By default, apps on your phone have very limited permissions. To gain access to most of your data — and potentially dangerous Android features — they need your explicit consent. Android does that for security reasons; if permissions have potential for abuse, it’s better if an app doesn’t have them by default.
Apps actually need some permissions to do their jobs. For example, AR games really do require access to the camera. But even legitimate apps often want more than they really need. Here are five permissions that bona fide games definitely don’t need, and of course malware masquerading as a game would love to have.
For this post, we’re using the names of permissions and their paths in the “clean” Android 10. In other versions and on devices from some vendors, they may differ slightly.
Accessibility
What it is. Accessibility comprises a set of Android features that help people, in particular people with disabilities, use the device. Apps with Accessibility rights can see everything that happens on the screen, and control everything as if they were the user: change settings, perform actions in other apps, and so on.
One example of an app that needs Accessibility permissions is a voice assistant, which uses them to execute voice commands and to read information from the phone out loud. Games do not need this feature set.
What’s the danger? An app with Accessibility access can do almost anything on the device. For example, it can perform online banking transactions, write and read e-mails and other messages, change screen settings, and more. Generally, despite the innocuous-sounding name, this is a very dangerous permission.
Where to check. Settings → Accessibility
Device admin apps
What it is. Device admin apps involve remote control of the device. The permission might be needed if the phone is used for work, for example, and the company’s system administrators require access to it. Generally apps do not need this permission — and you certainly should not grant it to games.
What’s the danger? Armed with admin rights, apps can change the device’s password, lock the screen, delete files, and so on. What’s more, getting rid of a “game” with admin rights won’t be easy; the permission is intended for corporate admin tools that employees should not remove from the phone.
Where to check. Settings → Apps and notifications → Advanced → Special app access → Device admin apps
Install unknown apps
What it is. Permission to install unknown apps means having the ability to download other apps from anywhere, not only from Google Play. Games simply do not need that ability.
What’s the danger? Even if a game isn’t malicious, this permission lets it download “partner apps” to your smartphone or tablet, and those can be very difficult to get rid of later. Moreover, some partner apps might slip you some genuine malware. Don’t give this permission to anything, and download apps only from official sources.
Where to check. Settings → Apps and notifications → Advanced → Special app access → Install unknown apps
Display over other apps
What it is. Permission to display app windows on top of any running apps. Facebook Messenger uses this feature to show the chat icon even when you’re using another program, for example.
What’s the danger? This permission offers minimal benefit to the user, but it can cause significant harm. An unscrupulous game might use it to display banner ads on top of other apps. And if it turns out to be malware in disguise, it can lock the screen and demand ransom, or sneak in a fake form for entering bank card details. Or overlay a fake virtual keyboard atop the real one to read everything you type.
With a clever overlay obscuring the app you think you’re using, criminals can also get your consent to just about anything. In one scenario, an app requests access to, say, Accessibility permissions, and displays a window over it with an innocent message — say, that the content is temporarily inaccessible. This window covers everything except the real OK button in the request. The unsuspecting user taps it, and boom, cybercriminals have Accessibility in the bag.
Where to check. Settings → Apps and notifications → Advanced → Special app access → Display over other apps
SMS
What it is. SMS permissions give an app the ability to read and send SMS, MMS, and WAP Push messages. Games don’t need it, and they can’t even get it unless you make them your default app for handling text messages. But malware pretending to be a game may demand it.
What’s the danger? With access to text messages, apps can subscribe you to paid services by sending messages to short numbers. They can also spam your contacts (on your dime).
Most dangerous of all is that this permission lets apps intercept text messages with one-time confirmation codes from banks, enabling attackers to log in to your personal account and steal your money.
Where to check. Settings → Apps and notifications → App permissions → SMS, and also Settings → Apps and notifications → Advanced → Default apps
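The five permissions above can also be spotted before installation, because an app has to declare them in its manifest. The following is an added example, not code from the original post: it scans a decoded AndroidManifest.xml (assumed to have been extracted to text with an APK decoding tool) for the standard Android permission names behind each of the five categories. The sample manifest and the `.HelperService` component are constructed for illustration, and a hit means "review this app", not proof of malware.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions an app requests for itself, mapped to the sections of this post.
REQUESTED = {
    "android.permission.REQUEST_INSTALL_PACKAGES": "Install unknown apps",
    "android.permission.SYSTEM_ALERT_WINDOW": "Display over other apps",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.RECEIVE_MMS": "SMS",
    "android.permission.RECEIVE_WAP_PUSH": "SMS",
}
# Components guarded by these bind permissions can be enabled in Settings.
BOUND = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "Accessibility",
    "android.permission.BIND_DEVICE_ADMIN": "Device admin apps",
}

def audit_manifest(manifest_xml):
    """Return {category: sorted list of manifest entries that triggered it}."""
    root = ET.fromstring(manifest_xml)
    findings = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name in REQUESTED:
                findings.setdefault(REQUESTED[name], set()).add(name)
    for tag in ("service", "receiver"):
        for el in root.iter(tag):
            perm = el.get(ANDROID_NS + "permission", "")
            if perm in BOUND:
                comp = el.get(ANDROID_NS + "name", "?")
                findings.setdefault(BOUND[perm], set()).add(comp)
    return {cat: sorted(items) for cat, items in findings.items()}

# Constructed sample: manifest of a hypothetical "match-three" game.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

print(audit_manifest(SAMPLE))
```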
Don’t give games more than they need
Android offers lots more permissions. Here, we’ve just covered those that must never be given to games under any circumstances. But you should treat other permissions with care as well.
When it comes to device security, you can never be too cautious. If some three-in-a-row game wants access to your camera or microphone, just say no. And if a game really does need a permission to work, you can always grant it later.