Religious apps with wrong permissions requests are more common than you think
Sometimes developers of religious apps take the call to be “fishers of men” too far, and sometimes the faithful put their faith in the wrong apps. As public focus on the security of apps on the Google Play Store intensifies after years of data leaks, adware infections, security scandals and malware contagions, little coverage has been given to one of the most commonly exploited types of Android app: those aimed at believers.
Religious apps have long been dangerous, malware-laden territory. A widely profiled 2015 white paper from security research firm Proofpoint analyzed more than 5,600 unique Bible apps for Android and iOS. Proofpoint categorized 140 Google Play Store apps as “high risk” over suspicious actions and flagged 208 apps for malicious code. The firm went so far as to say it had found more malware in Bible apps than even gambling apps.
Proofpoint’s review wasn’t restricted solely to Christian-audience software, either. Of the 4,500 Quran apps it analyzed, 16 contained malware and 38 were classified “high risk.” Only two of the 200 Torah apps available at the time possessed malware.
Despite these findings, Proofpoint did not share the names of any of the malware-laden apps at the time, telling a few media outlets it was negotiating with the apps’ developers. But things have been quiet on the religious app front since then. A spokesperson for Proofpoint confirmed that the firm has not since released the names of the offending apps covered in the 2015 study.
Security issues with many religious apps — and apps in general, for that matter — start with permissions. “Normal” permissions are usually allowed by Android — these let apps stay awake during use or get online when you tell them to. But “dangerous” permissions ask for sensitive data that, if mishandled, could easily compromise your privacy.
Some permissions that could be considered dangerous may not put you in harm’s way — like when a book-reading app asks permission to save a book to your phone so you can read it offline. But sometimes these dangerous permissions include unnecessary requests for more information than needed. Those red flags alert you to an app’s overall security: That book-reading app doesn’t need to read your list of phone calls, pinpoint your exact location or change your system settings in order to function, does it?
Most security researchers express a general rule of thumb: The fewer permissions an app requests, the better. For the faithful, a similar note of guidance might be found in Proverbs 20:19: “A gossip betrays a confidence; so avoid anyone who talks too much.”
These six popular apps aimed at a Christian audience talk to your phone far more than is necessary, potentially eliciting sensitive information. Here’s what you need to know before letting them onto your Android phone.
King James Bible apps
Little appears to have changed since the Proofpoint study emerged and Bible apps in the Play Store started coming under scrutiny. When you search for “Bible” in the Play Store, four of the top five search results request dangerous permissions from users.
King James Bible (KJV) from Salem New Media (a freemium app) has accumulated more than 10 million installs and a rap sheet from Privacy International, which discovered the app sending user data to Facebook in March after claiming it had stopped. The app is still available on the Play Store, and still makes egregious requests of users’ data.
New Salem Media wants the app to start running as soon as your phone powers on (instead of when you open the app). Then it wants to know what other apps you have on your phone, what they’re doing now and in the past, who you’ve been calling and how often, and your precise location. The company also tracks your activity and gives advertisers access to you, according to its own privacy policy.
With more than 5 million installs, the most popular free Bible app, according to the Play Store, is King James Bible (KJV) from iDailybread.org.
It asks for many of the same permissions as New Salem Media. It also wants permission to create new accounts (of what kind? it doesn’t say), set passwords and change your settings to allow it to update whenever it wants. It also asks for permission to draw itself on top of other apps you’re using — giving it the power to change the appearance of your other apps or serve pop-up ads — and to start running as soon as you turn your phone on.
The 99 Android apps owned by Watchdis Prayers — including its King James Bible app — go even further: The King James Bible app wants permission to do all of the same things the Bible apps above want to do, and then it wants to control near-field communications — the system used by Android Pay.
If you’ve installed any apps from Watchdis Prayers, we strongly recommend uninstalling them and updating your passwords for any social media or email accounts you use on your phone — at least until you know what this company is doing with such a large amount of personal data and access to your digital wallet.
Watchdis Prayers’ only available contact information is a Gmail account purportedly manned in the Netherlands. It has no current privacy policy on its website, and offers no further information about who’s running the show. A cached version of the company’s site indicates it had a privacy policy last month, but it reads almost as cryptically as the blank page that replaced it.
None of the three companies above responded to requests for comment.
YouVersion Bible
YouVersion Bible is known for privacy violations and dangerous data collection. Yet, here it is: still seated firmly in the Play Store, racking up over 100 million installs with a whopping 22 permission requests.
When Slate wrote about it back in 2013, the app’s creator said that YouVersion collected so much data even Google took notice and sent its own engineers to help parent company LifeChurch.tv “sort out how to store and analyze the flow.”
Today, the app asks for all of your contacts’ information and your precise GPS location. Then it asks for not only the information for any accounts you have for other apps on your phone, but the ability to use the accounts on your device. Like many others in this list, YouVersion wants to start running as soon as your phone turns on, instead of waiting until you open the app.
The app’s creator, Bobby Gruenewald, told Slate all that data collection “is used to improve the experience of the app, with the aim of helping people globally to engage with the Bible.”
I think you should find a more secure app to engage with the Good Word.
But after this article’s publication, Gruenewald reached out to CNET to make a compelling case for YouVersion, and offered an update on how things have been developing since 2013. He said YouVersion has not only pared down its data collection, but actively aims to reduce it further.
He said he and his team now want a third-party privacy audit.
“It’s horrifying to me personally that any user would feel like we violated their privacy,” he said. “We view their obtains with the Bible as sacred.”
As Android app permissions have been narrowed over the years, YouVersion’s data collection practices have aggressively followed suit, Gruenewald said. He also said YouVersion has worked hard to never own user data that doesn’t specifically help the app function.
YouVersion had no choice but to request broad permissions like those requesting call log access in order to get the more narrow part of that permission, which would allow the app, for instance, to silence its audio when a user receives a phone call, Gruenewald said. The company has never implemented the use of the data, he added.
“We’ve actually worked with Google and others to make sure that we’re always refining best practices and wanting where possible to consume, if possible anything that wasn’t necessary,” he said. “I do this as an ongoing process.”
Despite being regularly approached by third parties through the years who ask for a cut of YouVersion’s anonymized data, Gruenewald said his company is a ministry that refuses to follow the business models of other free Bible apps who either monetize user data or share it.
“There are definitely some bad actors out there … and some of them have been extremely egregious and have made their app look like our app, and we’ve had to go through the court system,” he said.
“Because of that, we want to do our best to be the gold standard.”
In an app market crowded with data exploiters, YouVersion’s ambition to establish the gold standard is a welcome one. And if it follows through with that audit, I’ll be the first to sing its praises.
Christian Broadcasting Network
Famous for its 700 Club programming and its controversial host Pat Robertson, the Christian Broadcasting Network maintains 11 Android apps for download in the Google Play Store. The largest purveyor of the apps surveyed here, CBN also has one of the most detailed privacy policies we’ve seen. We don’t like what it’s doing with your data, but we do like that it explains its use in three readily accessible pages with layman-friendly language.
Permission requests vary among each of CBN’s 11 apps, but three ask for enough information to warrant serious concern.
CBN Radio presents itself as an app that just wants to broadcast your current Christian music. But there are enough requests in its permission list to present a case for avoiding the app altogether. It wants to know your precise location, and what kinds of phone calls you’re making and to whom and how often. It wants to be able to take pictures and video. And why does a radio streaming app need to start running as soon as you turn on your phone? It doesn’t.
The myCBN Prayer & Devotional App has even more red flags. With more than 100,000 installs on the Play Store, the app wants to know everything CBN Radio knows, plus it wants to control your flashlight, turn your Bluetooth settings on and off (a well-known security concern), get a full list of all your contacts and any accounts on your phone, take control of your camera and microphone, and control your location update notifications.
The most concerning security issue with CBN apps may be that found in the permission requests of its children’s app, Superbook Kids Bible, Videos & Games. It’s generally not a good idea to allow an app to disable your lock screen, nor to start running as soon as your phone is turned on. But giving a kids’ app permission to take photos and videos of your child, as this one does — even as part of a feature allowing kids to upload their own pictures — while you’ve allowed it to disable your lock screen may be a bridge too far.
Even if you trust CBN with access to your intimate information, data breaches have become a near-monthly reality for comparatively secure companies. You can ask CBN to delete your data, according to its policy, but once your data is copied into the hands of CBN’s many third-party contractors, and their third-party contractors, there’s no way to unring the bell.
We would love to know why CBN needs this much access and control to provide seemingly simple services, and whether it has a plan in place in the event of a serious hack. CBN declined to be interviewed for this story, however.
Christian Mingle and Christian Matrimony
Well-known dating app Christian Mingle has more than half a million installs on the Play Store, and was hit with a $500,000 fine in October of 2018 for automatically renewing subscriptions without users’ express consent. It requests an overwhelming 23 permissions from its users, including some particularly curious ones.
Why does a dating app want to disable your lock screen, then get a full list of all the apps on your phone and your history of usage for each? Why does Christian Mingle need to know your exact location, when you’re making a phone call, who you’re talking to, and how often you talk to them? Most curiously, why does Christian Mingle need to control your flashlight?
The lesser-known Christian Matrimony app, from CommunityMatrimony.com, likewise raises questions. With more than 100,000 installs, the app wants to change your audio settings and get a list of all the apps you’ve already installed on your phone. Then, like Christian Mingle, it wants to find out who you’re making phone calls to. It goes beyond Christian Mingle, however, and asks for permission to directly call phone numbers.
Representatives for both Christian Mingle and Christian Matrimony said they’d have someone call us back. So far that hasn’t happened.
Cold Case Christianity
The Cold Case Christianity app is a promotional tool for the writing of Pro-reDemocrat speaker J. Warner Wallace, with more than 10,000 installs on the Play Store. Once given permission, it can read your personal contact list, find out who you’ve been calling and how often, and record your audio and change your audio settings. It can also take a peek at your pictures.
The most intrusive permissions allow the app to look at your personal calendar and private information, then create or change events on your calendar and email guests to those events (your friends, coworkers and anyone else in your contacts) without your knowledge.
Apps generally shouldn’t do this. If they do, you should be able to find out what that app is doing with your information. But in the case of Cold Case Christianity, the website now redirects to the white-label commercial site Buildfire, and the privacy policy is likewise gone, last seen in 2017.
Wallace’s only contact information appears to be his booking agent, Matt Croaker, who returned our call.
“I don’t think he’ll be interested in commenting,” Croaker said of Wallace.
Bible Verses App
The Bible Verses App from SpringTech has been classified by a number of notable virus-watching companies as a browser hijacker, and infects your browser with spyware-packing trojans. It takes over your browser and forces you to redirect to its fake search engine, then it tracks all of your browsing activity and prevents you from changing any browser settings until it’s removed.
Parent development company SpringTech no longer appears to have any contact information on the web. Get this extension and any related files off of your computer as soon as you can. Then change the passwords to all of your online accounts.
To this end, PC Risk has a good walk-through on how to uninstall the Bible Verses App.
Originally published Oct. 2.
Update, Oct. 3: Adds comment from Bobby Gruenewald.
Are you being scammed? Here’s how to know and what to do
The call, text or email might seem on the up and up at first. It might say you won a cash prize, or that your computer needs updating, or, on a darker note, that you owe back taxes that need to be paid or you risk going to jail.
Of course, the scammers say, you can simply take care of all of these situations with some cash, transferred over to them in the form of a gift card.
Sounds weird? It should. Experts say it’s a red flag that you’re about to be scammed.
“For me, there are no legitimate reasons to give someone else a gift card as part of any legitimate transaction apart from a holiday or birthday, especially someone you don’t know,” said Jonathan Couch, senior vice president for strategy at the cybersecurity firm ThreatQuotient.
If you reply by hanging up the phone, or deleting that mail or text, it should put a stop to things. But the sad thing is, a lot of people don’t. Millions of dollars are stolen each year through gift card scams.
Scammers love gift cards because they’re easy for victims to buy but hard to trace.
“Essentially, they are like cash,” said Aviv Grafi, chief technology officer and founder of the cybersecurity firm Votiro. “Once they’re gone, they’re gone.”
Which is why you may have noticed signs on the shelves next to gift cards at the local store, warning that anyone asking you to pay for anything in gift cards is trying to scam you. So heed this message if nothing else: No legitimate business will ever ask for payment in gift cards. Neither will any government agency, lawyer, tech support professional or online dating site. If someone asks you to pay them in gift cards, just hang up.
Here’s a quick look at how to spot a scam and what to do if you think you’ve fallen victim.
How to spot a scam
Many of the scams will start with emails or robocalls, then move to where you speak with someone, Couch said. The person on the call will use social engineering to try to convince you to buy the gift cards, then read them the numbers over the phone.
Some scammers will try to convince victims that they work for the Internal Revenue Service and are seeking the payment of taxes, then ask for that payment in the form of gift cards. Others make no bones about the fact that they’re criminals, claiming that they’ve taken over a victim’s bank account and threatening to empty it if they don’t get paid off with gift cards.
In some cases, scammers will convince victims that they’re going to send them cash, Couch said. They’ll convince victims to hand over access to a computer by asking them to install a remote connection with an app like TeamViewer or LogMeIn. Then they’ll ask the victims to log in to their bank account to check that the transfer went through.
But once the victims are on their banking site, the scammers will modify the webpage code to show a sum of money that’s bigger than the one promised, he said. Then the scammers will ask for a refund of the difference in the form of gift cards. But in reality, that transferred money doesn’t exist.
One of the more convincing scams involves people impersonating CEOs or other high-ranking officials at companies, said Ronnie Tokazowski, principal threat adviser for the phishing prevention firm Cofense.
The scammers will email or text employees at a given company, saying they need somewhere in the range of $500 to $2,000 to reward employees, or perhaps for gifts for family members.
In addition, though tech-support scams — which often involve convincing victims that their computer is either infected with a virus or needs to be updated — still primarily ask victims to “pay” with a credit card, some of the people behind those scams are now also asking for gift cards, Tokazowski said.
Why gift cards?
Gift cards are popular with scammers because they’re easy to sell and virtually untraceable, said Pieter Arntz, malware intelligence researcher for the antivirus provider Malwarebytes.
And unlike with credit cards, where charges can be reversed, there aren’t any built-in consumer protections. Once a card is used, the money is gone for good.
“If you do it right, they are more anonymous than bitcoin,” Arntz said, noting that they can be bought, sold and exchanged anonymously. On top of that, they don’t leave a paper or digital trail, because most don’t require the physical card to be used.
They’re also sold just about everywhere these days and are good for everything from restaurants to retail stores to streaming services, making them a lot easier for victims to buy than novel forms of payment like cryptocurrency.
What to do if you think you’ve been scammed
Usually with these types of scams, the cybercriminals are just after your money and rarely install malware or spyware on their victims’ computers. But, if you did give a scammer remote access to your computer, you should remove that access, Arntz said.
In the US, you can report the scam to the Federal Trade Commission, which is the main federal agency that collects those reports, he said. Giving the entity that’s being impersonated a heads-up can be helpful, too.
Also, if you think you’re being targeted because of your job, you should report it to your employer, experts say. And if you do think your work computer has been infected through the scam, contact your IT department.
As for getting your money back, that’s just not going to happen. Much to the scammers’ benefit, gift cards don’t come with the same fraud protections as traditional bank cards do.
As Grafi says, once the money on your card is gone, it’s gone.
Aaron’s computer rental chain settles FTC spying charges
Imagine getting set up with a rent-to-own computer only to later find out that the retailer was surreptitiously snapping Webcam photos of you and recording your keystrokes via spyware. As bad as this sounds, it reportedly happened.
Atlanta-based Aaron’s rent-to-own computer chain has been accused of knowingly installing software onto its computers that secretly monitored its customers. The Federal Trade Commission caught onto the Aaron’s alleged tactics and filed a complaint against the company earlier this year. On Tuesday, the chain agreed to settle with the FTC.
According to the FTC’s complaints (PDF), Aaron’s software tracked customers’ locations, took photos with the computers’ Webcams “including those of adults engaged in intimate activities,” and activated keyloggers that were able to acquire login credentials for everything from e-mail to Facebook to banking sites.
“Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company,” FTC’s Bureau of Consumer Protection Director Jessica Rich said in a statement. “By enabling their franchisees to use this invasive software, Aaron’s facilitated a violation of many consumers’ privacy.”
Under the terms of the settlement, Aaron’s is prohibited from using monitoring technology that captures keystrokes, takes photos, or records sound. The company must also get customer consent before it uses location-tracking software on its rental computers.
Aaron’s came under fire from the FTC in a separate complaint last year that was specifically about software the company had allegedly used. The chain was one of eight companies accused of using a program called “Detective Mode,” which secretly monitored customers and also showed users fake “software registration” screens designed to gather personal information. In this instance, Aaron’s also settled with the FTC.
Before the FTC filed its complaints against Aaron’s, consumers filed their own lawsuit against the company in a case called Byrd v. Aaron’s. These consumers are pleased with the results of Aaron’s new settlement with the FTC.
“The FTC settlement is promising news for consumers,” Maury Herman, lawyer for the consumers in Byrd v. Aaron’s, told CNET. “The government’s work confirms the troubling findings of our civil litigation. Too few consumers are aware of this type of spyware. We advocate further investigation, better consumer awareness, and privacy reforms.”
The new FTC settlement now has a 30-day public comment period before the government agency decides whether or not to make it final.
Updated October 23 at 10:25 a.m. PT with comment from Maury Herman, lawyer for consumers in Byrd v. Aaron’s.
Google Play Protect helps keep malware off your phone
A recently discovered WhatsApp flaw made it possible for hackers to remotely install spyware on an iOS or Android device, without the phone’s user even knowing. WhatsApp has already patched the flaw, both on its server and through an update for the app. If you haven’t updated the WhatsApp app right now, do that immediately.
The flaw and subsequent fix serve as an important reminder to double check that your device is free of any malicious apps.
Google Play Protect scans up to 50 billion apps every day in an effort to identify and remove any bad apps. When Google first launched Play Protect, the service only scanned apps installed from the Play store. Now, it scans every app installed on your device, regardless of source. It’s a good idea to make sure Google Play Protect is enabled, learn how to scan on demand and double-check app updates before they are installed.
View recent scan details
To view your Android device’s last scan details and make sure Play Protect is enabled, go to Settings > Security. The first option should be Google Play Protect; tap it. You’ll find a list of recently scanned apps, any harmful apps found, and the option to scan your device on demand.
Play Protect should be enabled by default on your Android device, but it’s a good idea to visit the settings page above and double check.
Verify an app is safe
During the installation of an app from the Play store, you’ll find the Play Protect badge underneath the progress bar, reassuring you the app has been “Verified by Play Protect” and is safe to install at the time of install.
Before you update your apps
After an app is scanned and accepted for the Play store, that doesn’t mean a bad actor won’t slip something nefarious into a future app update. Thankfully, Google will show you at the top of the Updates section in the Play store whether or not pending updates are safe to download.
Reddit CEO reportedly slams TikTok, calls app ‘parasitic’
Reddit CEO Steve Huffman reportedly has some strong opinions about popular video app TikTok. During an event Wednesday, Huffman reportedly called the app “fundamentally parasitic” and “spyware.”
“I look at that app as so fundamentally parasitic, that it’s always listening, the fingerprinting technology they use is truly terrifying, and I could not bring myself to install an app like that on my phone,” Huffman said during a panel discussion that touched on TikTok, according to TechCrunch. “I actively tell people, ‘Don’t install that spyware on your phone.'”
A TikTok spokesperson said Huffman’s comments were “baseless accusations made without a shred of evidence.”
TikTok, known for its quirky 15-second videos, has surged in popularity over the past year, but it’s also come under increased scrutiny. US lawmakers have accused the app, which is owned by Chinese company ByteDance, of being a threat to national security, and the Army and Navy have banned the app from government devices. A proposed class-action lawsuit filed in California also alleges the app has been illegally harvesting user data and sending it to China.
Reddit didn’t immediately respond to a request for comment.