Many top games on Google’s Play Store, with millions of global downloads, request permission for full network access, and this can be a major security hazard, warned software security specialist AppRiver.
Almost all apps wanted permission to, for instance, control near field communication, run at startup and control a device’s flashlight.
Some wanted access to a user’s precise location. This is understandable for games like Pokemon Go but not others like Mobile Strike and Game of War, the study argued.
If such data gets into the hands of hackers, they can create “tailored scams that will spoof even the most security savvy individuals,” the study warned.
Even if users check the fine print on installation, all apps include a disclaimer that says that updates can automatically “add additional capabilities”.
This means that, even if users read the terms and conditions and agree to them, those terms can be changed without the users’ knowledge.
Troy Gill, manager of security research at AppRiver, said: “With the constant evolution of IT security enhancements, many of the virtual ways in are being systematically sealed with criminals looking for new ways to socially engineer their attacks and liberate the funds. What better way than collecting information that is given voluntarily?”
The study also pointed out that popular app PewDiePie’s Tuber Simulator, which has racked up millions of downloads in recent weeks, demands 15 permissions, including ‘full network access’.
Rolling Sky demands 13 permissions including the ability to ‘read the contents of and modify or delete the contents of USB storage’ while Shuffle Cats has the ability to prevent the device from sleeping.
The report said that criminals are also collecting information from social network sites such as Facebook and LinkedIn to launch targeted attacks.
It warned that organisations must introduce effective safeguards that prevent apps from accessing company networks and data, and must educate employees so that they fully comprehend the potential hazards.
“It’s unlikely that everyone is going to start carefully reading terms and conditions, but knowing this information might be used against them could encourage workers to be more vigilant when clicking yes”, the report noted.
While this research looked specifically at Google Play Store’s ranked apps, those listed in Apple’s iTunes and Amazon’s Appstore all ask for the same permissions, AppRiver said.