Over 1000 Android apps on Google Play accessed user data without proper permissions

Unbelivable. How can you fight it off? ...

Despite user perception, Android is actually quite secure as a mobile OS. We generally accept the premise that the weakest link is the user; so long as you watch what you install and what permissions you grant, you should be safe from unauthorized access and distribution of your data. If you deny an Android app access to your location, then that app shouldn’t have any way to figure out where you are or where you’ve been. However, some app developers have figured out ways to get around Android’s permission model, according to researchers from the International Computer Science Institute (ICSI).

According to CNET, the study was presented last month at PrivacyCon after being responsibly disclosed to both Google and the FTC last September. Although the paper published on the FTC’s website doesn’t list the exact apps that the team flagged in their analysis (those details will come later at the Usenix Security conference next month), it does provide details on their analysis method and how the apps were bypassing Android’s permission model. For what it’s worth, Google says that the security and privacy changes that Google has introduced in Android Q will close these bypass methods, thus this paper provides valuable insight into Google’s justifications for some of the platform changes they’ve made in Android 10. Let’s dive in.
How >1000 Apps Bypassed Android’s Permission Model

The researchers distinguish between two different security circumvention techniques: ...

More at xda-developers.com

 

You should get rid of Google Play services in the first place. You can check our wiki or take a look at xda. Just click on the link above.

For other solutions you should use XPrivacylua and AFWall+.
XprivacyLUA fakes your important data.  AFWall+ is used to block certain applications so that, for example, they cannot connect to the Internet. An iptables firewall.

Source code:
XPrivacyLUA
AFWall+