Consumer group uncovers shocking data grabs by major Android apps, including Facebook and TikTok

A new investigation by consumer watchdog Which has found that 20 of the most popular Android apps demand an astonishing 882 permissions between them—78 of which are deemed risky. These include access to your microphone, precise location, stored files, and even the ability to run other apps in the background.

The worst offender was Xiaomi Home, requesting 91 permissions, five of them flagged as high-risk. Samsung SmartThings came second with 82 permissions, including eight in the risky category. Among social media apps, Facebook demanded 69 permissions, six risky, while WhatsApp followed with 66.

Researchers warned that many of these apps collect data far beyond what is needed to function. In some cases, apps asked to access your contacts, camera, and internal storage—raising fears over surveillance and targeted advertising. Users often accept these permissions during installation, unaware of what they are surrendering.

If all 20 apps are installed on one device, the total permissions granted would allow wide-scale surveillance. These include continuous tracking via GPS, audio recording through the microphone, and reading of documents and downloads. Some apps were found to run automatically at startup or layer screens over other apps, a method sometimes used by malware.

Which worked with cyber experts at Hexiosec to carry out the audit. The results shocked campaigners. Harry Rose, editor of Which, said many apps present themselves as free while silently hoovering up user data. He called on tech giants to improve transparency and demanded that app stores enforce stricter controls on permissions.

Notably, two apps—Xiaomi Home and AliExpress—were found to send user data to China, including personal identifiers and location data. Both apps disclosed this only in the fine print of their privacy policies.

Apps from major firms like Meta, including Facebook and WhatsApp, were also found to ask for extensive permissions. Meta has previously insisted it does not access users’ microphones without consent and complies with privacy regulations. Samsung said it adheres to UK data protection rules. TikTok stated its privacy practices meet legal standards, while Strava claimed location access is vital for its fitness features.

Some apps—such as Temu, Amazon Shopping and Ring—can even detect which other apps are installed on your phone. This data is often used to build behavioural profiles that can be sold to advertisers or data brokers.

Experts say users can take back control by carefully reviewing permission requests, disabling access to location or microphone via settings, and deleting apps that are overly intrusive. On Android, permissions can be managed individually per app under the Settings menu.

While apps from the Google Play Store are required to declare data usage, many users never read the privacy notices or understand the implications. Which is now urging app developers to use clearer language and give users real choices rather than burying consent in vague legal text.

The report ends with a stark warning. Your apps may be more interested in your data than in serving you. Without tighter oversight and user awareness, smartphones could become surveillance tools hidden in plain sight.

How to Regain Control

• Review permissions via Apple’s App Privacy or Google’s Data Safety labels.
  
• Read privacy policies—focus on data collection practices.
  
• Revoke risky permissions at any time through Settings > Apps & Permissions.
  
• Delete suspect apps and remove associated data.