Free Smartphone Apps Can Have Hidden Privacy Risks

“The percentage of apps that are malicious is vanishingly low,” says Pargman, adding that they are virtually absent from Apple’s App Store but may be more coming from Google Play Store because of an easier process for posting apps.

Still, apps considered to be malware are available, and users must be careful, he says. Nearly 2 percent of the top 1,000 grossing apps in the App Store were scams, stealing $48 million from customers, The Washington Post reported in June 2021.

Another study from October 2020 led by researchers with NortonLifelock Research Group found that up to a quarter of Android users downloaded what the study called “unwanted” apps, a category that includes malicious software designed to damage a phone or give someone unauthorized access. Most malevolent apps come from sources outside of the Play store, the study said.

In November 2022, a similar research group, California-based Malwarebytes Labs, discovered four Google Play apps with more than a million downloads that triggered pay-per-click and phishing sites to open in an Android phone’s Chrome browser. But the outrageous activity began only after a delay of several days from opening the app, so users had difficulty tracing the reason for their phone’s behavior.

The sources for most dangerous apps are spam texts that take you outside app stores, Pargman says.

“It’s always risky to click on links from texts and email,” says Kathy Stokes, who runs the AARP Fraud Watch Network. “Even when you believe you know the sender, we recommend going to the web address or your app to access the resource, rather than risking the click.”

Privacy, effectiveness is a trade-off

An overwhelming majority of Americans say they’re concerned about the safety and privacy of personal data they provide on the internet, according to an April 2022 Ipsos poll. But behavior might say otherwise.

When you add an app to your phone, you give up some of your right to be left alone. You give away more rights with some apps than others.

A weather app or a mapping app will need to know where you are. Others ask users for access to their phone contacts, photos and other information. Many people give up that information without thinking twice.

Why do this? For starters, apps are cool, useful, helpful, fun. They offer connectedness and convenience. You want to order and pay for a grocery delivery from your phone, and for this convenience, this incredible time savings, you agree to let a computer track your browsing history.

Is that so bad? We grumble and then accept. Trade-offs are the name of the game.

If you’re not happy about that, you must take steps:

• Do what almost nobody does and read the fine print.
• Read the privacy policies and the user agreements.
• Don’t install without reading reviews and maybe even find out who owns the app.

Cybercrime expert Troy Hunt suggests keeping in mind the idea of “data minimization” if you want to hang on to as much privacy as possible. He recalls how the Google Play Store was offering free flashlight and fart generator apps, which required excessive permissions to use.

“How do we give just enough information to perform the task we’re using the app for?” says Hunt, a Microsoft regional director in Australia who has testified about cybercrime before the U.S. Congress. “With a weather app, sharing your geo location is relevant and useful. But sharing your contact data is excessive, not minimization.”

This story, originally published Sept. 1, 2021, has been updated to reflect fresh research.