If These Apps Are Still on Your Phone, Someone May Be Spying on You
Some of the most popular apps you love and have come to rely on could be posing more of a danger than they're worth. Here's what you need to know.
There’s an app for that…but should you use it?
We all love our cellphones and the millions of ways they connect us and make our lives easier. But some of those apps that you love and have come to rely on could actually be putting you at risk. While it’s easy to forget about the need for privacy in a world where everyone airs everything online, it’s important to remember that it takes very little information for someone to steal your identity and even hack into your banking accounts. We’ve collected information about some of the worst offenders so that you can make an educated decision about which apps you trust with your privacy and which ones need to go.
You can save yourself a whole lot of heartache if you take some simple steps before ever downloading any apps at all, says Caleb Barlow, former VP of IBM Security and current CEO and president of CynergisTek. “Only get mobile applications from the legit stores,” he explains, referring to Google Play and the Apple App Store. And once you’ve found legitimate apps you want to download, “be religious about permissions and check on application permissions on a regular basis. Turn off permissions that are not required for the application to work properly.”
It’s also a good idea to do a little research first. Barlow recommends checking how many reviews an app has before downloading it. Ideally, anything you add to your phone will have already been used and reviewed by thousands of other people.
Ana Bera is a cybersecurity expert with Safe at Last. She identified CamScanner, an app meant to imitate a scanner with your phone, as one of the apps consumers should be concerned about. “Cybersecurity experts have found a malicious component installed in the app that acts as a Trojan Downloader and keeps collecting infected files,” she explains. “This kind of app can seriously damage your phone and should be de-installed instantly. Luckily, once you remove it from your phone, it is highly unlikely that it will continue harming you.”
While there are safer alternatives that perform the same functions as CamScanner, Bera says that “the app is only an imitation of a real scanner, which means that you can always go back to the traditional machine.”
“Check your weather app,” says Shayne Sherman, CEO of TechLoris. “There have been several different weather apps out there that have been laced with Trojans or other malwares.” While the most benign of these claims to take your information purely for weather accuracy, he calls that questionable. “Watch your local forecast instead, and if you have Good Weather, delete it now,” he advises. “That one is especially dangerous.”
Look, we all love our social networking apps. But cybersecurity expert Raffi Jafari, cofounder and creative director of Caveni Digital Solutions, says, “If you are looking for apps to delete to protect your information, the absolute worst culprit is Facebook. The sheer scale of their data collection is staggering, and it is often more intrusive than companies like Google. If you had to pick one app to remove to protect your data, it would be Facebook.”
Unfortunately, Jafari says that Facebook is “notorious for collecting data on you even if you do not use their service. But removing Facebook-powered applications from your phone is a great first step to protecting your privacy.”
“This is a call to action for users who may be living under a rock and unaware of the vulnerabilities that were disclosed earlier this year,” says Michael Covington, VP of Product for mobile security leader Wandera. “The vulnerabilities with WhatsApp—both iOS and Android versions—allowed attackers to target users by simply sending a specially crafted message to their phone number. Once successfully exploited, the attackers would be granted access to the same things WhatsApp had access to, including the microphone, the camera, the contact list, and more.”
Yes, that means attackers had the ability to do a lot of scary spying. “This was one of the most widespread issues I’ve seen impacting mobile devices, and we continue to see out-of-date versions on enterprise devices,” Covington says. Luckily, this one is easy to fix: simply update the app to the latest version. At the time of writing, the latest version for Android is 2.19.339 and the latest version for iOS is 2.19.112.
WhatsApp and Instagram are both owned by Facebook, which is part of what makes them all a risk. Dave Salisbury, director of the University of Dayton Center for Cybersecurity and Data Intelligence, says that Instagram “requests several permissions that include but are not limited to modifying and reading contacts and the contents of your storage, locating your phone, reading your call log, modifying system settings, and having full network access.”
Even more worrisome, updates may automatically add additional capabilities. “People need to remember that at Facebook, and plenty of other places, you’re the product, not the customer,” Salisbury says. “Information about you, what you do, where you go, who you interact with, etc., is valuable. If you’re OK with giving that up for some free services, that’s a valid choice. What I’d hope is that people actually think through the choice in an informed way and make sure they’re getting as much as they’re giving.”
Since Messenger is a separate Facebook app, Attila Tomaschek, digital privacy expert at ProPrivacy, feels that it’s important to address as well. “Deleting Facebook Messenger is a no-brainer, based upon the company’s frighteningly lax approach to protecting user privacy,” Tomaschek says. “The messages you send and receive using the Facebook Messenger app are not encrypted, meaning that all your messages are plainly viewable to any Facebook employee with the appropriate permissions.”
While the company is planning to roll out a “Secret Conversation” mode that will offer encryption, it won’t be the default option and won’t be available for the calling feature. “What’s more, the app automatically scans any links or photos you send, and if any suspicious content is flagged by the algorithm, your messages will be read by moderators employed by the company,” Tomaschek adds. “Basically, if you don’t want your personal data to be subject to Facebook’s flimsy data-privacy practices and you don’t want anyone potentially eavesdropping on your private messages, then it’s best to cut your losses, delete the app, and look elsewhere.”
If you’re looking for an alternate private messaging app, Tomaschek recommends the secure messaging app Signal. “Your messages in Signal are secured by the app’s proprietary encryption protocol, which many consider to be the most secure messaging protocol available today,” he says. “In fact, Edward Snowden has even endorsed Signal as a secure messaging app.”
We bet you didn’t see this one coming. “Free flashlight apps are often of high cybersecurity risks,” says Harold Li, vice president of ExpressVPN, a consumer privacy and security company. “Many of these apps are free but ad-supported, and they often request permissions, such as audio recording and contact information, to apparently function properly. When users install these apps, they risk sharing their personal data with app developers who monetize the data by selling them to advertisers.”
Li recommends removing these apps entirely. Then he recommends updating your passwords for any social media or email accounts you use on your phone. You can also write to these companies and request to have all your data deleted. Under certain countries’ and states’ laws, consumers have the right to the erasure of all their data.
While Li couldn’t recommend any safe alternatives, he did say this: “It’s 2019, and most phones already come with a built-in flashlight function, so you really don’t need to install another free app that could be collecting and selling your data.”
“When Snowden blew the whistle on the NSA and exposed the agency’s surveillance tactics, he mentioned the Angry Birds app specifically as one that the NSA was using to siphon the personal data of its users,” says Tomaschek. “The app was leaking personal data like users’ phone numbers, call logs, home country, current location, and even marital status, and the NSA was gobbling it up without any misgivings whatsoever.”
If you have this game installed on your phone, Tomaschek says the best thing you can do is delete it. But, he adds, “Angry Birds app developers have since evidently patched the vulnerability that allowed for the information to be leaked. So, if you take the developers’ word for it and simply can’t resist indulging in slingshotting birds across your phone screen, then at the very least update to the latest version of the app.”
Even if you’re zombie-obsessed, you’ll want to skip Zombie Mod. Covington says, “This game attempted to collect a tremendous amount of personal data from users’ Google accounts, including Gmail usernames and passwords, while also attempting to profit from aggressive advertisements that, in some cases, bricked the device and forced the user to reset and start from scratch.” That’s no small issue.
Plus, adds Covington, “this one game impacted over 50,000 Android users and is part of a family of mod games that are all based on the same code foundation. We recommend users take a close look at the games they have on their devices and remove the ones that are not actively being played or that provide a negative user experience.”
Unfortunately, Zombie Mod may be trickier for consumers to uninstall. “They should start by locating and deleting the original Scary Granny Zombie Mod app,” says Covington. “More important than removing the app, we recommend that any user who has been fooled into installing the game also change their Google account password.” You know what needs to be done!
“The popular and convenient DoorDash app was featured in a Washington Post investigation earlier this spring, which revealed the alarming amount of personal data that the app tracks and shares with other entities,” says Tomaschek. “The investigation revealed that when you open the app, you are sending your data to nine separate third-party trackers. This data includes information like your name, email address, and physical address, along with the make and model of your phone. Furthermore, Facebook and Google ad trackers are also being used by the app, which means that the two tech giants know every single time you open the app.”
Tomaschek recommends deleting the app altogether, but that doesn’t mean it’ll be the last you hear of it. “Unfortunately, some apps can employ ‘uninstall trackers,’ which basically alert the app developer if the tracker detects that a user has uninstalled the app,” he explains. “While the app won’t be able to track you or collect your data any longer, you may notice advertisements popping up all over the place on your phone for the app you deleted, attempting to entice you to download it again.”
We love our kids, and our kids love our phones. And there can be times when allowing them to play a game can be an incredibly helpful distraction. But you should “be very cautious about children’s games and apps that have little or no reviews,” says Barlow. “[Also], with children’s apps, be wary of anything that stores video and audio content. This stuff lasts forever.”
Tinder and Grindr both collect over 50 percent of your personal data (Facebook takes the cake at 70 percent), according to cybersecurity firm Clairo. Think about it: they get names, email addresses, phone numbers, employment, and even pet ownership statuses, beyond the obvious location and age data. In 2020, five different dating apps experienced data breaches, leaking information from millions of profiles, putting users at risk of phishing, phone scams, and identity theft.
Ring doorbell app
Ring doorbell users think that they’re the spies, but the app does even more lurking in their phones. An investigation by the Electronic Frontier Foundation found the Android app is packed with third-party trackers that disseminate names, IP addresses, mobile network carriers, persistent identifiers, and sensor data to four marketing and analytic companies.
Every app, every time
We hate to break the news to you, but all apps come with some degree of risk. And regardless of the app, Salisbury recommends that users always review permissions, disable location services when possible (though some apps won’t work without it), and turn off geotagging for pictures. “With this location and geotagging data, marketers and perhaps less savory people can build a pretty decent profile of where you’ve gone and when. Privacy implications should be obvious,” Salisbury says. “Disable permissions if you aren’t comfortable with the app having that kind of access to your phone data or can’t think of a reason why that app needs that permission. If it’s not an option to disable the permission, uninstall the app.”
Sources
- Caleb Barlow, former VP of IBM Security and current CEO and president of CynergisTek
- Ana Bera, cybersecurity expert at Safe at Last
- Shayne Sherman, CEO of TechLoris
- Raffi Jafari, cofounder and creative director of Caveni Digital Solutions
- Michael Covington, VP of Product, Wandera
- Dave Salisbury, director of the University of Dayton Center for Cybersecurity and Data Intelligence
- Attila Tomaschek, digital privacy expert at ProPrivacy
- Harold Li, vice president of ExpressVPN
- Clairo: “Which Company Uses the Most of Your Data?”
- WizCase: “Data Breach: Millions of Dating App Records, Messages, and User Profiles Exposed in Data Leak”
- Electronic Frontier Foundation: “Ring Doorbell App Packed with Third-Party Trackers”