps write settings and have access to your device storage, it may be to install additional backdoors or remote access Trojans (RATs), therefore you might need to reset your phone completely after an uninstall of your favorite Flashlight App. Some might even wish to go to FACTORY RESET or a WIPE. Once you’ve cleaned off the Flashlight RAT, you might still want a flashlight app on your phone that you can trust.
WARNING:Don’t reset or wipe without backing up ONLY those contacts and files you are certain to trust. If you do a complete device backup and restore, you risk also restoring malware. Ask a friend who is an expert with your kind of phone or the staff at the store you purchased your smartphone or tablet on how to do this the right way.
We developed the SnoopWall Privacy Flashlight for Google Android, Apple iOS and Microsoft Windows smartphones and tablets. The file size of the SnoopWall Privacy Flashlight application is approximately 72 kilobytes. It only accesses the light of the webcam and the screen display which is all a flashlight app should be doing anyway. Get it today at: http://privacyflashlight.snoopwall.com
We’ve also developed another free application called Privacy App which will scan your Android or Windows device and show you which apps are spying on you. If you have suspicions, confirm them with Privacy App. Learn more about our technology and products at: http://www.snoopwall.com/products/
THREAT ASSESSMENT REPORT
Summarized Privacy and Risk Analysis of Top 10 Android Flashlight Apps
by SnoopWall mobile security experts and the Privacy App scanner
October 1, 2014
Summary: We tested and installed the Top 10 Android Flashlight Apps on various smartphones and tablets. Windows and Apple iOS flashlights behave in a similar fashion, however, more restricted in their spying capabilities due to the hardened OS features of Windows 8.1RT and Apple iOS 7 & 8.
All of the applications below appear to obtain access and information way beyond the needs of a Flashlight. Some appear specifically designed to collect and expose your personal information to cybercriminals or other nation states. In addition, you are at significant risk if you are doing Mobile Banking on the same device as one of these free Flashlight Apps.
Our strong recommendation is to uninstall your flashlight app immediately.download-pdf-button
#1 https://lh6.ggpht.com/POKqqdaXjDqk-84U-3PjIRip78I_As54FGYMFKVu-T3t0OxuXdV7oslBIJjpXCEkQA8n=w300
Super-Bright LED Flashlight
Surpax Technology Inc.
Developer website link on
google play store leads to
driveby malware
4.9Mb install size
between 100m – 500m installs
Privacy risks:
retrieve running apps
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
receive data from Internet
control flashlight
change system display settings
modify system settings
prevent device from sleeping
view network connections
full network access
Developer Email: contact.android.surpax@gmail.com
Developer Website: MALWARE – DO NOT VISIT GOOGLE PLAY LINK
Developer Location: Unknown
#2 https://lh6.ggpht.com/oxdTH6PDCgkz-6TkodfJc6fK3-xFsz_voyqslO2blEbAP0pow8R32KlS4sTPWS4j3A=w300
Brightest Flashlight Free
GoldenShores Technologies, LLC
between100m – 500m installs
settled with FTC for privacy breaches
1.2Mb install size
Privacy risks:
approximate location (network-based)
precise location (GPS and network-based)
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
disable or modify status bar
read Home settings and shortcuts
control flashlight
prevent device from sleeping
view network connections
full network access
install shortcuts
uninstall shortcuts
Developer Email: BrightestFlashlightFree@gmail.com
Developer Website: http://www.goldenshorestechnologies.com/
Developer Location: Unknown
Lawsuit by FTC.gov: http://www.ftc.gov/news-events/press-releases/2014/04/ftc-approves-final-order-settling-charges-against-flashlight-app
#3 https://lh5.ggpht.com/4_-A8zC_-lzo1USVbGgq1lVMlS0jNUPFOR-n5dj1QsRS-O2vZOLEjRLy8c_0zdU3ELQD=w300
Tiny Flashlight + LED
Nikolay Ananie
1Mb install size
between 100m – 500m installs
Privacy risks:
take pictures and videos
control flashlight
prevent device from sleeping
control vibration
full network access
view network connections
Developer Email: support@tinyflashlight.com
Developer Website: http://tinyflashlight.com/
Developer Location: Unknown
#4 https://lh3.ggpht.com/55rHV8Yd3IExlM-jWf0ToFvsdiD-Ej2s52GXVKPaBMP-LjbAXl_07sqtzzScWxL2Vg=w300
Flashlight
Mobile Apps Inc
4.6Mb install size
between 1-5m installs
Privacy risks:
take pictures and videos
read Home settings and shortcuts
write Home settings and shortcuts
view network connections
full network access
disable your screen lock
prevent device from sleeping
install shortcuts
uninstall shortcuts
Developer Email: ay678890@gmail.com
Developer Website: Unknown
Developer Location: Unknown
#5 https://lh4.ggpht.com/jvPHDAvuFi4Z1am2d8I4SC4aMtpzisgrwAgtuzmumTPJD-WToSMSITbr41KDm5Gzd3Kv=w300
Flashlight
Crazy Softech
2.3Mb install size
between 100k – 500k installs
Privacy risks:
take pictures and videos
read phone status and identity
view network connections
full network access
read Google service configuration
Developer Email: sureshkumar996633@gmail.com
Developer Website: http://www.crazysoftech.com/
Developer Location: India
Located in Begumpet, Hyderabad
Andhrapradesh, India 500016
#6 https://lh5.ggpht.com/uP5COFQZiy6XTrMZbF_WwvDEUM4uAtTOorMW7WOoEVN15SY-r0sVc6FLdLHXyq5Ren0=w300
Brightest LED Flashlight
Intellectual Flame Co., Ltd.
6.0Mb install size
between 10-50m installs
Privacy risks:
retrieve running apps
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
receive data from Internet
control flashlight
change system display settings
modify system settings
prevent device from sleeping
view network connections
full network access
Developer Email: contact.android.if@gmail.com
Developer Website: http://d31e8vei1l16lv.cloudfront.net/websupport/index.htm
Developer Location: Unknown
#7 https://lh3.ggpht.com/65TascoxYOOHS2Wg4r__VcF1h2fS2dFEm8IcIebQlUZZ5XCxm3 F6pk4OXDoKe0h1-X8=w300
Color Flashlight
Notes
1.4Mb install size
between 10-50m installs
Privacy risks:
take pictures and videos
full network access
view network connections
control flashlight
Developer Email: flashlightsupport@socialnmobile.com
Developer Website: http://blog.socialnmobile.com/
Developer Location: Unknown
#8 https://lh5.ggpht.com/2zgUxyePBUvTo_Znbos5r8n1C5Qb3n8INQ-IIuVSbL5UEdIE4-7iZrtPyipAE-MHdgIR=w300
High-Powered Flashlight
iHandy Inc.
4.7M install size
between 5-10m installs
Privacy risks:
retrieve running apps
approximate location (network-based)
precise location (GPS and network-based)
modify or delete the contents of your USB storage
test access to protected storage
take pictures and videos
view Wi-Fi connections
read phone status and identity
receive data from Internet
control flashlight
change system display settings
modify system settings
view network connections
full network access
prevent device from sleeping
Developer Email: android@ihandysoft.com
Developer Website: http://www.ihandysoft.com/
Developer Location: Unknown
#9 https://lh5.ggpht.com/X-5qNJ5l2g_urCNFiBNMLt7PD7xnqrY4zY8UoD0ey4VGpK5DcnFs wYYZVQKI9MOh7XY=w300
Flashlight HD LED
smallte.ch
5.4Mb install size
between 50-100m installs
Privacy risks:
take pictures and videos
view Wi-Fi connections
full network access
view network connections
read Google service configuration
control flashlight
prevent device from sleeping
Developer Email: Unknown
Developer Website: http://www.smallte.ch/
Developer Location: support@smallte.ch
#10 https://lh6.ggpht.com/ZezDP_hMm8m2s6pTv5D0ugGAkNFcs7B3BK3qfxlD4iYbcO8_wy iplNIioJ4O6alLAco=w300
Flashlight: LED Torch Light
Mobile Apps Inc
Privacy risks:
take pictures and videos
read Home settings and shortcuts
write Home settings and shortcuts
view network connections
full network access
disable your screen lock
prevent device from sleeping
install shortcuts
uninstall shortcuts
Developer Email: ay678890@gmail.com
Developer Website: Unknown
Developer Location: Unknown
THREAT REPORT RECOMMENDATIONS
We’ve come up with a list of what we think are best practices for increasing privacy and security on your device without spending any money. This is based on SnoopWall’s counterveillance research for improving your privacy from eavesdroppers and helping you from getting infected with spyware that could cost you your identity. They are:
Disable your GPS at all time except in an emergency or when you need to use your smartphone for navigation purposes;
Disable your NFC (Near Field Communications) or on Apple devices, iBeacon, permanently (http://support.apple.com/kb/HT6048);
Disable Bluetooth at all times except when you are in your car, driving, if you want to have hands-free calls, if supported by your car;
Verify Apps behavior and privacy risk BEFORE installing – do some research and ask the questions “why does this app need GPS, MICROPHONE, WEBCAM, CONTACTS, etc.?” – most apps don’t need these ports unless they want to invade your privacy. Find an alternative before installing risky Apps;
Either put masking tape over your webcam and microphone when not in use or pull the battery out of your smartphone when you are not using it.
Obviously for #1, there’s no need for geolocating you, unless you don’t mind being spied upon by these malicious flashlight apps – or worse – your children’s location being monitored by online predators. Best to keep this hardware port disabled until you really need it.
For #2, you’re probably wondering “what the heck is NFC and why should I care?”. We’ll it’s a new protocol for ‘bumping’ or getting close to other devices, within 3 meters or so, to exchange information such as photos and contacts. Is it secure? No. Can it be hacked just like Bluetooth? Yes. Go into your device settings, find NFC, if you see it, disable it.
Ok, for #3, you’re thinking ‘that makes sense’ – Bluetooth is an easily hacked protocol and folks can eavesdrop on communications over Bluetooth; broadcast into your earpiece (yes, it’s been done); access your contacts list and hack your smartphone device over Bluetooth. So, if you disable this protocol everywhere except when you are in the car, wanting a hands free experience for making and receiving calls, you should be much more secure.
For #4, how many times do you install an app with excitement about promised features and functions, only to find that it requires incredible privacy risk? If it’s too good to be true it probably is and nothing in this world is free. There are 9 major advertisement networks and some deploy spyware. Free apps use these networks to monetize their businesses and some are developed by professional cyber criminals, enemy nation states for spying or by hackers for malicious reasons.
We really don’t like making recommendation #5 but until you try out our SnoopWall product, there’s really nothing you can do to block webcam and microphone eavesdropping, so why not make it hard for the bad guys to see or hear anything useful?
SOLUTION
Because some of the Flashlight Apps write settings and have access to your device storage, it may be to install additional backdoors or remote access Trojans (RATs), therefore you might need to reset your phone completely after an uninstall of your favorite Flashlight App. Some might even wish to go to FACTORY RESET or a WIPE. Once you’ve cleaned off the Flashlight RAT, you might still want a flashlight app on your phone that you can trust.
WARNING:Don’t reset or wipe without backing up ONLY those contacts and files you are certain to trust. If you do a complete device backup and restore, you risk also restoring malware. Ask a friend who is an expert with your kind of phone or the staff at the store you purchased your smartphone or tablet on how to do this the right way.
We developed the SnoopWall Privacy Flashlight for Google Android, Apple iOS and Microsoft Windows smartphones and tablets. The file size of the SnoopWall Privacy Flashlight application is approximately 72 kilobytes. It only accesses the light of the webcam and the screen display which is all a flashlight app should be doing anyway. Get it today at: http://privacyflashlight.snoopwall.com
We’ve also developed another free application called Privacy App which will scan your Android or Windows device and show you which apps are spying on you. If you have suspicions, confirm them with Privacy App. Learn more about our technology and products at: http://www.snoopwall.com/products/