The FBI is telling smartphone owners to go into their settings and cut off app access to contacts and location data, warning that permissions granted months or years ago may still be feeding sensitive personal information to unknown third parties. In a public service announcement dated March 31, the bureau’s Internet Crime Complaint Center flagged that mobile apps can persistently harvest address book data, including names, emails, physical addresses, and phone numbers stored in a user’s contacts. The alert lands just days after a separate joint FBI-CISA warning about phishing campaigns that compromise commercial messaging app accounts and hand attackers full access to victims’ contact lists.
Why revoking app permissions has become an FBI priority
The FBI’s March 31 alert, designated Alert Number I-033126-PSA, spelled out a risk that most phone owners overlook: once an app receives permission to read contacts or track location, it can continue collecting that data in the background, even if the user stops opening the app. The bureau warned that this collected information can include not just the device owner’s details but the names, emails, physical addresses, and phone numbers of everyone in their address book.
That warning gained sharper teeth when paired with a joint FBI-CISA public service announcement issued earlier in March. That advisory, Alert Number I-032026-PSA, described active phishing campaigns targeting commercial messaging application accounts. Once those accounts are compromised, the agencies stated, attackers can gain access to victims’ messages and contact lists. The combination creates a two-front problem: apps silently collecting contact data on one side, and credential-stealing campaigns that expose entire address books on the other.
The practical question is whether revoking permissions actually reduces harm. A reasonable expectation is that users who strip contact and location access from apps after seeing these FBI alerts would experience fewer account-takeover incidents tied to messaging platforms over the following six months. No public data from the FBI or IC3 yet measures that outcome directly, so the hypothesis remains untested. But the logic is straightforward: fewer apps with access to a contact list means fewer pathways for that list to reach an attacker, whether through a data-harvesting SDK buried in a free app or through a compromised messaging account that syncs contacts to a server the user never intended to trust.
Android permission gaps and the InMobi precedent
Technical research helps explain why simply tapping “deny” on a permission prompt does not always solve the problem. A preprint study published on arXiv found that Android permission mechanisms can auto-grant permissions within groups, meaning that approving one capability in a permission group can silently unlock others. The same research identified that normal-level custom permissions can expose contacts and location data without triggering the kind of explicit warning most users expect. The result is a gap between what a phone owner thinks they allowed and what an app can actually access.
That gap becomes more concerning when paired with the way many apps are built. Developers frequently rely on third-party software development kits for advertising, analytics, and social features. Once such a component is embedded, it may inherit any permissions the host app enjoys. If the app has contacts or location access, the SDK may be able to read it as well, even if the user never interacts with the feature that ostensibly justified the permission. The FBI’s latest warning effectively acknowledges that permission prompts alone cannot compensate for this complexity.
Enforcement history confirms these are not abstract risks. The Federal Trade Commission alleged that mobile ad network InMobi tracked users’ locations even after those users denied OS-level location permission, and that the company collected location data frequently during app use. In its 2016 case summary, the FTC described how InMobi’s technology inferred location from nearby Wi-Fi networks to sidestep platform-level privacy controls. The case showed that a single ad-tech provider embedded in thousands of apps could override a user’s explicit privacy choice. No publicly available follow-up data confirms whether similar practices have been fully eliminated across the ad-tech industry, which means the risk the FBI flagged in its 2026 alert has a documented track record stretching back at least a decade.
The FBI has also warned about a related vector: criminals embedding malicious code in beta-testing apps. A separate IC3 advisory from 2023 urged the public to restrict app permissions and uninstall unused apps, establishing that the bureau’s current guidance is not a one-off recommendation but part of a pattern of escalating concern. Another FBI cyber alert described how seemingly legitimate apps and services can turn devices into residential proxies for criminals, with critical details often buried in terms of service that users rarely read. Together, these warnings underscore that the problem is not just one or two bad apps, but a broader ecosystem where permissions, embedded code, and opaque data flows combine to create systemic exposure.
Gaps in the evidence and what to do next
Several important questions lack answers. The FBI’s March 31 PSA names no specific apps, app categories, or measured volume of data exposures. Without that detail, users cannot prioritize which permissions to revoke first beyond the general categories of contacts and location. The IC3 has not published complaint statistics or case outcomes tied directly to contact-permission abuse, so the scale of real-world harm from this specific vector is not quantified in any public record.
The FTC’s InMobi enforcement record, while instructive, is now a decade old. No recent public enforcement action confirms whether similar ad-tech location-tracking practices persist at the same scale. The arXiv preprint offers strong technical evidence about Android permission design flaws, but it reports measured examples of what is possible rather than incident counts from official channels. That leaves a gap between what researchers can demonstrate in a lab and what the FBI can document in the field. For policymakers, this uncertainty complicates decisions about whether to mandate stricter default settings, require more granular consent, or impose new disclosure rules on app developers and ad-tech vendors.
In the meantime, the advice for individuals is blunt but actionable. First, open your phone’s settings and navigate to the privacy or permissions section. On most devices, you can see a list of apps that have access to contacts, location, microphone, camera, and other sensitive data. Revoke access for any app that does not clearly need it to function. A navigation app may need location; a simple flashlight or calculator almost certainly does not. For messaging and social apps, consider whether contact uploading is truly necessary, or whether you can rely on manual entry or username-based connections instead.
Second, delete apps you no longer use. Every dormant app with broad permissions represents another potential pathway for data leakage if the developer is compromised, sells the app to a less scrupulous owner, or quietly integrates more aggressive tracking code. Removing unused software reduces the attack surface without sacrificing any functionality you rely on day to day.
Third, be skeptical of any prompt asking you to re-enable contact or location access after you have turned it off. Some apps will attempt to persuade users with warnings about degraded features. When that happens, pause and ask whether the promised benefit is worth the additional exposure. If an app will not run at all without invasive permissions and offers no clear justification, consider finding an alternative.
If you believe your data has already been compromised, the FBI directs the public to submit a report through the IC3 complaint portal and to preserve any relevant messages, screenshots, or transaction records. That documentation can help investigators trace patterns across multiple incidents and, over time, may fill in some of the evidence gaps that currently limit public understanding of contact-permission abuse. Until those numbers are available, the safest assumption is that any unnecessary permission is a liability-and that the simplest step most people can take today is to start saying “no” more often when their apps ask for more than they need.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.