Flashlight App Tricks Millions Into Handing Over Data


A seemingly harmless flashlight application built for Android has tricked tens of millions of users into handing over personal data, the Federal Trade Commission has revealed. Developed by GoldenShores Technologies, the Brightest Flashlight app took device ID and location data without informing users, then passed it on to advertisers.

Google’s “open” Play Store approach allows just about anyone to submit Android applications, and none of them are approved before being published. This has its advantages, but there are downsides, too.

In some cases, you may pay for apps that don’t work properly, or aren’t compatible with your device. But at worst you’ll download what looks like an innocent app only to find it’s filled with malware and malicious code or has a dirty little secret its developers didn’t tell you about.

Brightest Flashlight falls into that last category. It claimed to be a simply utility that turned on your handset’s LED flash so you could use it to see in the dark. There are thousands of other apps that do the same thing. But Brightest Flashlight also quietly recorded your device ID and location data in the background, then passed it on without telling you.

There was an “opt-out clause,” BBC News reports, but according to the FTC, it was “meaningless” because Brightest Flashlight shared your data whether you agreed to it or not.

“When consumers are given a real, informed choice, they can decide for themselves whether the benefit of a service is worth the information they must share to use it,” said Jessica Rich, director of the FTC bureau of consumer protection, in a statement. “But this Flashlight app left them in the dark about how their information was going to be used.”

GoldenShores has agreed to tighten up its privacy policy, and the FTC has demanded that it must change the way in which it handles user data. Furthermore, GoldenShores can no longer misrepresent how its apps gather information and who that information is shared with.

Most importantly, all data collected using the Brightest Flashlight app must be deleted, the FTC said.