
The popular apps that are SPYING on you: Cybersecurity experts issue urgent warning over 'data hungry' apps that can access your location, microphone and data
But according to a new investigation, 'data hungry' smartphone apps like Facebook and Instagram ask for 'shocking' levels of access to your personal data.
Experts at consumer champion Which? investigated 20 popular apps across social media, online shopping, fitness and smart home categories.
They found all of them ask for 'risky' permissions such as access to your location, microphone, and files on your device – even when they don't need to.
The experts urge people to be more careful about what exactly we agree to when we download an app and mindlessly agree to permissions.
We could be compromising our privacy when we hastily tap 'agree'.
'Millions of us rely on apps each day to help with everything from keeping on top of our health and fitness to doing online shopping,' said Harry Rose, editor of Which?
'While many of these apps appear to be free to use, our research has shown how users are in fact paying with their data – often in scarily vast quantities.'
Which? researchers worked with experts at cybersecurity firm Hexiosec to assess the privacy and security features of 20 popular apps on an Android handset.
The list included some of the biggest names in social media (including WhatsApp, Facebook, Instagram, TikTok), online shopping (Amazon, AliExpress), the smart home (Samsung Smart Things, Ring Doorbell) and fitness (Strava).
Combined, the 20 apps have been downloaded over 28 billion times worldwide – meaning the average UK adult is likely to have several of them on their phone at any given time.
If someone were to have all 20 downloaded on their device, collectively they would grant a staggering 882 permissions – potentially giving access to huge amounts of an individual's personal data.
Overall, the team found Chinese app Xiaomi Home asked for a total of 91 permissions – more than any other app in the study – five of which are described as 'risky'.
Risky permissions include those that access your microphone, can read files on your device, or see your precise location (usually referred to as 'fine location').
Such data is a valuable commodity and may allow firms to target users with 'uncannily accurate adverts'.
Samsung's Smart Things app asked for 82 permissions (of which eight are risky), followed by Facebook (69 permissions, six risky) and WhatsApp (66 permissions, six risky).
Xiaomi Home was also one of two apps (alongside AliExpress) to send data to China, including to suspected advertising networks – although this was flagged in the privacy policy by both.
AliExpress requested six risky permissions such as precise location, access to microphones and reading files on the device.
AliExpress also bombarded users with a deluge of marketing emails after download (30 over the course of a month) but the researchers did not see any specific permission request from AliExpress to do so.
Temu, another Chinese-owned online marketplace, also gave a heavy push to sign up to email marketing – which many users could easily agree to without realising, the experts reasoned.
Among social media apps, Facebook was 'the most keen for user data' as it wanted the highest number of permissions (69 in total, six of which were risky), followed by WhatsApp (66 altogether, six of which were risky).
TikTok, meanwhile, asked for 41 permissions, three of them risky, including the ability to record audio and view files on the device, while YouTube asked for 47 permissions, four of which were 'risky'.
Overall, 16 of the 20 apps requested a permission that allows apps to create windows on top of other apps – effectively creating pop-ups on your phone, even if you opted out of the app sending notifications.
Seven also wanted a permission that allows an app to start operating when you open your phone even if you haven't yet interacted with it.
In some cases there are clear uses for risky permissions – for example the likes of WhatsApp or Ring Doorbell may need microphone access in order to carry out certain functions.
But in other examples the need for risky permissions was less clear cut, according to Which?
For example, four apps – AliExpress, Facebook, WhatsApp and Strava – requested permission to see what other apps were recently used or are currently running.
The researchers stress that the investigation was conducted on an Android phone and that permissions may vary on Apple iOS devices.
But we should all be more careful of tapping 'yes' to permissions while mentally on 'autopilot' without really being aware of what we're agreeing to, Mr Rose said.
'Our research underscores why it's so important to check what you're agreeing to when you download a new app,' he added.
The full findings can be read on the Which? website.
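The check below is an added example, not part of the Which? or Hexiosec research: it counts the permissions declared in a decoded AndroidManifest.xml (for instance one produced by apktool) and groups the ones matching the permission types described above. The mapping from the article's wording to Android permission names is an assumption, and the sample manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Article wording -> Android permission names. This mapping is an assumption.
FLAGGED = {
    "microphone": {"android.permission.RECORD_AUDIO"},
    "precise (fine) location": {"android.permission.ACCESS_FINE_LOCATION"},
    "read files on device": {"android.permission.READ_EXTERNAL_STORAGE",
                             "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "windows on top of other apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "start when phone starts": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "see recent/running apps": {"android.permission.GET_TASKS",
                                "android.permission.PACKAGE_USAGE_STATS"},
}

# Constructed sample manifest for a hypothetical app, not taken from any real APK.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.shop">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission-sdk-23 android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    # Both tags declare permissions; the second applies on Android 6.0+ only.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name.strip())
    return names

def audit(manifest_xml):
    """Count declared permissions and group the flagged ones by category."""
    perms = requested_permissions(manifest_xml)
    flagged = {label: sorted(perms & names)
               for label, names in FLAGGED.items() if perms & names}
    return {"total": len(perms), "flagged": flagged}

if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print(f"{report['total']} permissions declared")
    for label, names in report["flagged"].items():
        print(f"  {label}: {', '.join(names)}")
```

A declared permission shows what an app may ask for, not what it has been granted or actually uses; runtime grants are visible in the phone's own app permission settings.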
In response to the findings, Meta (which owns WhatsApp, Facebook and Instagram) said none of its apps 'run the microphone in the background or have any access to it without user involvement'.
Meta also said that users must 'explicitly approve' in their operating system for the app to access the microphone for the first time.
A Samsung spokesperson said: 'All our apps, including SmartThings, are designed to comply with UK data protection laws and relevant guidance from the Information Commissioner's Office (ICO).'
Meanwhile, TikTok said that privacy and security are 'built into every product' it makes. It added: TikTok 'collects information that users choose to provide, along with data that supports things like app functionality, security, and overall user experience'.
Strava said that the risky permissions it takes, such as precise location, allow it to 'provide the very service that our users are requesting'. It said that it has 'implemented appropriate guardrails' around how data is 'collected, shared, processed, and used'.
Amazon said that device permissions are to provide 'helpful features', such as 'the ability to visualise products in their home with their device's camera or search for products using text-to-speech'. It added: 'We also give customers clear control over personalised advertising by requesting consent when they visit our UK store and providing options to opt out or adjust preferences at any time.'
AliExpress claimed that the precise location permission is not used in the UK, and the microphone permission requires user consent. It added: 'We strive to create a platform where consumers can shop with confidence, knowing that their data is safeguarded in accordance with the law and our strict privacy policy. We welcome the findings from Which? as an opportunity to redouble our efforts in this area.'
Ring said that it doesn't 'use cookies or trackers on the Ring app for advertising' and all permissions are used to 'provide user-facing features'. It added: 'We design our products and services to protect our customers' privacy and security, and to put our customers in control of their experience. We never sell their personal data, and we never stop working to keep their information safe.'
A Temu spokesperson said precise location permission is 'used to support completing an address based on GPS location' but it is not used in the UK market, adding that it 'handles user data in accordance with local and international regulations and in line with leading industry practices'.
Google (representing YouTube), Xiaomi, Impulse and MyFitnessPal did not respond to requests for comment.
