An 18-month study shows that Android users who download and install free apps end up paying in compromised privacy and security.
An audit of 1.7 million apps in the Android Market, recently renamed Google Play, found that free apps were more than four times as likely to access contact lists as paid apps that had the same functions, British tech blog the Register reported.
The study, conducted by networking company Juniper Networks, also found that 24 percent of free apps tracked location data, compared to 6 percent of paid ones.
Many apps collect location data in order to serve up localized ads. But Juniper found far fewer apps doing business with major ad networks than the overall number of apps collecting location data. To Juniper, that suggested many apps had shadier purposes.
"This leads us to believe there are several apps collecting information for reasons less apparent than advertising, " the company said.
[ How Your Cellphone Lets the Government Track You ]
Giving apps carte-blanche access to a phone's functions and data can put a user at risk of being spied upon by remote commands that silently make calls or activate the camera. Attackers could also use apps to steal photos, text-message archives, account logins and other data.
Across the board, free apps asked for permission to perform unnecessary functions — to send text messages, access contact lists, take pictures or make phone calls — at roughly double the rate of their paid counterparts.
Gambling and racing games are two of the most problematic app categories, the Register reported.
Racing games are often not much more than malware, and 94 percent of casino games request permission to make outbound calls; 84.5 percent ask to send text messages.
The study also found apps with bad communication skills. Some 63 percent of financial apps, for example, requested permission to make outgoing calls in the background, but provided no explanation as to why.
After using several of the apps, Juniper Networks found that the capability was being used legitimately to contact financial institutions.
Juniper Networks said the study reveals the need to better communicate to users what information apps access and what that access allows them to perform.
"There is a big difference between a spyware app clandestinely placing an outgoing call to listen to ambient conversations within hearing distance of the device, and a financial app that provides the convenience of calling local branches from within an application," Juniper Network said. "The manner in which permissions are currently presented does not provide a means for users to differentiate between the two.