Stop Using These Android Apps Until You Check Their Permissions
A flashlight app asking for your contacts list should worry you more than it probably does.
Somewhere on your phone right now, there's an app you downloaded for one simple reason — maybe it scans documents, maybe it edits photos, maybe it's just a calculator with a nicer interface — and somewhere along the way, it asked for permissions that have absolutely nothing to do with what it actually does. Most people tap "Allow" without reading it. Then they forget the app even exists, except for the part of it that's still running quietly in the background.
This isn't a paranoia piece. It's based on something that's been happening at a genuinely uncomfortable scale.
This Already Happened — More Than Once, More Than You'd Expect
In one recent sweep, security researchers uncovered 224 apps on the Google Play Store that had been downloaded more than 38 million times combined. They weren't fake apps pretending to do something — many of them worked exactly as advertised. That was the trick. The malicious part ran quietly underneath, generating billions of fraudulent ad requests a day and, in some cases, fetching additional malicious code only after installation, specifically so it would slip past Google's review process.
Separately, researchers found a banking trojan called Anatsa hiding inside apps disguised as something boring and trustworthy — document readers, file managers, the kind of utility you install and forget about. Once installed, Anatsa abuses something called Accessibility permissions to quietly grant itself far more access than it was ever supposed to have, then goes looking for banking and crypto app credentials. It has expanded its target list to over 800 financial apps.
And it isn't a one-off. Google itself reported blocking more than 1.75 million policy-violating apps from ever reaching the Play Store in a single year, and stopped over 255,000 apps from gaining excessive access to sensitive user data. That number alone should tell you this isn't a rare edge case. It's a constant, ongoing problem that the official app store is fighting in real time — not a solved one.
Why "It's on the Play Store" Doesn't Mean "It's Safe"
This is the assumption that gets people. The Play Store is safer than installing random APKs off the internet — that part is true. But safer isn't the same as safe.
The apps in that 38-million-install case were sitting in the official store, passing review, looking completely normal. Some only revealed their true behavior after a user installed them through a specific ad, receiving hidden files disguised as ordinary images that were secretly reassembled into the real malicious payload. Static review can't easily catch something designed to look harmless until it's already on your device.
So the review process matters, and it does catch a huge amount — but it isn't a guarantee. The permission screen on your own phone is the last line of defense that's actually still in your hands.
The Permission Mismatch Test
Here's the one question that catches almost everything dangerous, and you don't need to be technical to ask it: does this permission make sense for what the app actually does?
A flashlight app needs your camera flash. It does not need your contacts, your microphone, or access to your text messages. A photo editor needs access to your photos. It doesn't need to read your SMS messages or know your call log. The moment a permission request stops matching the app's actual job, that's the moment to stop and think — not tap Allow out of habit.
This is exactly the pattern behind the Joker malware family, which alone showed up in close to a quarter of the apps removed in that 38-million-install sweep. Once installed, it can read and send text messages, take screenshots, access your contacts, and quietly subscribe you to premium paid services you never agreed to — all running in the background while the app itself looks completely normal on the surface.
The Second Red Flag: Permissions That Show Up Later
It's not just about what an app asks for on day one. Pay attention to what it starts asking for after an update.
An app that launched needing only storage access and suddenly wants accessibility permissions, or location tracking, or the ability to draw over other apps, has changed its behavior — and not always for an innocent reason. Accessibility permissions in particular are worth treating with real suspicion, because they're powerful enough to let an app see what's on your screen and act on your behalf. That's exactly the access Anatsa abuses to auto-grant itself everything else it wants.
If an update suddenly asks for something the app never needed before, that's not routine maintenance. That's a question worth answering before you tap through it.
How to Actually Check — Takes About Two Minutes
You don't need a security app to do a basic audit of what's already on your phone. Go to Settings → Apps → [select an app] → Permissions. You'll see exactly what that app currently has access to — location, camera, microphone, contacts, SMS, all of it, listed plainly.
For a faster, store-wide view, go to Settings → Privacy → Permission Manager. This flips the view around — instead of going app by app, it shows you every app that has access to a specific permission, like location or microphone. It takes about ninety seconds to scroll through and spot something that doesn't belong.
While you're in there, look at Settings → Security & Privacy → Google Play Protect too, and make sure it's switched on. It's Android's built-in scanner, running quietly in the background, and Google reports it now scans over 350 billion apps a day across the entire Android ecosystem — but it works far better as a safety net underneath your own checking, not as a replacement for it.
What To Actually Do With What You Find
If you find an app with access that makes no sense for what it does, you have two real options: revoke the specific permission, or uninstall the app entirely if it's something you barely use anyway. Most people are carrying around five or six apps they installed once, used twice, and forgot about completely — each one a small open door sitting quietly on their phone.
You don't need to do this every day. Once every couple of months, treat it like checking the batteries in a smoke detector — a small, boring task that matters a lot more than it feels like in the moment.
Also read: Why Google, Open AI and SpaceX are building their own AI chips
